Monday, February 28, 2011

Quote Of The Day: Design

Great design does not come from great processes; it comes from great designers.

-- Fred Brooks, Interview to Wired Magazine

Saturday, February 26, 2011

The Weather Channel: Who Do You Think You Are?

Let's take a brief look at permissions The Weather Channel application requests.
  • Services that cost you money: Send SMS messages - Who is the application going to send SMS messages to?
  • Services that cost you money: Directly call phone numbers - What numbers is it going to call?
  • Your location: Coarse (network-based) location - All right, I understand it wants to know where I am to tell me what the weather is.
  • Your location: Fine (GPS) location - Why does it want my exact location? Oh, I see, to show me ads. Thanks, but no thanks, you guys can easily do the same using just coarse GPS location.
  • Your personal information: Add or modify calendar events and send email to guests - What? Excuse me? Why would Weather Channel want to intrude into my calendar, and, worse, send emails to guests?
  • Your personal information: Read calendar events - This one even seems benign in light of the previous one, but still - why?
  • Storage: Modify/delete USB storage contents, modify/delete SD card contents - Again - why? I can guess that it wants to cache data, but surely not as much that it requires special permissions to USB storage and SD card?
Note that the detailed explanation of why these permissions are required is not available from the developer (at least as of the moment of writing).

Summary

The Weather Channel application requests unreasonably wide permissions with no justification to do so. If you value your privacy, you should never install it, or uninstall it right away if you did install it in the past (when permission set was more reasonable) and forgot to check permissions as updates were coming.

Corollary

The Weather Channel is not the only application abusing permissions. Android core development team must come up with a way for the end user to selectively deny permissions requested by an application, so the end user doesn't fall prey to sloppy or malicious applications. There is some progress, but the definite answer from Google is not available - I wonder if there is a collusion between Google and big players in Android Market, just like there seems to be one with YouTube upload manipulation.