Showing posts with label rant. Show all posts

Thursday, 30 July 2015

Android Updates with New Permissions

Permissions, the system by which apps declare which hardware or special functions they wish to use, are getting a huge overhaul in the next version of Android, codenamed 'M'. Full details can be found here, with a slightly more palatable version here. This may or may not make developers more aware of the impact of the APIs they use and declare, and of how users view, care or don't care about how apps use the hardware and special functions of their Android devices. Certainly a recently published vulnerability within Stagefright (an Android component) has given Android security the unwanted spotlight yet again, so both enterprise and home users alike may be getting more wary, we can only hope. I wrote about the need for a better security patching system for Android 15 months ago, and nothing has changed; it is still a problem given the Stagefright vulnerability.

However, with the current system of permissions declaration in play for a number of months yet before 'M' is released, and perhaps even longer given the slow roll-out of new versions of Android across manufacturer and carrier variants, here are some examples of how permissions should and shouldn't be dealt with! Android users will know that in some app updates, developers add features which require them to use extra permissions, and these are displayed to the user at update time.


Case 1

Here's an example from a voicemail app, which for some reason now wants extra permissions from no fewer than 9 different categories:



When developers publish app updates, they are encouraged to give proper release notes, explaining what has changed in the new version. Here is the accompanying text:




They seem like mainly fixes, improvements to existing features, and that's about it. So why all the new permissions? Why should I be happy, as a user, to suddenly allow this app to get much more of the content and functionality within my device? I contacted the developer, and the response below seems to suggest they were forced into declaring all these permissions just to add badge support for the app's icon in the various launchers.

"Unfortunately we had to add them in order to set the badge counters but they are ALL related to that and are specific to different launchers from various manufacturers and third parties."

This may or may not seem appropriate to you. Most apps asking for further permissions are usually legitimate, and sometimes Android will put developers in a corner with certain APIs and permissions. However, it would have been far better to include a reference to this in the release notes.

Case 2

Here is an altogether better example. This is a password management app, which itself was in the news for a breach last month, but takes a different approach. Here's the app update, and the new permissions it wants to declare:


Not as many as the voicemail app, granted, but still permissions I might be interested in if the privacy of my location is very important to me. Let's see what the release notes say:


A full list of new features, with new permissions called out where they are needed. Much better, more transparent, and the user understands why they are required. Furthermore, for extra credit there is a link at the bottom which follows through to their website, where every single permission used by the app is described in detail, not just the new ones.
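A release-time check in the spirit of the two cases above, as an added example that is not from this post or from either app: it diffs the permissions declared in two decoded manifests and lists the new ones the release notes never mention. The manifests, release notes and keyword map are constructed, and matching by keyword is an assumed heuristic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed decoded manifests for a hypothetical app (com.example.vault).
# Intended for your own build output; use defusedxml for untrusted APKs.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vault">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vault">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
</manifest>"""

# Constructed release notes: only the location permission is called out.
RELEASE_NOTES = """What's new:
- Fill in addresses from your current location (needs the new Location permission)
- Bug fixes and performance improvements"""

# Assumed mapping from permission name to words a user-facing note would use.
KEYWORDS = {
    "android.permission.ACCESS_FINE_LOCATION": ("location",),
    "android.permission.READ_CONTACTS": ("contacts",),
    "android.permission.CAMERA": ("camera",),
}

def declared_permissions(manifest_xml):
    """Return the set of permission names a manifest declares."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for tag in PERMISSION_TAGS for el in root.iter(tag)
            if el.get(ANDROID_NS + "name")}

def unexplained_permissions(old_xml, new_xml, notes):
    """List permissions added by the update that the notes never mention."""
    added = declared_permissions(new_xml) - declared_permissions(old_xml)
    text = notes.lower()
    missing = []
    for perm in sorted(added):
        # Unknown permissions fall back to their short name, e.g. "nfc".
        words = KEYWORDS.get(perm, (perm.rsplit(".", 1)[-1].lower(),))
        if not any(word in text for word in words):
            missing.append(perm)
    return missing

if __name__ == "__main__":
    for perm in unexplained_permissions(OLD_MANIFEST, NEW_MANIFEST, RELEASE_NOTES):
        print("New permission not explained in release notes:", perm)
```

Run before publishing, a non-empty result is the Case 1 situation: new permissions with nothing in the notes to justify them.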

 

Now, if I didn't want the app to use the new permissions, I only have one choice: don't install the update. This becomes tricky if I want other new features or fixes; as a user I can't be granular. However, as previously described, the new version of Android, 'M', is due to make significant improvements to the granular control and to the user experience of being notified that apps are using certain hardware or software functions.

And finally...

Whilst we're on the topic of app updates, a special mention has to go to Shifty Jelly for their Pocket Casts release notes. They do the job of describing new features and permissions required, but also include some great humour at the same time, always amusing!

Tuesday, 15 July 2014

Feels Like a New Moto G

I factory reset my Moto G last night and set everything up from scratch. I'd not done this since I bought the phone 7 months ago. It took until past midnight, and I was short on sleep anyway!

However, battery life in the 48 hours since the reset has been much better, and the feel around the operating system is much quicker, along with only one app crashing where previously there would have been several. This is with the same set of apps and data as before the reset. To be complete in the detail here, that 7 months' usage did include the update from Jelly Bean to KitKat. The conclusions are therefore:
  • Android now behaves like Windows, in that users who consume lots of software/apps/services will accumulate crud, which over time slows the device down and makes random things (crashes, force closes) happen, and only a fresh install gets you back to the speed and stability you know the hardware is capable of.
  • Major version updates of the operating system should always be followed by a factory reset where possible.
  • Android's native backup and restore of apps and app data is still pathetic, and very rarely restores a complete set of apps or app data, if it starts at all. There’s very little control of how it happens, and no web portal to see the apps Google has linked to your account, such that you know the apps it will restore, and have a choice to prune the list. Android is far, far behind iOS in this area, which has had flawless backup and restore for years.
  • The Moto G really is a brilliant device, especially given the context that this (albeit non-4G variant) 16GB model cost me £81 brand new from Tesco with ClubCard vouchers plus £3 for a SIM unlock.
None of this is news per se, but as one of those annoying folks who wants his phones to be "phone sized" (that's around 130mm x 65mm for me) it does justify my feeling that there isn't a better phone out there for me right now, over 7 months after the Moto G originally 

I've been tempted by a Moto X, the natural migration path in some ways from the Moto G, but as it is now a year old, a successor is likely around the corner. Given the Samsung Galaxy S5 Mini and HTC One Mini 2 were both disappointing and overpriced, my hopes for a new phone-sized phone to purchase seem to rest on rumoured devices such as:
  • Sony Z2 Compact, where they'll hopefully have fixed the Z1 Compact's problems like the under-performing camera, the nasty factory-fitted screen protectors, and the chassis design that makes it feel larger than it is.
  • Moto X2, where they'll have a much better camera than that on the Moto X, and release it in the UK promptly (versus 6-7 months delay on the Moto X after it launched in the US)
  • Some other thing that's a bit off piste and will surprise me into a purchase (a small Xiaomi device, a OnePlus One Mini, etc)
That list doesn't include anything too concrete, or even anything likely to be released in the near future. It's just as well this feels like a new Moto G since the factory reset, as I seemingly won't be buying anything actually new any time soon...

Monday, 28 April 2014

Android Needs A Better Security Update System

Recent security issues such as Heartbleed, which reportedly affects Android 4.1.1 (http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html), and permissions being a bit too permissive (http://www.fireeye.com/blog/uncategorized/2014/04/occupy_your_icons_silently_on_android.html) have both apparently resulted in Google releasing fixes to their partners. We all know that their partners, the device manufacturers, have a poor history at updating devices, especially those devices which are more than a year or so old. In some countries, mobile network operators add a significant delay to the update process, sometimes many weeks or months.

It must therefore be time for Google to implement a direct system for applying security updates to devices, which does not rely on device manufacturers or mobile network operators. Sure, it's not the ideal scenario; both device manufacturers and mobile network operators would much prefer to test the updates before releasing them into the wild. However, the direct system is surely better than having many hundreds of thousands of devices stuck on vulnerable versions of an operating system? Depending on which set of statistics you look at, there could be anywhere from 10% to 34% of Android devices in use today on the 4.1.1 version that is vulnerable to Heartbleed.


Somewhat ironically, Microsoft's Windows operating system, which is not usually held up as a shining light for security best practice, has had a direct system for updates for many years. It's not perfect or 100% interoperable in every scenario, due to the massive array of both operating system customisations and end user software on the market for Windows. However, it does give Microsoft a direct route to deliver security patches, a route which isn't dependent on anybody else (outside of the corporate environment anyway, where rolling out updates is typically managed by the organisation centrally in a controlled manner).

Apple has the clout to do system updates direct for its iOS devices, but having control of the hardware and operating system stack end-to-end means there are fewer integration risks than with the plethora of Android-based devices in the wild. Maybe that appeases the concerns of the mobile network operators. Apple also control app releases in their App Store much more than Google do in the Play Store, and the apps themselves have far less access to the operating system, with much fewer and wider ranging APIs available to app developers. Maybe that too reduces the risk of interoperability failures when updates are rolled out without mobile network operators having their testing time.


Google Play Services, a set of core modules responsible for providing the majority of APIs to non-system apps (amongst other things), is already updated directly from Google without any middlemen and without a user having to visit the Play Store, tick any boxes, or even "accept" the update. This system works already, and is responsible for bringing some new features to devices without them needing an operating system version upgrade or a firmware upgrade from the device manufacturer. It would therefore not sound inconceivable that the next major version of Android, be it numbered 4.5 or 5.0, should include some form of device update system, similar to that used for Google Play Services, to bring security updates to users in a timely manner, for the good of everyone.

Sunday, 2 December 2012

Form Factor Monotony

I had to add an extra label for this post; rant. The title above, form factor monotony, should say it all really, but here's some detail.

From the detailed list of Android phones available here in the UK you will see that the last device to not be a touch-only boring rectangle slab was the Motorola Pro Plus in December 2011. Simply put, every single Android phone released in the UK in the last 12 months has been pretty much the same. Maybe that's not fair; there are slight differences in curves around the edges, bezel sizes, materials and colours for example. The basic design of each is the same though: big slab, big pane of glass, increasingly fewer buttons for things like "home" or the camera shutter and maybe a flap for micro USB or SIM cards.

It's so incredibly boring!

Take a look down the history of Symbian phones. There's some serious variety in there, from phones that twist, flip, slide, have full keyboards, T9 keyboards, the list goes on. There was some serious creativity in there, mostly from Nokia of course being Symbian phones, but this is the best example of a seemingly forgotten art of making something tangibly different, whose physical attributes set it apart 

iPhone hardware is of course very similar through generations too, highly unsurprising given Apple's strategy to keep things simple, and allowing users to upgrade from one iPhone generation to the next without large scale changes and without the need to learn anything new around the hardware. Also different here is Apple controlling the entire device ecosystem, from hardware through operating system to the core software and apps, resulting in a much more uniform experience, which for the most part is a good thing for the average non-geek user.

Windows Phone seems to be following the same path as Android in terms of hardware variety, albeit a year or two behind, much like the operating system itself! The first generation of devices, introduced late 2010, included some small difference in form factors, and we had phones with keyboards, although they all seemed to be sliders and the candy bar qwerty arrangement wasn't taken on by any of the Windows Phone manufacturers. Come late 2012 and Windows Phone 8 hardware has converged on the same touch-only rectangle slab arrangement, from all the manufacturers. Samsung have at least kept a small amount of variety by sticking with a physical Windows button!

RIM's plans for BlackBerry 10 include touch-only and keyboarded devices at least, but with a large cloud surrounding the company's long term future and ability to execute the plan next year, they don't seem too relevant for this current snapshot.

This isn't the only trend in the smartphone hardware world of course. Sealed batteries are close to becoming standard and micro SD card slots are going the way of the Dodo, a trend which could arguably be traced back to Apple's introduction of the iPhone range. There are exceptions, and right up to its latest flagship the Galaxy S III, Samsung was bucking this trend and included both a changeable battery and a micro SD card slot. The days of these features seem numbered though, much like the reducing trend for camera shutter buttons, and the complete lack of a xenon flash equipped camera for a year or two across any of the ecosystems. Personally I can live with sealed batteries, but the SD card slot and shutter button are still big deals for me, but I must be in a diminishing minority.

We've seen that most smartphones are converging to touch-only hardware, with a button or two for power and a home function if you're lucky, and a volume rocker. One can only presume that this is due to the powers of supply and demand. Android and Windows Phone phones had some variety in their early days, but with this fizzling out, one logical train of thought is that the non-slab phones simply did not sell enough for manufacturers to bother making them again; why would you if they lost you money last time around because nobody bought them!? Maybe the extra complexity of non-slab phones and potentially large premium in build cost means they have to sell them at higher prices, which again would decrease demand. Or they're sold at lower margins, meaning the manufacturers, retailers and carriers alike would all see less profit on these devices, and their days would be numbered.

I don't blame the manufacturers, retailers or carriers for not continuing with devices which don't sell or don't make them enough money to bother; that's just life selling in a free (ish) marketplace. It does however make life for the smartphone enthusiast very dull. In recent episodes of both The Verge Mobile Show and The Phones Show Chat the presenters have bemoaned the lack of interesting devices, and alluded to a perceived plateau of technology and specifications within the smartphone space (although in fairness Chris Ziegler was rather shot down for his explanation of this, though he stuck to his guns!)

I've found myself agreeing with these guys; an industry which was once really interesting is starting to decline in variety. We still have 3 or 4 platforms to keep us interested on the software front, but hardware is becoming more of a commodity (it's not there yet) which is a real shame, and it seems that whilst I once changed phones every few weeks that is starting to drop to every few months, or more.