I've mentioned this here before: look at something like the Weather Channel app on Amazon's app store, which requests an astonishing array of permissions, including the permission to dial out silently without your interaction.
The Android apps, like Facebook apps, are overreaching, and training users to accept the incursion in order to use well-known apps, leaving them more likely to accept the same from obscure apps.
If Facebook asks for the SMS permission but doesn't actively use an end-user's messages, the end user is eventually more likely to accept a malware application that asks for SMS permissions and then silently steals their messages. Requesting feature permissions that aren't used visibly is terrible practice.
I think Apple got this particular policy right: their review process screens apps to make sure that visibly requested information is visibly used for something in the application, preventing every application from asking users for every bit of their personal information just to launch the app. In my experience the actual execution of said policy is spotty and inconsistent like the rest of the review process, but the idea is sound.
0: https://www.facebook.com/note.php?note_id=10151330596285363 via http://news.ycombinator.com/item?id=3637869
And Android needs some blame for not allowing its users to opt out of granting that permission (alternatively, forcing the app to ask for them every time they are used).
Apps that require too many/creepy permissions need to be distrusted and this is the only way that is going to happen.
No. I'd never install the Facebook, Flickr, whatever app if they require access to contacts or SMS and internet at the same time. I have sensitive information in my contact list and I don't trust anyone that is foolish enough to actually ask for permission to read any of those, at install time, with my data. Simple as that.
Make a "private" version of the app that doesn't require those permissions or no deal.
If you think you should be able to line item veto app permissions, that's a different subject matter.
There are, after all, many legitimate reasons for having access to the contact list and there are many legitimate reasons for not wanting to share it. In Android, as a developer, you have to decide whether you want a fully featured app or an app that respects its users' privacy. You cannot have both in a single app.
There is nothing that says you can't have both, and doing so would be very simple. Android doesn't do anything to help, so that's why Android needs some serious blame for this.
Now people are getting used to ignoring the permissions (if all apps require everything, why bother?) making them quite useless. If this continues they could just as well just remove them (since the typical user wouldn't care anyway).
I also wonder why this is not possible. The user should be the one to have the final say on the permissions an application gets, not the application.