How Google Got Developers to Ask for Fewer Permissions 60% of the Time

Permissions are a vital component of any mobile experience. Apple and Google both go to great lengths to tell users what permissions an app is asking for as part of their mobile frameworks. So if an app that helps you find the nearest coffee shop asks for permission to read your entire contact list and make telephone calls, you should think twice.

Google is always pressing developers to use permissions appropriately, and it recently explained one method it uses to persuade them. In a blog post, Google executives detailed how they use the company’s administrative tools to help developers ask for only the appropriate permissions when creating their code.

The search giant chose the Google Developer Console to make its recommendations on app permissions. This is a site that lets developers publish their apps, manage and view traffic data, and handle authentication and billing data for Google APIs.

When a developer uses the console to help manage their app, the company identifies peer apps with similar functionality and compares the permission requests that they make against those in the developer’s app. If the developer’s app is overly aggressive in its permissions requests compared to the broader base of apps, Google will message the developer asking if this is strictly necessary. Google uses deep learning technology to handle the analysis.

Developers might see a message like: “Your app is requesting the following permission which is used by less than 3% of functionally similar apps: AccessGPS.”

Google won’t penalize the app developer for using these permissions, because the request might well be legitimate. It’s just a friendly reminder.
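The peer comparison described above can be sketched in a few lines. This is an added example, not Google's code: the peer group is assumed to be given as input (Google derives it with deep learning), the manifest and peer data are constructed, and the 3% threshold is taken from the message quoted above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed manifest for a hypothetical coffee-shop finder app.
SAMPLE_MANIFEST = f"""<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.coffeefinder">
  <uses-permission android:name="{P}INTERNET"/>
  <uses-permission android:name="{P}ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="{P}READ_CONTACTS"/>
  <uses-permission android:name="{P}CALL_PHONE"/>
</manifest>"""

# Constructed peer group of 100 functionally similar apps (assumed given).
PEERS = [
    {P + "INTERNET"}
    | ({P + "ACCESS_FINE_LOCATION"} if i < 90 else set())
    | ({P + "READ_CONTACTS"} if i < 2 else set())
    for i in range(100)
]

def manifest_permissions(manifest_xml):
    """Return the permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    key = ANDROID_NS + "name"
    return {el.attrib[key] for el in root.iter("uses-permission") if key in el.attrib}

def rare_permissions(app_perms, peer_perm_sets, threshold=0.03):
    """Map each requested permission used by fewer than `threshold` of the
    peers to its peer share. With no peers there is nothing to compare."""
    if not peer_perm_sets:
        return {}
    findings = {}
    for perm in sorted(app_perms):
        share = sum(perm in peers for peers in peer_perm_sets) / len(peer_perm_sets)
        if share < threshold:
            findings[perm] = share
    return findings

def nudges(findings, threshold=0.03):
    """Word each finding like the console message quoted above (advisory only)."""
    return [
        f"Your app is requesting the following permission which is used by "
        f"less than {threshold:.0%} of functionally similar apps: {perm}"
        for perm in findings
    ]

if __name__ == "__main__":
    found = rare_permissions(manifest_permissions(SAMPLE_MANIFEST), PEERS)
    print("\n".join(nudges(found)))
```

The same check could run as a warning step in a build pipeline, which is one form the "shift left" idea could take.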

It also works. According to the company, after its first year of deployment, the recommendation system caused developers to reduce their permission requests 60% of the time, affecting over 55 billion app installs.

Is this kind of privacy protection something that we could ‘shift left’ to happen even earlier in the development process? The GDPR calls for privacy by design, a concept that encourages us to consider privacy (and by implication security) from the early stage of product and service design. Data privacy shouldn’t be an afterthought.

Might we see integrated development environments (IDEs) warning developers when their program code looks like it’s doing something egregious with personal data? If code is too granular for IDEs to recognize this, is it something that higher-level no- or low-code environments could handle?

Perhaps in the future, Microsoft’s dreaded Clippy will make a comeback, but instead of offering a harried office worker help with writing a letter, it will say: “It looks like you’re trying to send someone’s social security number over an unencrypted link, which isn’t a good idea. Would you like help fixing that?”
