Skip to Main Content
PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

EFF: You Can Have Privacy or Security on Android, Not Both

Earlier this week, the Electronic Frontier Foundation praised App Ops Launcher included in Android 4.3 (Jelly Bean) as an "extremely important app privacy feature," but it turns out Google had removed this feature in the latest Android KitKat (4.4.2).

December 13, 2013
App Ops Launcher

Google giveth privacy in Android Jelly Bean, and Google taketh it away in Android KitKat. What's a privacy conscious user to do?

Earlier this week, the Electronic Frontier Foundation praised the App Ops Launcher included in Android 4.3 (Jelly Bean) as an "extremely important app privacy feature," but it turns out Google had removed this feature in the latest Android KitKat (4.4.2). Google told the EFF that App Ops Launcher was considered experimental and had been released "by accident."

"For the time being, users will need to choose between either privacy or security on the Android devices, but not both," wrote Peter Eckersley, a technology projects director for the EFF.

Granular Privacy Controls
App Ops Launcher allowed users to install apps while preventing the app from collecting specific types of sensitive data, such as the user's location or addressbook. Up until App Ops, Android's privacy permissions were set up in such a way that users could not install an app and still say "no" to certain permissions, such as reading the addressbook or collecting location data. For example, if users want to install an app like Brightest Flashlight without giving it permission to know your location, under Android without App Ops, they can't. It was either install and grant all permissions, or not install the app at all.

This is something Apple had already addressed in iOS.

The fact that Android users could not turn off specific app permissions was a "Stygian hole" in the Android security model, and the reason why App Ops was such a promising development, Eckersley said.

Google told EFF the tool could break some of the functionality in the apps instead of just policing its behavior. "We are suspicious of this explanation, and do not think that it in any way justifies removing the feature rather than improving it," Eckersley said.

The User Dilemma
With App Ops disappearing from the latest version of Android, privacy- and security-conscious users are faced with a quandary. If you are especially concerned about app privacy, then you want App Ops and should stick with Android 4.3. But not updating to Android 4.4.2 is a "catastrophic situation" because the latest version contains fixes to security and denial-of-service bugs, Eckersley warned.

For Google to prove that it is serious about user privacy, Google needs to "urgently re-enable the App Ops interface," and then extend it to fix some serious gaps, EFF said in the post. For example, Android users should be able to disable an app's ability to collect all trackable identifiers, including phone numbers and IMEIs, with a single switch. Users should also be able to disable the app's network access entirely.

"There are numerous ways to make App Ops work for developers. Pick one, and deploy it," Eckersley wrote.

Like What You're Reading?

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.


Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

Sign up for other newsletters

TRENDING

About Fahmida Y. Rashid

Fahmida Y. Rashid

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source. Follow me on Twitter: zdfyrashid

Read Fahmida Y.'s full bio

Read the latest from Fahmida Y. Rashid