And it DID request more than that. The thing is that these wannabes like to paint themselves as "security experts", so they conceal facts and tell the story to the masses of non-techie users and scare them. Then, they sell a bogus security app.
If a wallpaper app requests access to your contacts and millions of users install it anyways, that is a flaw in Android's security model. After a while you become conditioned to just hitting Install without even looking at the permissions being requested. Just because users are lazy or even stupid is not an excuse for leaving them vulnerable.
I agree it's a flaw. I do think it is better than iOS but it is still a huge problem. It is one of simultaneously too much and too little granularity. If you provide too much granularity it overwhelms users, while if you provide too little it forces people to approve too wide a scope.
For example, the music app I just installed wants access to the phone state and identity. At first I baulked and said WTF does a music app need that for? And of course, the answer is it wants to make the music quieter / pause when a call comes in. But to do that it needs access to the identity of my phone because that seems to be lumped into the same bucket as the "state" of my phone. It also needs internet access because it wants to download album art. So these completely innocuous features also mean it could be tracking my location and reporting it to the web. How do I tell an evil app from a good one? I don't know - all I do is read the comments.
I think Android needs to make the model richer while also streamlining certain sets of permissions into standard profiles that people can understand. For example, the set of minimal permissions to support ads in an app should be simply presented as "to present location based ads", not a set of 5 permissions that overwhelm people. This should in turn be honed by Google into a minimal set of permissions internally so that an app that just wants to present ads can't actually track me and report my location to arbitrary web sites.
I hope Google is thinking about this stuff. I think it's in a reasonable state at the moment if it is just on a development curve. If this is how Google thinks it should stay then it is not enough and is going to become a serious problem.
User testing has shown, over and over again, that users do not read pop-up boxes. Why would anyone expect security warnings would be any different than error messages? MS dialed down granularity from Vista to 7 and the UAC is still a joke.
What's needed is something different. I don't know what that thing is, but pop-up boxes are not it.
My pet theory atm is "services". When an app installs, it can register as knowing what to do with certain data. Say, GPS coordinates or contacts.
If a user wants their wallpaper to have access to that data, they'll open their GPS, or contacts app and explicitly allow the behavior.
That way, an app only has access to those data sources if the user explicitly sets out to grant it to them. If it's a conscious multi-step process, it should be pretty hard for people to accidentally grant a wallpaper access to all their personal data.
And given the competitiveness of mobile app stores, I doubt any app would survive that sits functionless and nagging until the user explicitly grants it a half-dozen permissions. So they'd quickly end up asking for less, or at least delivering as much as they can with as little as they're given.
I know "services" hardly goes all the way. But my point remains that no level of granularity will make the pop-up approach 'work'.
That is not a flaw in Android's security model. That is a flaw in the user.
If a salesman approached your door and said "I will own your first born child, and your boat, if you sign this contract to get a 90% discount on a time share in Bermuda" and then several people agreed, just because they didn't listen to the first part of the sentence, whose fault is this? The salesman or the 'victim'? It's the victim's fault, because he DIDN'T LISTEN, and AGREED ANYWAY.
Any lawyer (or layman for that matter) will tell you that if someone signs a contract they DON'T READ, they're still required to uphold it.
When you are installing an application and it asks you to AGREE to the application doing X, Y, Z and you say 'OK' then YOU are responsible.
No Pavlovian behaviorist hogwash is going to convince me otherwise.