It took three years for Google to match Apple’s security permissions for personal data within apps, Hiroshi Lockheimer tells the Guardian

Why it took us so long to match Apple on privacy – a Google exec explains

New privacy features available in Google’s forthcoming Android M software update will give users of Android mobile phones and tablets more control over how their personal data is used.



Yet while Android M will finally give users the same privacy protections against rogue apps that Apple’s iOS has had for three years, Google has admitted that earlier attempts to improve these controls had failed.

M, which is expected to be released in or soon after July 2015, will allow users to pick and choose which data and services apps have access to on a case-by-case basis, when the app requests it.



Until now, the norm for Android apps has been that users either accept all the app’s permission requests at the moment of install or simply don’t install the app. The requests range from access to the internet, the microphone, camera or storage to monitoring call states or location.

‘App ops’ - built, but hidden from view

However, in 2013 Google added the ability to deny apps access to certain data and services within its Android 4.3 “Jelly Bean” operating system.

The feature, dubbed “App ops”, was hidden within Android and only accessible using third-party tools, but laid the basis for per-app permissions and was praised as a big step forward for user privacy by the Electronic Frontier Foundation.

“App ops was launched somewhat out of context; we really needed to solve the whole story, not just launch App ops without moving apps from install time to run time permission requests,” said Google’s Hiroshi Lockheimer, head of Android and Chrome OS development.

App ops was short-lived, seemingly only seeing the light of day due to developer in-fighting, before being removed in the Android 4.4.2 update some weeks later.

“Applications on Android, starting in 2008, were not built with the notion that certain functionality could be turned off behind their backs – that was just never the assumption for developers because that was not how the APIs were designed.”



Cyanogen OS’s App ops control panel allows users to set access to user data on an app-by-app basis. Photograph: Samuel Gibbs/The Guardian

The worry was that denying an application access to a location or microphone without telling it would cause it to break or crash. Despite this, modified versions of Android, such as Cyanogen OS, found ways of making an individual permission system similar to App ops work. Google took over two years to work out a scheme.

‘Getting things aligned took a while’

“There are a lot of players involved, from Google to developers and consumers – getting it all into alignment took a while to get right,” Lockheimer said. “We’re starting in M, because every time we have a major release we can change these things, and we were able to modify and create new application programming interfaces (API) to handle it.”

Developers do not have to use the new run-time permissions system unless they want to use the new Android M developer tools and any further improvements going forward. Google thinks that the new capabilities in Android M will be a big enough incentive to drag all developers over to the new APIs, and therefore to the permissions system.

The new permissions system also applies to Google’s own apps, which means users could block Google from knowing their location, or prevent access to their address book or personal information.

“The way Android works is that there is no advantage we can give to Google’s applications, everyone operates on a level playing field,” said Lockheimer. “Android is an operating system, which Google is a third-party developer to – the Gmail app, for instance, is an app, and as such is subject to the exact same rules.”

Google’s new implementation of app permissions is very similar to that seen in App ops in 2013. Photograph: Google

One of the problems with permissions requests is that users do not understand what they are being asked for and invariably just end up saying yes to any dialogue box that pops up.

Contextual decisions make people think more about privacy

“Doing permissions in context helps prevent the ‘yes’ muscle memory,” explained Lockheimer. “It helps to break down the decisions on the access that apps are asking for, such as the microphone when the user has tried to send a voice message.”

Google has also ramped up its screening of apps. Each app submitted to the Play Store is run on a virtualisation screening system, while people review some of them for things like hate speech. It’s not quite to the same degree as Apple’s app store review policy, but helps keep users safe, said Lockheimer.

The Silicon Valley firm is currently being investigated by the European Commission over its alleged abuse of its smartphone market share and the incentives it offers to bundle apps and services on Android.

Any moves to help protect user privacy, however unrelated to app bundling, will be seen as a positive step, even if they are seen as several years late by many.
