by nextparadigms 5240 days ago
Google is certainly not helping there, giving descriptions to permissions that are way more vague than they should be.

What exactly does "Full Internet access" mean? How about "Access to contact list"? - and so on. In reality they are not as dangerous as they seem. I don't think that even means it gives access to the contact list the way iOS does it. I think it just means the app can fetch those contacts in a widget, or an SMS app, or something, but definitely not sending it to their servers.

Still, I wish they were more clear about this, because either it makes you not want to install the app at all, even though it's safe, or you start ignoring all these permissions, and install all apps without even looking at them, because you don't understand them anyway.

2 comments

It's funny, because they are quite clear. Click on the "Permissions" tab and you can read through the permissions the app requires and what those permissions entail.

https://market.android.com/details?id=com.twitter.android

I've noticed that after the 3.3.4 market update I cannot view the permissions of installed applications. I used to be able to go to an installed app, Menu - Settings - Security, and view its permissions, that's all gone now.

Also, the permissions do not appear on the app's installation page, they appear on the confirmation page before installing (after clicking download/buy), that's not very good UI.

Before the 3.3.4 update, the permissions on my phone were just the titles with no description (Full internet access, Read phone state and identity, etc.), so kudos to them for adding descriptions.

However, I was shocked after the update when I learned what "Read phone state and identity" really means, here's the description: "Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like."

That seems pretty invasive for what I _assumed_ was a GUID or a token of some sort to authenticate purchases or keep track of installations. I wonder what "the like" means in that description.

> I think it just means the app can fetch those contacts in a widget, or a SMS app, or something, but definitely not sending it to their servers.

How could you give the app access to your contacts list and prevent it from sending the data somewhere else?

Besides, the description on the Android Market says: “READ CONTACT DATA Allows an application to read all of the contact (address) data stored on your device. Malicious applications can use this to send your data to other people.”

It could theoretically give access to contacts via a contact-chooser button without ever letting the app get to the list. Much like you can upload a file on a desktop browser without letting the site see your list of files.

That limits functionality quite a bit. Say you want to write an email or messaging client (K9, Handcent), your solution prevents you from doing name/address autocompletion in the To: field.
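
Added example, not part of the thread: a small manifest audit showing why the combination discussed above matters, since an app that holds both a data-reading permission and "Full Internet access" faces no permission-level barrier to sending that data off the device. The sample manifest and package name are constructed; the permission names are the standard Android manifest identifiers behind the Market labels quoted in the comments.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

INTERNET = "android.permission.INTERNET"  # shown as "Full Internet access"
# Manifest permission -> Market label quoted in the thread.
DATA_SOURCES = {
    "android.permission.READ_CONTACTS": "Read contact data",
    "android.permission.READ_PHONE_STATE": "Read phone state and identity",
}

# Constructed sample manifest (hypothetical app, not a real package).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml.strip())
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}

def audit(manifest_xml):
    """List (permission, can_transmit) for each sensitive data source requested.

    can_transmit is True when the app also holds INTERNET: the permission
    model then places no barrier between reading the data and sending it.
    """
    perms = requested_permissions(manifest_xml)
    can_transmit = INTERNET in perms
    return [(p, can_transmit) for p in sorted(DATA_SOURCES) if p in perms]

if __name__ == "__main__":
    for perm, can_transmit in audit(SAMPLE_MANIFEST):
        verdict = ("readable AND sendable off-device" if can_transmit
                   else "readable, no network permission requested")
        print(f"{DATA_SOURCES[perm]}: {verdict}")
```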