by habosa 4198 days ago
There are two additions to the permissions API that I think would be very helpful:

1) Incremental Authorization - let Android apps ask for permissions only as they need them. So if you never use the phone dialing feature, they never ask for the permission.

2) One-time auth - allow an Android app to do something once. Say, scan your contacts one time. This gives you a little more control, so you know the dev isn't monitoring your phone at 3am.

Here is the problem though: most people don't actually care. The vocal minority cares, but most Android users don't know what a permission is if you ask them. So all that developers get for trying to work around permissions is fewer people using their app or fewer features in the app. Sadly there is no real incentive for a developer to be sparing with permissions for apps that target the mass market.

2 comments

> 1) Incremental Authorization - let Android apps ask for permissions only as they need them. So if you never use the phone dialing feature, they never ask for the permission.

Not only incremental authorization, but the ability of denying specific permissions.

Take it a step further: I should be able to forge the contacts in my address book, my GPS coordinates, the list of installed apps... The list goes on.

But I would happily start with incremental permissions. Baby steps.

As far as I understand, there is an option that is even simpler for application developers: all applications have the permissions to see and alter whatever they want on the phone, up to a storage quota for modifications. Most of their accesses are hellbanned, though… Hellbanning logic can be altered by applications (obviously, the user would have to allow the configuration application to access the real settings), so granularity can be added as a bolt-on.

But I guess giving users actual security and privacy is against both Google's and Apple's interest, so this can only exist on a custom ROM without Google Play Services (or with sandboxed Google Play Services, which is probably against EULA).

Well, with incremental the developer would put what is 'required' into the manifest for install-time prompt and incremental the rest.

You can't expect a developer to allow you to deny any permission; the whole app would be a giant if-statement spaghetti accounting for all of the permission combinations and workarounds.

As a user, I don't care if your app will self-destruct if you don't get access to permissions like "read and send SMSs". I simply don't want a free-to-play game to scan my SMSs for advertisement purposes.
Even if you failed to guarantee a functional app for people who deny permissions, it would still be an improvement over the current status quo.
Developers manage it for iOS, so why can't they do it for Android?
iOS has taken option 1 since the beginning and it works.

I can install Instagram and deny it access to the camera. It still works, it doesn't crap out on me. I don't need to install 3rd party rooted tools to provide a fake camera for it.