Following the recent revelations that nearly 500,000 Google+ users had their user profile data left out in the open — due to a software bug that Google knew about but decided to let slide no less — the Internet search giant is now introducing changes in the way Android apps ask for permissions. The hope is to give users more control over what they decide to share with a certain app.
The initiative is called "Project Strobe," which Google describes as "a root-and-branch review of third-party developer access to Google account and Android device data and of [the company's] philosophy around apps’ data access."
This is what the new permission review process will look like. Notice that both the "Deny" and "Allow" buttons are of the same size and color.
To help users gain a better understanding of what data they're sharing, and with what apps, Google is changing the way Android apps display and ask for permissions when you sign in with your Google Account. Currently, apps normally request permissions in a single screen, but going forward, each permission will have its own dialog window where you'll be able to read about and either allow or deny the request.
For example, if you link your Google Account with a third-party app right now, it may need access to your Calendar and Google Drive and will present the information in a single screen. You can still use the "Information" icon to disable permissions on a per-app basis, but there's a huge number of people out there who will simply tap the big, blue "Allow" button and never even give the permissions a second look. Google hopes to rectify this with the new permissions system.
Google is also updating its User Data Policy for Gmail, in order to limit the apps that may ask for permission to access your email data. Going forward, only apps directly tied to email functionality — such as email clients, email backup services and productivity services, to name a few — will be authorized to access this data. Developers will also have to agree to a set of new rules on handling Gmail data and will be "subject to security assessments," Google says.
The next step Google intends to take is to limit apps' ability to request Call Log and SMS permissions. When the new changes come into effect, only an app that you’ve selected as your default app for making calls or sending text messages will be able to make these requests. The few exceptions to this rule include voicemail and backup apps that may need access to this data. Developers also won't have access to your contact interaction data via the Android Contacts API.
Will this be enough to help people pay more attention to the permissions they're granting when linking their Google Accounts to different apps? Remains to be seen. Will it be enough to shift people's attention from the fact that all of this is happening because Google neglected a serious bug? Not likely.
The bug in the Google+ API left user data, such as names, birthdates, email addresses, profile photos, and occupations, of 496,951 Google+ users out in the open. Granted, the company claims that there is no evidence of any developers knowing about or taking advantage of the bug, nor of any misuse of user data in the three years during which the bug existed.
Google is expected to introduce other changes in the coming months and tighten up the controls and policies for its APIs. The app permission review process will likely be the biggest change brought to the table, as far as the average consumer is concerned.