Arno,
An app *must* contain the permission request in the manifest,
regardless if it actually uses it or not.
>
I take that as "regardless if it *directly* uses it or not."
>
There is no "direct use". Either an app does use a system API
which requires a permission or not.
:-) I think we are talking about the same thing, though I think from
different vantage points. The "direct use" quip was about the difference of
only asking the permission when the app actually uses it, versus asking for
all permissions at install time.
"Late binding" is required for *all* permissions in newer Android
versions. I am not sure when Google changed this, but as far as I
remember, Android 6 introduced that.
A decision I consider as being bad. For reason(s) I already mentioned.
I hope my phone's OS doesn't follow it.
:-) You talk as if you are smart enough, but at the same time you seem
to blindly trust an app's honesty in obeying a setting it manages
itself.
I don't.
>
I don't either - but I can read and understand source code:
:-) I've worked my way thru enough sourcecode to know that a lot can go on
in there that I will never be able to fully grasp. Kudos to you that you
can.
And yes, I also develop Android software myself:
I'm not at all surprised about it.
They *tell you* that they will /just/ take the contact names, and leave
everything else (you know, phone numbers, addresses, etc.) alone, and
you believe them ? Again, I don't.
>
Who is "they"?
The app's infopage (wherever it is stored) ?
Heliboard is not sold by a company but provided by a bunch of
contributors (at the moment 26 - see
<https://github.com/Helium314/HeliBoard/graphs/contributors>) who
spend their free time to maintain a keyboard app you can use for free.
>
So you believe all these guys work on that app to spy on you?
Is there any reason why I should believe that /all/ app makers - or in this
case all 26 contributors of it - are all fully above board ? On which
ground please ?
Also, *You* have the capability to inspect their sourcecode, and make your
decisions on that. I would call that distrust too. I'm not at your level
of expertise, so I'm not allowed to have the same distrust ?
And FWY, I was-and-am talking about apps in general. You keeping pushing a
specific app forward as proof that my distrust is unwarranted is therefore
meaningless to me.
And pardon me, but as someone who can inspect such apps (I take it you have
some kind of de-compiler at hand too) you must have encountered a number
which are rather ... iffy in what they try to do, and "not quite" matching
their info sheet.
FYI, I'm frequenting a website which regularly talks about how, often
high-ranked, Android apps contain malware, purposely put there by the app
maker or because (s)he used a third-party library which contained it.
Then don't use the app or better don't use smartphones at all - and
yes, I am really serious!
You sound as if I trust the OS I'm running I also *must* trust the apps that
can run on it. I sure hope I misinterpreted that.
Also, there is a reason why some phone OS-es offer you to provide
apps asking for such a permission a fake list.
>
Which does not solve the issue, that you still have to trust the OS that
it works as intended.
Indeed. The only difference is that if I (think I) can trust the OS then
it becomes a bottleneck for the apps that are up to no good, and thereby
neutralizes those. So instead of having to worry about all the apps I would
want to put on my phone I only have to worry about one. I don't know
about you, but that sounds like quite an improvement.
Yes - everything is possible! Even if an app has *no* permissions at
all it still can be harmful since there may be a security bug in Android
which a malicious app can exploit. And yes, I am really serious!
:-) The website mentioned talks about such stuff too. So yes, I'm aware
of that.
No, I have no problem trusting an open source app I can check of myself.
:-) You're lying. You're not *trusting* it, you're *vetting* it. Just like
I try to do. But somehow /my/ vetting is problematic to you. Why ?
No I don't expect anything except not being paranoid and trying
to understand *why* I told you that about Heliboard.
Ask yourself how I could possibly *know* why you mentioned that app. You
might be fully above board, but you could as easily be someone who's trying
to goad people into installing (trojaned) malware. (don't worry, I'm leaning
to the former).
And do ask yourself why I would trust someone I cannot touch if he violates
that trust ? That's not trust, that is merely acknowledging that there is no
other choice.
But to be honest, Heliboard looks, permission wise, to be one of the better
ones. If-and-when I install it I likely won't give it that READ_CONTACTS
permission though.
Then again, I might just go for the other one in my (short) list, which only
asks access to the dictionary and vibrate.
Regards,
Rudy Wieser