EFF criticizes Google for removing ‘vital privacy feature’ with Android 4.4.2

The Android 4.4.2 update that began to roll out Monday to Google’s Nexus devices removed a feature that gave users fine-grained control over app permissions, prompting criticism from the Electronic Frontier Foundation.

The removed feature was called App Ops and was introduced in Android 4.3. It provided an interface from where users could withdraw permissions they gave apps when installing them. Traditionally, Android users have had to choose between giving an app all permissions it requests or not use it.

The granular permission control provided by App Ops is something that privacy advocates have long requested, since many apps ask for more permissions than they need to provide their main functionality.

In part this is because a lot of apps, especially free ones, bundle advertising libraries that provide a revenue stream for developers. Often the excessive permissions requested by such apps come from those ad libraries.

Last week, Goldenshores Technologies, the developer of a popular flashlight app for Android, settled U.S. Federal Trade Commission charges that it shared users’ geolocation information with advertising networks without properly notifying users. The company agreed to disclose to users how it collects, uses and shares geolocation information and obtain consent from them before doing so.

While present inside Android 4.3, the App Ops interface has never been directly accessible to users, but it was easy to gain access to it by installing third-party applications like Permission Manager or AppOps Launcher from Google Play.

In a blog post Wednesday, the Electronic Frontier Foundation, a digital rights watchdog, called App Ops an “awesome” feature and a “huge advance in Android privacy.” However, the organization’s enthusiasm was short lived, as some users later pointed out that Google removed the feature in Android 4.4.2.

“Today, we installed that update to our test device, and can confirm that the App Ops privacy feature that we were excited about yesterday is in fact now gone,” Peter Eckersley, EFF’s director of technology projects, said Thursday in a separate blog post.

“The disappearance of App Ops is alarming news for Android users,” Eckersley said. “The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people’s data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago.”

According to Eckersley, when contacted by the EFF, Google said the feature wasn’t supposed to be released to begin with because it was experimental and its use could break some apps.

The EFF feels this explanation is suspicious and believes that Google should have worked to improve it rather than remove it. The problem of apps breaking down when not given access to information like location data, the address book or the phone’s IMEI (equipment identifier) number, could be solved by supplying those apps with dummy data when the corresponding permission is removed, Eckersley said.

Google declined to comment.

The company reportedly tried to block access to App Ops before, with the initial release of Android 4.4 KitKat, but developers figured out how to enable it again.

EFF urged Google to re-enable the App Ops interface and improve it. The interface should be properly integrated into the Settings interface, Android users should be able to disable all collection of trackable identifiers with a single switch and should have a way to disable an app’s network access entirely, Eckersley said.

“There are numerous ways to make App Ops work for developers,” he said. “Pick one, and deploy it.”

Android 4.4.2 also patches two denial-of-service issues, including one involving class 0 (Flash SMS) messages that was disclosed at a security conference at the beginning on December. Bogdan Alecu, the mobile security researcher who found the Flash SMS vulnerability, confirmed Friday that it was fixed in the new Android version.

Users are now in a difficult situation because they will have to choose between updating to the new version which removes the App Ops privacy feature or not updating and leaving their devices vulnerable, Eckersley said.