Google nixes app-security management console in Android

If you're one of the proud few who just upgraded your smartphone to Android 4.4.2 and you're wondering what happened to the handy App Ops feature that showed up in 4.3, you're not alone. If you haven't yet upgraded to 4.4.2, read on -- you might have second thoughts.

Mixed in with the welter of features in Android 4.3 was a new feature entitled App Ops, which let you toggle the specific permissions used by a given app. If you didn't like a given app using your location, for instance, you could selectively revoke that permission. Trouble was, App Ops was hard to find -- so hard, in fact, that you had to install a third-party tool like App Ops Launcher to get access to it.

Then came the 4.4.2 upgrade, and suddenly, App Ops settings weren't available anymore.

When the Electronic Frontier Foundation reached out to Google to find out what had happened, Google replied "the feature had only ever been released by accident -- that it was experimental, and that it could break some of the apps policed by it." The EFF was dismayed since "the fact that [users] cannot turn off app permissions is a Stygian hole in the Android security model," and insisted that App Ops be restored and polished even more.

When Android Police looked into the 4.4.2 fixes, it also noted that App Ops had been made "even more difficult to reach" and quoted a conversation in a Google+ thread between user Danny Holyoake and Dianna Hackborn of Google.

Hackborn claimed: "That UI is (and it should be quite clear) not an end user UI. It was there for development purposes. It wasn't intended to be available. The architecture is used for a growing number of things, but it is not intended to be exposed as a big low-level UI of a big bunch of undifferentiated knobs you can twiddle." She did note that app permissions can be cleared and reset wholesale via the "Reset app preferences" option (Settings | Apps | context menu | Reset app preferences).

Many other commenters in the same thread pointed out that while the original intention of the App Ops menu was for the sake of Android developers, many users have since picked up on it -- and failing a return of App Opps itself, it would be good to have some way of getting the same kind of control back even if only via a third-party app. Hackborn did hint at such possibilities in the future.

Some of that work already seems to be in the pipe thanks to Android's culture of third-party development. One of the third-party apps that enables access to App Ops -- named, appropriately enough, App Ops -- is "working on a fix" to bring its features back to Android 4.4.2. Other solutions, like XPrivacy and Xposed, also work, but require root access on the phone -- not something available to all Android users.

Permissions and security on Android have long been a subject of concerned discussion. Back in 2012, PC World'd Ed Oswald pointed out how any Android app can access to a whole plethora of potentially sensitive information without permissions. Some of those behaviors are arguably no worse than what happens on a conventional PC -- such as being able to read files on external storage -- but since phones make increasingly appealing (and convenient) exploitation targets, all this worry is highly justified.