A pretty nice addition to [the third developer preview of the OS formerly known as Android M] is granular control over the permissions [which] each and every app requires upon installing it, giving Android users "meaningful choice of control". Just like in iOS, apps in Android 6.0 Marshmallow will only [allow] you to grant them a certain permission immediately before the app needs it and not in bulk during the installation, [as was the case] in previous Android installments.
[...] Android 6.0 Marshmallow officially introduces API Level 23, which is one of the requirements to have app permissions that can be granted on demand. All Android apps need to be updated [by their developers] so that they support the brand new API0 Level 23 libraries in order to introduce the individual granular app permissions.
SiliconANGLE notes that 6.0 is also getting native fingerprint support, a new power-saving mode, and Android Pay.
They also note
Hardly anyone with an existing Android phone will ever get to use [6.0].
[...] Android-powered devices rely on the manufacturer to update the operating system and the reality is that it rarely happens.
To put it more crudely, the Android update process is f**ked.
[...] [As Android remains open source and free to use,] Google can't force manufacturers to come to the party in terms of upgrades [any] more than it can force manufacturers to stop skinning their Android installs with their own custom user interfaces and software.
Release of Android 6.0 is expected in 2015Q4.
Original Submission
(Score: 4, Insightful) by K_benzoate on Monday August 31 2015, @09:20AM
The state of Android security is abysmal. Most phones never get updated. They ship with a version of Android and that's what they have forever--which is usually a year or two when the consumer buys a new one because they're so bogged down with crap. That is, to me, criminally wasteful. Now you can get infected just by receiving an MMS message. Even Google's flagship phone the Nexus is vulnerable and remains unpatched.
If Google can't even keep their official Android phones current with security patches what hope do users of other devices have?
For all the restrictions and problems of Apple and iOS at least they get security mostly right. Patches are usually prompt and get pushed out to the majority of devices in a few days. The last thing I need in my life is yet another Linux computer that needs constant babying and attention--and that's what Android is.
Climate change is real and primarily caused by human activity.
(Score: 0) by Anonymous Coward on Monday August 31 2015, @09:29AM
"The last thing I need in my life is yet another Linux computer that needs constant babying and attention"
What do you mean? Linux computers do not need babying and attention.
(Score: 1) by Francis on Monday August 31 2015, @05:54PM
Indeed, while there are updates popping up multiple times a day, sometimes, you don't have to install them immediately, there's nothing stopping you from waiting until the end of the week. I'm sure some of the updates are that important, but most of them are fine if you wait a few days or a week before installation.
That's certainly not any more work than it would be on Windows versions prior to 10.
(Score: 2) by Bot on Monday August 31 2015, @09:34AM
The funny thing is that to transform a linux system into a windows -like upgrade hell they had to work a lot. Had they been lazier we would have gotten something like maemo.
Account abandoned.
(Score: 3, Interesting) by axsdenied on Monday August 31 2015, @09:53AM
Get real, everybody has bugs. Some take longer to fix...
For example Apple took 3 years to fix the FinFisher trojan. I am not sure if even Micro$oft was that bad in the early days of Windows.
And to correct you, google did release updates for its current nexus lineup (on 5th August the updates were being pushed to Nexus 5 and Nexus 6, the Galaxy S5, S6, S6 Edge, and Note Edge, the HTC One M7, One M8, One M9; LG Electronics G2, G3, G4; Sony Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Compact; and the Android One).
A further patches also have been released... so much for rushing things.
And to quote ARS:
"Nexus devices will receive regular monthly security updates. The updates will roll out for the Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player and include fixes for the libStageFright issues. Samsung reportedly introduced a revamped update process for many of the Android phones it sells."
Having a walled garden and full control certainly helps. But it is not google's problem that carriers don't give a crap about you and want you to get a new phone if you want updates.
And if you know what you are doing you will be running CM or something else that has already been patched for Stagefright as soon as google released the patches.
(Score: 2, Troll) by BasilBrush on Monday August 31 2015, @11:05AM
Get real, everybody has bugs. Some take longer to fix...
For example Apple took 3 years to fix the FinFisher trojan.
Pretty stupid to compare a phone OS with a desktop OS. The fact that you didn't compare Android with iOS is pretty revealing - and not in a good way for Android.
Do you work for Google?
Hurrah! Quoting works now!
(Score: 0, Troll) by axsdenied on Monday August 31 2015, @12:56PM
Working for google? Wow, we are getting personal now.
I know I should not feed the trolls but, for the record, I do not work for google. I have an android phone and an iPad. No interest to defend anybody but, while I agree with some of the stuff you said, some of it is just rubbish.
So you say that it is reasonable to fix a bug in desktop OS in 3 years but not in phone OS? WOW!!!
The example of 3 years was the most extreme example I know of. How about an IOS example:
"fixes an issue that prevented GPS accessories from providing location data"
That took "only" 3 months to fix (IOS 8.3 -> IOS 8.4).
Enough said.
(Score: 2) by Hairyfeet on Monday August 31 2015, @01:25PM
Hear Hear, I have no less than 3 sitting in drawers now that were abandoned by the carriers and the only updates to the OS they got was by me rooting them and putting on a third party ROM. That is why I have to give credit to BLU as that $100 quadcore I picked up (great phone BTW, good battery life, great screen, snappy performance) came with Jellybean but had KitKat sitting there waiting when I pressed the update button. And its not just Apple that gets updates right, the wife's Lumia seems to get updates pretty damned fast and according to the list MSFT posted recently should be updated to 10 in the first wave.
As for TFA...anybody want to bet it'll be just like now, where every app asks for everything by default? Without knowing exactly what permissions are needed by a particular app to do its job I have a feeling this really isn't going to be of much help. IMHO what would be of better use would be Google cracking down on devs not using the least possible permissions to get the job done, perhaps by either rewarding those that do with more views on the playstore or yanking off repeat offenders.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by curunir_wolf on Monday August 31 2015, @06:28PM
As for TFA...anybody want to bet it'll be just like now, where every app asks for everything by default?
Well I thought that was the case until someone asked me to install LINE. It's a pretty long list of permissions - pretty sure LINE got them all.
I am a crackpot
(Score: 2, Insightful) by NullPtr on Monday August 31 2015, @10:49AM
Hardly anyone gets android updates? My z3 went from 4 to 5. Your same is true of all flagship phones released in the last year or so. Talking bollocks mate.
(Score: 1) by riT-k0MA on Monday August 31 2015, @12:01PM
Let's face it: the Z3's 5.01 update was abysmal. I just upgraded to 5.1.1 and it's even worse. I turn off my mobile data and wifi at night and wake up the next morning to find that something turned on the internet connection at 3am and phoned home. It's quite disconcerting to have your alarm go off and find that your disconnected phone has several unread emails in the inbox that arrived after you fell asleep.
(Score: 1) by NullPtr on Monday August 31 2015, @01:43PM
I won't face it, no. I don't turn off my data/wifi overnight though as I typically find a percent or so taken and I can live with that as the battery is so good (at least, i get a full day's usage no matter much I use the phone). But I have used similar settings in the past (triggered by smart connect when I connected the device to the magnetic charger) and it worked fine; I'd grab the phone from the charger and immediately i'd get facebook messenger messages, emails etc. Have you worked out whether it was wifi or data being used? Do you have a bunch of tools like greenify, tasker etc installed?
(Score: 1) by Francis on Monday August 31 2015, @05:56PM
It depends where you live and what your carrier is. If I put the phone into airplane mode, it'll use about 2% of the battery charge over 8 hours. If I leave the airplane mode off, it's more like 30%. Some of that is the data transfer, but a lot of that is because AT&T sucks and no matter where you go, the signal isn't as good as it should be.
(Score: 2) by WillR on Monday August 31 2015, @05:12PM
Your same is true of all flagship phones released in the last year or so.
And how many people are using 1-year-old "flagship" phones, compared to the total number using Android?
(Score: 0) by Anonymous Coward on Tuesday September 01 2015, @08:51AM
That IS hardly anyone. While manufacturers would certainly like it(*), not everyone goes and buys a new flagship phone every year or so.
*) thus they are all for shit that encourages such behaviour, like sticking to half-assed update system.. as a bonus there an aura of plausible deniability since it stems from genuine incompetence
(Score: 2, Informative) by rigrig on Monday August 31 2015, @12:42PM
Android might be open source, but the Google apps aren't. From https://en.wikipedia.org/wiki/Android_(operating_system)#Leverage_over_manufacturers [wikipedia.org] :
If Google wanted to, they could include a clause requiring manufacturers to provide updates for a certain period. (the alternative being no Playstore on any device you produce)
No one remembers the singer.
(Score: 2) by Hairyfeet on Monday August 31 2015, @01:35PM
Am I the only one that finds it ironic that everybody had a shitfit when MSFT tried to force things on the OEMs or leveraged the OS to get IE share, but nobody seems to have a problem when Google does it and in fact encourages Google to do so?
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 1) by rigrig on Monday August 31 2015, @05:49PM
While I'm not happy with the situation either, this is different:
Google provides Android with no strings attached, (I'm currently running OmniROM, and they are under no obligation to e.g. include any specific browser.)
Google also provides a nice software package, which only comes as a package deal with lots and lots and lots of strings attached.
Manufacturers could (and have tried to) be less dependent on these Google apps for basic functionality by creating their own apps, but
1) People want to have the Play Store (e.g.: it's the only place I can download my banking app)
2) Including the Play Store means the manufacturer has to include the rest of the package, e.g. Maps
3) Most Google apps are quit nice, so it's pretty much impossible to come up with something perceived as 'better' by people that are already used to the Google versions.
4) Now including their own maps app just makes people complain about bloatware.
However, Google is moving more and more functionality from the core Android system into their app package.
This means that
a) Google can update this through their Play store, so people are less reliant on manufacturers for (security) updates
b) People trying to use custom Android ROMS without subscribing to Google won't get a bunch of features that most Android users do.
Although most of those features seem to require giving most of your data to Google to function properly anyway: It makes sense that Google would need access to my location, contacts and calendar to tell me when to leave to arrive in time for my next appointment.
Having to install a bunch of system apps just to be able to use their Play Store annoys me though, F-Droid works just fine as a regular apk.
No one remembers the singer.
(Score: 0) by Anonymous Coward on Monday August 31 2015, @07:29PM
True.
The only real leverage that Google has (as the biggest dog in the alliance) is the ability to forbid the use of the little green robot logo and use of the Android name for those who won't follow the rules.
To me it's like vendors who don't follow MSFT's requirements (Secure Boot^W^W Crippled Boot) and don't get to apply the official **Will Run Windoze** sticker to their whiteboxes.
-- gewg_
(Score: 1) by axsdenied on Monday August 31 2015, @01:47PM
It is not that simple. It is supposed to be an alliance. Blackmailing partners is definitely not a good move. Also agreements/contracts are already signed, changing them after the fact to someone's disadvantage be difficult.
And then google is set to lose millions if other players do not include the play store...
(Score: 1) by rigrig on Monday August 31 2015, @05:17PM
You're definitely right there.
Maybe, but Google has already stopped Acer from producing phones with an alternative OS for being too Android-like: http://arstechnica.com/gadgets/2012/09/google-blocked-acers-rival-phone-to-prevent-android-fragmentation/ [arstechnica.com]
If "preventing Android fragmentation" is a good cause, why wouldn't "keeping Android devices secure" be?
They don't need to mandate providing upgrades to the last version of Android, but timely patches for severe vulnerabilities until N years after last unit sold would be nice.
This is true, although I wouldn't know how far into the future those contracts extend. I very much doubt that Google has granted blanket licenses for any future devices for the rest of eternity.
No one remembers the singer.
(Score: 2) by quacking duck on Monday August 31 2015, @02:38PM
All the somewhat-credible but often-overblown criticism about iOS copying Android features, and yet Android took how many years to finally copy the far-more crucial granular app permissions model that iOS and Blackberry before it had? After how many additional *millions* of devices were released that can't or won't ever be updated to use this feature?
iOS started off simple, with only location services able to be restricted on a per-app basis... in *2008*. But if this post [androidcentral.com] is to be believed, Android is only finally getting to this fundamental privacy option 7 years later.
(Score: 3, Informative) by halcyon1234 on Monday August 31 2015, @02:55PM
If you have a rooted phone, you can install XPrivacy. Fine grained control-- every permission on every app. It even does real-time and temporary permissions. Install an app. The first time it opens, you tap "DENY" a few times because that flashlight app really doesn't need your Phone ID, carrier, contacts, listen to the microphone, etc.
It also has the option of feeding fake data instead of blanket denying. App asking for you advertisingID? Here, have a random guid. Re-randomize on reboot, or each time the app asks.
App needs internet access once to do a license check? OK, you have it. App is asking again to connect to "keystrokelogging.app.com" or "stuff-ads-in-your-face.app.com"? De-fucking-nied.
So, will Marshmallow have control that fine-grained? If so, yay. But since it's an OS by a company that makes billions off advertising and private information tracking, I doubt it.
Original Submission [thedailywtf.com]
(Score: 1, Insightful) by Anonymous Coward on Monday August 31 2015, @04:36PM
If it has used the old android permissions as a base, yes it would have been granular.
But instead it uses the grouped permissions that was introduced to the play store a year ago or so.
This means that you can't approve reading, but not writing something, as both are in the same category etc.
Also, there is a bunch of permissions that are accepted by default. This because Google deem them "safe".
Oh, and older apps still follow the old system of all or nothing.
(Score: 2) by curunir_wolf on Monday August 31 2015, @06:21PM
I've seen reports that early builds of "the OS formerly known as Android M" can successfully use the MPEG-2 hardware decoding (when available on the platform), and works with Android TV. I don't know how successful they thought it was going to be without it, but I hope that functionality makes it into the final build. There are some neat Android TV devices out there, most are missing what seems like essential features. Like Netflix. :/ Or being able to watch LiveTV without stuttering and artifacts. SiliconDust's road map for their devices and software is really going to need that functionality.
I don't expect to see any consumer devices with this functionality until mid-2016, but I can always build my own with a Pi 2 (and a purchase of the MPEG-2 license [raspberrypi.com]).
I am a crackpot
(Score: 2) by albert on Monday August 31 2015, @08:04PM
If I deny a permission, an app may rudely refuse to run. That does me no good.
Example: When I deny location data, the app should get something random, or maybe just Google headquarters. (configurable I suppose)
(Score: 0) by Anonymous Coward on Monday August 31 2015, @08:32PM
DELEATED!
(Score: 2) by quacking duck on Monday August 31 2015, @08:56PM
Older apps that used all-or-nothing permissions could get away with not handling a no-location exception, but new ones built around granular permissions will have to handle it and a host of other no-data and no-access conditions. At the very least throw up a "you must enable this app's access to X to use feature Y".
(Score: 2) by albert on Monday August 31 2015, @09:45PM
To the maximum extent possible, an app should not know that a permission has been denied.
If I want to deny network access, just make it fail with a common error that provides no hint that I'm denying. The app should think I'm in airplane mode, down in a subway, or out in the middle of the ocean.
If I want to deny my IMEI number, provide a randomly generated one.
Etc.
DO NOT REVEAL THAT PERMISSIONS ARE DENIED.
I don't want some app to be able to refuse to work just because I refuse to let it do what it pleases.
(Score: 2) by Hyperturtle on Monday August 31 2015, @10:00PM
I am under the impression you won't get what you want.
Heck, upgrading to a new wifi nic on a laptop or desktop will cause some license validation schemes to fail. I was once told that only hackers change their mac addresses. Uh, right. That's why they are locally administrated addresses right? Next thing up will be being called a hacker because I used a static IP on the network.
(Score: 2) by quacking duck on Tuesday September 01 2015, @03:08AM
Thinking it's in airplane mode isn't as useful as you think it is. Chances are the app will just throw up a "please disable airplane mode to continue using certain features" every time you run the app.... which can confuse the user if they previously denied the app network access.
Providing spoofed data to an app falls far outside the intended audience for Android, even given its more techie-friendly nature. I think there's utilities you can load from other sources that do this, but probably have to be run as root.
My take on spoofing is completely opposite yours. Apps deserve to get accurate info when they request it, or be told when they're explicitly denied it. Unless you're the developer of the app you're spoofing, any false info may as well be due to malware.
Incidentally, iOS doesn't even allow apps to get the IMEI, the closest they get is the identifierForVendor (different for every developer, so no point sharing with ad trackers) or advertisingIdentifier (can be reset by user anytime).
(Score: 2) by BasilBrush on Monday August 31 2015, @09:55PM
The iOS approach is that the app should do the right thing, and keep on functioning as best as it can given the lack of a permission. The curated nature of the app store means that apps live up to this.
Hurrah! Quoting works now!
(Score: 2) by PartTimeZombie on Tuesday September 01 2015, @02:53AM
It has a micro SD card slot and removable battery, so I can see me using this phone for the next several years, as the battery likely to be the first thing to go, and a replacement will cost me about $25.
The SD card slot gives me expandable storage, and as Samsung are woeful in supplying updates, I'll need to install a custom ROM on it at some stage if I want a current OS, but that's no problem.
I suspect there are a lot of people like me, reasonably happy with what they have, which after all can send and receive phone calls and texts no problem. The next generation of smart phones might be a bit harder to sell.
(Score: 0) by Anonymous Coward on Tuesday September 01 2015, @03:46AM
my note 2 has been repurposed to a "media player".
i got a miniusb-2-HDMI dongle and installed kodi on it.
it's decoding the 8 GB mkv blue navii featuring film just fine to my 1080p screen.
It's got no more connection to the wider internet because rooting (OWNING!) your phone seems to turn the device
from a sneaky-phone-home-spyrobot into a device that voids the warranty and thus isn't eligible to updates anymore...f#ckers!
one wonders why samsung et al. don't just provide a image file like others that can be uploaded via usb to
update (even a rooted/owned) devices for the not-so-wolly-sheep crowd?
the gifted-to-me samsung tablet has the same problem. it's owned by me and thus gets no more updates and it has become a
power-sipping bit-torrent client. at least it has half-way up-2-date kitkat ...
(Score: 2) by bart9h on Tuesday September 01 2015, @04:38PM
I'm using CM 12.1, which is based on Android 5.1.1 for some months now, and the new granular permission control works great.