AALS Android App Wants Ridiculous Number of Permsissons

How many permissions does a meeting app need?

The American Association of Law Schools has an Android app to help guide the perplexed through the giant list of events that is its 2015 annual meeting.

The app seems to want a ridiculous number of permissions and I decided not to install it:

Version 1.0.0 can access:

  • Device & app history
    • retrieve running apps
  • Identity
    • find accounts on the device
    • add or remove accounts
  • Calendar
    • add or modify calendar events and send email to guests without owners’ knowledge
    • read calendar events plus confidential information
  • Contacts
    • read your contacts
    • modify your contacts
  • Location
    • precise location (GPS and network-based)
    • approximate location (network-based)
  • Phone
    • directly call phone numbers
  • Photos/Media/Files
    • modify or delete the contents of your USB storage
    • test access to protected storage
  • Camera
    • take pictures and videos
  • Device ID & call information
    • read phone status and identity
  • Other
    • receive data from Internet
    • pair with Bluetooth devices
    • access Bluetooth settings
    • full network access
    • view network connections
    • control vibration
    • prevent device from sleeping
    • run at startup
    • use accounts on the device
    • send sticky broadcast
    • delete all app cache data

Not to mention that “Updates to AALS2015 may automatically add additional capabilities within each group.”

I’m disappointed that the AALS hasn’t offered an app that is more sensitive to the privacy interests of attendees. What possible functionality does it offer that needs all this?

There is also an iPhone version – no idea if it’s better behaved.

This entry was posted in Talks & Conferences. Bookmark the permalink.

3 Responses to AALS Android App Wants Ridiculous Number of Permsissons

  1. You touch on something that’s often puzzled me. I can understand why an app might want to ask for access to my contacts, much as I dislike the idea. But what on earth is the purpose of “directly call phone numbers” or “add or remove accounts” or any of several others on the list? It isn’t just that it irritates me, I’m also miffed to be so clueless. Perhaps there’s an app developer among your readers who can enlighten us?

  2. Pablo Molina says:

    Good post! As an iPhone user, it did not occur to me that the Android
    privacy settings of the annual meeting app would be so sloppy. Several
    technology, intellectual property, privacy, and cyber law experts
    evaluated the app. While we addressed some privacy issues before the
    release, we did not think about the Android problems. We should have known
    better. As you can read below, iOS handles privacy permissions differently.

    http://www.intego.com/mac-security-blog/app-permissions-android-vs-iphone/

    Yours is the right call. Do not use the app until Google, the mobile app developer, and the users can control better the privacy settings on Android devices. We hope that others will help us test a new version of the app for next year’s meeting.

    Dr. Pablo G. Molina, CIO, Association of American Law Schools

  3. Vic says:

    With the understanding that I know nothing specifically about this app, I can also say that each of these items has a (possible) perfectly reasonable explanation. Obviously, a nefarious one is always possible too. I think that one must, with ANY app, evaluate the dangers in light of the likely motivations of the developers. This is (apparently) an app that will be used for assisting scheduling and networking at a conference, and it is more unlikely that there is a nefarious use planned, given the purpose and intended audience. So why worry about it?

    Additionally, I suspect it is made to look all the blacker by the generic warnings. “It’s gonna read your contacts…ooooh!” I think some of the things it might do are just bad ways of describing something that you’d likely expect if not want such an app to do. It just looks like it will integrate itself into the google universe that we all carry around in our Androids.

    (And I further suspect that the Apple version of the app is not really any better in this regard – it probably does most if not all of the same things – it just doesn’t warn you about them in the same way.)

    Really, I wouldn’t worry about this one.

Comments are closed.