Re: Installing web apps

On Feb 1, 2012, at 21:20 , Paul Libbrecht wrote:
> Le 1 févr. 2012 à 21:03, Boris Zbarsky a écrit :
>>> Android goes somewhat in this direction with its app-security model...
>> 
>> With all due respect, the app-security model on Android is a joke. Everyone just clicks through the permissions grant without even reading what's being requested, because _every_ app asks for a bunch of permission grants up front and won't run until you grant them.  Any random game wants permission to do arbitrary internet access (as mentioned earlier on this thread, already a security hole if you happen to be behind a firewall when you run the game), listen to your phone conversations, read your addressbook, etc.  Perhaps they do have some sort of rarely-used features that require such access, but the model forces them to ask for all the permissions immediately... and the user is trained to just accept.
> 
> No, no app has yet demanded me my addressbook access and some apps add advertisement: and hey, I do not need network.
> That's the general problem with demanding permissions... I agree it's in infancy.

Apps on Android are unlikely to request access to your address book because the Android Intents model makes it so that unless you're installing a contacts manager app, there probably is no reason why any app would have access to that. That said, if it did require access, the odds that a user would notice are close to nil.

> However this is for an APP download, where you expect some level of trust (basically the essence of an app store's objective?).

I would hesitate to be all too trustworthy. There are plenty of examples of bad stuff getting past the gates. I think we're much better off with a security model that doesn't require you to trust a third party because it's an obvious point of failure.

-- 
Robin Berjon - http://berjon.com/ - @robinberjon

Received on Wednesday, 8 February 2012 21:47:28 UTC