11 Oct 2011

Android app permissions and Firefox Beta

As a non-profit organization, Mozilla has a strong commitment to personal privacy and empowerment. But after we released the last update to Firefox Beta for Android, many people started asking us why Firefox needed access to their phone numbers.

Firefox does not access users’ phone numbers, but it was clear that we needed to address this concern. Where did these questions come from? Here’s the first thing users saw when installing or updating Firefox Beta in the Android Market:

The “Phone Calls” permission was added in the last update to Firefox Beta (but has been since been removed, as I’ll explain below). When users installed that update and tapped on “Phone calls” for more information, they saw this:

Why did Firefox Beta ask for this permission? Firefox did not ever access phone numbers, serial numbers, or phone calls. But it did have code to detect the type of network connection: 2G, 3G, 4G, Wi-Fi, and so on. Firefox or add-ons could use this code to change settings automatically based on network type, for example to use less data on mobile networks.

Unfortunately, this required permission to READ_PHONE_STATE, which also grants access to very sensitive data. We knew this would worry some users, so we immediately started working on explaining how and why Firefox uses various permissions. We now have this information on our support site and will link to it from our Android Market page.

But the reaction to the new permission in Firefox Beta was so strong that we decided to remove that permission completely, along with the code that used it. Now when you go to the Android Market to install Firefox Beta, it will no longer ask to read “phone state and identity.”

Thoughts on Android Permissions

Permissions on Android and similar platforms are not perfect, but they do give users some useful tools to protect themselves. When an app requests only minimal permissions, users know it can do only limited damage if it is buggy or malicious. Recent versions of Android also have well-written explanations of each permission to help users make decisions.

But when an app requests lots of permissions, users have a tough choice. They can grant the permissions, or not use the app at all. This is especially bad for permissions like READ_PHONE_STATE that are needed for some reasonable features but also provide access to sensitive data. Eventually, most people probably get used to granting whatever permissions are requested, especially for apps like Facebook and Netflix that provide unique access to popular services.

Making permissions finer-grained might help (for example, separating “Read phone number” from “Read connection type”), but would also mean longer lists of permissions. That could make users even less likely to read and understand them. Explanations from developers can also help, but only if users trust them to tell the truth. Allowing users to grant or deny individual permissions (perhaps only at the time the app needs them) might help too, or it might just train users to always grant permissions so that apps will stop nagging them.

Aside from these overall design issues, there are also bugs in the developer documentation, and a bug that causes old permissions to stick around even after updating to a new version that doesn’t need them. These little bugs make it harder for developers to do the right thing. Some researchers at UC Berkeley have analyzed the Android source code to produce tools and documentation that fill in some of the gaps for developers.

The good news is that some users are paying attention, and those users make things better for everyone by pressuring developers (like us!) to remove invasive permissions. If you’re one of the Firefox fans who wrote to us about the new permissions in Firefox Beta, thank you! We appreciate it.