[ocdtrekkie]

They've done a little bit. Newer Android versions support setups where apps request permissions at runtime, instead of just having them all the time in the background.

But the permissions are still too wide. Things like giving apps access to all your contacts, as opposed to having the OS only provide one contact, after the user picks it from a list.

[lallysingh]

There's a tradeoff in usability. I do wish Google (or a phone vendor! add real value!) would let users choose fine-grained or coarse-grained security at the UI level, and let developers just use fine-grained permissions APIs.

[ocdtrekkie]

There really isn't a tradeoff.

Bad security: App requests all your contacts and shows you a list of people you can invite to play Candy Crush. The user clicks one, but the app already has access to all of them.

Good security: App requests a contact and the OS shows you a list of people you can invite to play Candy Crush. The user clicks one and the OS gives that contact info to the app.

The user experience is quite similar, but the security design is far better.