  1. eldnar's Avatar
    Member

    Posts
    6 Posts
    Global Posts
    8 Global Posts
       #1  
    Hi all,

    I just got my HTC 8X set up. I was eager to download some of the apps, and was shocked at what I have to give up in order to use the vast majority of WP8 Apps. I'm considering going back to my old phone simply because WP8 seems to have incredible privacy overreaches with its Apps. Thus far it appears to be the most insecure of any modern phone OS (in regards to apps). Can someone please explain a couple of things to a newbie? I'm newer to the WP8 platform, so there might be a rhyme and/or reason for these things.

    1) Why does Flashlight X require video and still capture and the ability to playback media to simply turn on a rear flash?

    2) Why does Flixster and Fandango need to access my photos, music, and video in order to tell me what time a movie starts?

    3) Why does Amazon Mobile and NewEgg need to access my photo, music, and video libraries in order to show me what they have for sale?

    4) Why does NetFlix need to access my photos, music, and videos in order to play videos?

    5) Why does "RapDialer" need to access my photo, music, and video libraries in order to make outgoing phone calls faster?

    Why do I need to give them access to my private vacation photos, videos and music, as if the applications will not work without it. It's like going to Amazon.com via a web browser on your desktop and they say, "Oh sorry, to use Amazon, you need to let us scan your C drive first". I don't understand this.

    Thanks for your time.
  2. Slai's Avatar
    Member

    Posts
    557 Posts
    #2  
    1) Why does Flashlight X require video and still capture and the ability to playback media to simply turn on a rear flash?
    Perhaps because the video and still capture use the flash? No idea about the media, could be because the flashlight has a sound effect?

    2) Why does Flixster and Fandango need to access my photos, music, and video in order to tell me what time a movie starts?
    Because it also lets you view media, perhaps? Might be that photos/music/video is baked into one thing, so if you need access to video you get access to the entire package.

    3) Why does Amazon Mobile and NewEgg need to access my photo, music, and video libraries in order to show me what they have for sale?
    Same thing as above, I'd guess.

    4) Why does NetFlix need to access my photos, music, and videos in order to play videos?
    And same.

    5) Why does "RapDialer" need to access my photo, music, and video libraries in order to make outgoing phone calls faster?
    No idea, does it have anything to do with audio at all?
  3. #3  
    I wouldn't worry. You're only giving the apps permission to use those pieces of functionality on your phone, allowing you to upload or download content.

    Most of us blindly click Allow and just get on with using the apps.
  4. VoordeR's Avatar
    Member

    Posts
    2 Posts
    #4  
    I saw this too when I checked out some of the apps I would like to install when I finally get my Lumia 920.

    For example:
    Angry Birds: photo, music, and video libraries. Why the **** is this necessary for a game!?

    Just a simple flashlight app which is the most downloaded in the store:

    • phone identity
    • owner identity
    • video and still capture
    • photo, music, and video libraries
    • microphone
    • data services
    • movement and directional sensor
    • camera
    • compass
    • WVGA (480x800)
    • media playback
    • HD720P (720x1280)
    • WXGA (768x1280)


    And if you say this isn't that big of a deal, Angry Birds and this simple flashlight app can look at all of your pictures and videos taken. That's insane!


    These are just 2 examples, almost every top app in the market has these kinds of insane permissions. I am on Android now, and I can safely say that apps do not have these permissions there.
  5. Slai's Avatar
    Member

    Posts
    557 Posts
    #5  
    Angry Birds: photo, music, and video libraries. Why the **** is this necessary for a game!?
    Again, might have to do with the fact that Angry Birds plays music, etc. Something about if you're playing music on your phone then launching the game, the game sounds will be muted. Something like that.

    Not really a huge "OMG WTF U NEED PIC 4!?", it's more like "oh yeah, sure, that makes sense".

    Just because an app needs different reqs on different OSes, doesn't mean it's malicious.
  6. caret's Avatar
    Member

    Posts
    12 Posts
    #6  
    I felt like you when I first started using my phone (it's Windows 7.5, but same philosophy). Some of the requests you listed are totally expected - how can an app play videos if it can't access your videos? Some functionality is lumped together, too - there isn't really a distinction between videos, pictures and music, it should probably just be called 'local media'.

    Saying that, some apps seem like they're taking the proverbial when they ask for access to certain things. They are almost certainly poorly developed (apps are so easy to throw together for Windows Phone), but when considering that some of them are published by big names, you begin to wonder. I'm not going to call out certain companies, but I do know that many online retailers use neural networks in order to process your data and target products at you. They would almost certainly be interested in your music library so they could cross-sell - whether or not it is happening from your phone's storage, I'd be doubtful. I'm sure given the opportunity to access that library, they'd take it (whether it is practical to use or not). They already know lots about you by processing digital purchases and trading that information between each other.

    The biggest security problem on the phone is others' information, in my humble opinion. People who don't even have a computer, such as my grandma, have their personal information stored in the 'cloud' if someone adds them to their Windows Phone. If you're serious about protecting information, I'd start by protecting this sensitive information that others have no control over, but should. There is an app on the Marketplace called My People which gives you the ability to store contact information for people on your local phone, not on Microsoft's servers.

    And if you ever need to do a John McAfee, remember to turn the phone off
  7. VoordeR's Avatar
    Member

    Posts
    2 Posts
    #7  
    It is when it is a commercial company that is driven by making money on advertising.

    This is what it says:
    How can I tell if an app has specific hardware or software requirements? | Windows Phone How-to (United States)

    Photo, music, and video libraries: Allows an app to access all photos, music, and videos on your phone.

    So just because they perhaps want to simply mute my music when I play a game, this commercial company can look into ALL my photos and vids on the device!

    That's just insane. And I know you are a fan of Windows Phone, but that doesn't mean you can't have critique.
    Why doesn't Microsoft make a standalone permission where they can only shut down my music or calls or whatever without unlimited permissions to my personal vids and pictures!
  8. Slai's Avatar
    Member

    Posts
    557 Posts
    #8  
    No, I just don't care if they have access to my music and videos. I don't get what POSSIBLE harm could that do me. So I don't care.
  9. BokiV's Avatar
    Member

    Posts
    27 Posts
    #9  
    Same here, a lot of apps are free, so if they need my data to make money..sure..., and even if not, I just don't care..
  10. conanheath's Avatar
    Member

    Posts
    450 Posts
    Global Posts
    580 Global Posts
    #10  
    Quote Originally Posted by BokiV View Post
    Same here, a lot of apps are free, so if they need my data to make money..sure..., and even if not, I just don't care..
    +1. I don't know why everybody thinks the permissions are such a big deal. If you think there are people looking at your personal content, you're wrong. Your information is out there. If somebody wanted to, they could find it and use it without your permission. But nobody cares about your family pictures. You're not that important. If some software somewhere analyses my content they won't find anything of interest. It's for advertising purposes. Advertising is a way of life. You can't get away from it. If some program wants to check my info and send advertising that actually pertains to my life, so be it. I would rather have customized advertising than just random crap sent to me that I could care less about. And somebody made a comment about Android apps are better in this aspect. Google started this trend.
  11. #11  
    One word - APIs.
  12. SaucePolicy's Avatar
    Member

    Posts
    82 Posts
    #12  
    For Amazon and Newegg, it probably has something to do with their barcode scanning that's built into the app's search. They need to access the camera. Nothing to worry about.

    For flashlight, why don't you just use HTC's flashlight app. It's pretty nice.
  13. paulm187's Avatar
    Member

    Posts
    273 Posts
    #13  
    Check this thread, may answer some of your questions

    App Permissions List and what they mean
  14. brmiller1976's Avatar
    Member

    Posts
    2,092 Posts
    Global Posts
    2,578 Global Posts
    #14  
    OP makes a good point about trust.

    Too many well-known developers (Facebook, Path, Google, Apple) have violated users' trust in the past. The low-trust environment is directly a result of stories like Path downloading and holding onto all your contacts (without your permission) or Apple tracking your movements and storing them in a non-secure file on your phone that can be downloaded and accessed.

    Don't even get me started about Carrier IQ.

    This is something that needs to be addressed by a nonprofit trade group -- auditing apps, OSes, and phones for privacy certification.
  15. Fleon's Avatar
    Member

    Posts
    171 Posts
    #15  
    Not sure why the OP says "Thus far it appears to be the most insecure of any modern phone OS (in regards to apps)" when Android lets apps get to these things without even asking... and iOS has issues like this:
    http://www.theregister.co.uk/2012/10/17/itrack/
    Latest iPhone hacked to blab all your secrets • The Register

    Not saying I am disagreeing that a lot of apps seem to need weird permissions, but insecure OS? Hardly.
  16. paulm187's Avatar
    Member

    Posts
    273 Posts
    #16  
    In Windows 8 you can manage these app permissions for metro apps by turning them off or on. Perhaps Windows Phone could benefit from something like this.
  17. brmiller1976's Avatar
    Member

    Posts
    2,092 Posts
    Global Posts
    2,578 Global Posts
    #17  
    Fleon also makes a good point. A friend of mine had his Twitter account start sending all of those annoying "Hey, someone is saying nasty things about you at this link" malware e-mails. He changed the password but the e-mails were still going out.

    We finally isolated it to a free game on his Android device that never asked for permission, but was accessing his Twitter account without his permission (via Android shared services) and also converted his phone into a spam hub that was sending out spam e-mails using his data connection.

    THAT is "insecure." And it will never happen on Windows Phone.
  18. zedmartinez's Avatar
    Member

    Posts
    31 Posts
    #18  
    A lot of apps require access to the media hubs to save images or interact with them at all. As the ability to save images (like wallpapers) is pretty common in WP since it encourages media-richness, this will be common. Pretty sure apps also need those permissions to integrate into those hubs, so, from the Music & Videos hub you can open the app since that movie you were watching got you thinking, that sort of thing.

    The Flashlight one is more interesting. There's no actual API to allow direct access to the flash, except through the camera. So, for the flashlight to work, it basically tells the phone it's a camera, turns the flash on, then doesn't actually capture any video stream. I remember reading about the dev end of things back when that came out. A weird but clever workaround, is what that is.
  19. #19  
    As a developer, I think I can speak directly to this issue. Depending on which services are being requested, it can be many things. Sometimes locations are requested because of the advertisements - to give the advertisers locations will give more directed ads, and the developers will be paid a higher rate (measured in "cents per thousand impressions"). Sometimes the media is needed for sounds in a game, the camera is needed for bar code reading, or if the app is one where you can take a picture, or even to modify a photo (Pictures Lab, etc.). Sometimes the phone identity is used in order to track statistics (I have done this, just to get how many unique users of my apps) - without phone identity, you don't know if a repeat instance of your app is the same user using the app again, or a different user. Sometimes User identity (or is it Owner Identity? - I don't remember exactly) is used for reasons of tracking purchases - say for instance you have subscription content or something, maybe you had in-app purchase, or maybe you're participating in something where your identity does matter. These are all valid reasons to use these services.

    Now that we've covered valid, let me also say this... When you create a project in Windows Phone, the WMappManifest.xml file, which is where all of the capabilities are enabled/listed, by default, has all of the capabilities enabled. So, if a developer is lazy, forgetful, or doesn't know he needs to remove the unneeded capabilities from this file, then when they submit it to the store, it will list these capabilities, whether they are used or not.

    My personal opinion is that if the capabilities are checked, but not used, either the app should fail certification, or perhaps Visual Studio should automatically uncheck the unused capabilities during the final build so that they are unchecked. The reason for this, to me, is because with the knowledge that this is happening out there, it diminishes the value of having the capabilities listed and the value of asking permission prior to allowing the app to install. Since I know this happens, when I look at a game or app that I know can't possibly need these capabilities, I figure that this must be the case - lazy, or forgetful, or uninformed programming. So I end up allowing the app. But the problem with that, is that just when we get into that habit, that's when it will bite us. That's when the note-taking app that doesn't do anything in the background will be the one that ends up running in the background, tracking our location, and sending it home to the server every step we take. Or whatever the case may be. No system is perfect, and it is the social engineering that is the weakest.

    In Windows Phone 8, the capabilities listed in WMappManifest.xml are:
    Appointments
    Contacts
    Gamer Services
    Device Identity
    User Identity
    Camera
    Location
    Media Library
    Microphone
    Networking
    Phone Dialer
    Push Notifications
    Sensors
    Web Browser Component

    So, if you see an app that lists ALL of those capabilities (though it will be worded in a more user-friendly way), odds are it was lazy, forgetful, or uninformed programming, and not that it's actually using all of them. If something's missing from that list, I'd wonder, because the developer was in the file, and obviously removed something, so why not the rest of what wasn't needed?

    For WP7 apps that were recompiled for WP8, the list could be different. If it is an app created (or updated) for or after Mango, the list can be the same as above. But if it is an older game or app that wasn't updated to the Mango (WP 7.5) update (Fruit Ninja, for instance), then the list of capabilities would be shorter:

    GAMER SERVICES
    IDENTITY DEVICE
    IDENTITY USER
    LOCATION
    MEDIA LIB
    MICROPHONE
    NETWORKING
    PHONE DIALER
    PUSH NOTIFICATION
    SENSORS
    WEB BROWSER COMPONENT
    - Rich


  20. Daniel Ratcliffe's Avatar
    Retired Moderator

    Posts
    2,816 Posts
    Global Posts
    4,472 Global Posts
    #20  
    Quote Originally Posted by hopmedic View Post
    Now that we've covered valid, let me also say this... When you create a project in Windows Phone, the WMappManifest.xml file, which is where all of the capabilities are enabled/listed, by default, has all of the capabilities enabled. So, if a developer is lazy, forgetful, or doesn't know he needs to remove the unneeded capabilities from this file, then when they submit it to the store, it will list these capabilities, whether they are used or not.

    My personal opinion is that if the capabilities are checked, but not used, either the app should fail certification, or perhaps Visual Studio should automatically uncheck the unused capabilities during the final build so that they are unchecked. The reason for this, to me, is because with the knowledge that this is happening out there, it diminishes the value of having the capabilities listed and the value of asking permission prior to allowing the app to install. Since I know this happens, when I look at a game or app that I know can't possibly need these capabilities, I figure that this must be the case - lazy, or forgetful, or uninformed programming. So I end up allowing the app. But the problem with that, is that just when we get into that habit, that's when it will bite us. That's when the note-taking app that doesn't do anything in the background will be the one that ends up running in the background, tracking our location, and sending it home to the server every step we take. Or whatever the case may be. No system is perfect, and it is the social engineering that is the weakest.
    Thank you! I wasn't aware that that is where the permissions were. As I'm hoping to develop a radio app for a specific station, I'll be able to use this for the services I want. Data, check. Media, check. Phone identity, maybe (depends whether or not I want to track statistics of the app). Gamer services, no. etc, etc. This has truly opened my eyes!

    "Fortune cookie said: 'Outlook not so good'. I said: 'Sure, but Microsoft ships it anyway'."
  21. palandri's Avatar
    Retired Moderator

    Posts
    6,903 Posts
    Global Posts
    9,033 Global Posts
    #21  
    Quote Originally Posted by brmiller1976 View Post
    ...Don't even get me started about Carrier IQ...
    LOL!
  22. SoloXCRacer's Avatar
    Member

    Posts
    219 Posts
    Global Posts
    224 Global Posts
    #22  
    I was going to post something similar, but hopmedic beat me to it. He nailed it.

    Quote Originally Posted by hopmedic View Post
    As a developer, I think I can speak directly to this issue. Depending on which services are being requested, it can be many things. Sometimes locations are requested because of the advertisements - to give the advertisers locations will give more directed ads, and the developers will be paid a higher rate (measured in "cents per thousand impressions"). Sometimes the media is needed for sounds in a game, the camera is needed for bar code reading, or if the app is one where you can take a picture, or even to modify a photo (Pictures Lab, etc.). Sometimes the phone identity is used in order to track statistics (I have done this, just to get how many unique users of my apps) - without phone identity, you don't know if a repeat instance of your app is the same user using the app again, or a different user. Sometimes User identity (or is it Owner Identity? - I don't remember exactly) is used for reasons of tracking purchases - say for instance you have subscription content or something, maybe you had in-app purchase, or maybe you're participating in something where your identity does matter. These are all valid reasons to use these services.

    Now that we've covered valid, let me also say this... When you create a project in Windows Phone, the WMappManifest.xml file, which is where all of the capabilities are enabled/listed, by default, has all of the capabilities enabled. So, if a developer is lazy, forgetful, or doesn't know he needs to remove the unneeded capabilities from this file, then when they submit it to the store, it will list these capabilities, whether they are used or not.

    My personal opinion is that if the capabilities are checked, but not used, either the app should fail certification, or perhaps Visual Studio should automatically uncheck the unused capabilities during the final build so that they are unchecked. The reason for this, to me, is because with the knowledge that this is happening out there, it diminishes the value of having the capabilities listed and the value of asking permission prior to allowing the app to install. Since I know this happens, when I look at a game or app that I know can't possibly need these capabilities, I figure that this must be the case - lazy, or forgetful, or uninformed programming. So I end up allowing the app. But the problem with that, is that just when we get into that habit, that's when it will bite us. That's when the note-taking app that doesn't do anything in the background will be the one that ends up running in the background, tracking our location, and sending it home to the server every step we take. Or whatever the case may be. No system is perfect, and it is the social engineering that is the weakest.

    In Windows Phone 8, the capabilities listed in WMappManifest.xml are:
    Appointments
    Contacts
    Gamer Services
    Device Identity
    User Identity
    Camera
    Location
    Media Library
    Microphone
    Networking
    Phone Dialer
    Push Notifications
    Sensors
    Web Browser Component

    So, if you see an app that lists ALL of those capabilities (though it will be worded in a more user-friendly way), odds are it was lazy, forgetful, or uninformed programming, and not that it's actually using all of them. If something's missing from that list, I'd wonder, because the developer was in the file, and obviously removed something, so why not the rest of what wasn't needed?

    For WP7 apps that were recompiled for WP8, the list could be different. If it is an app created (or updated) for or after Mango, the list can be the same as above. But if it is an older game or app that wasn't updated to the Mango (WP 7.5) update (Fruit Ninja, for instance), then the list of capabilities would be shorter:

    GAMER SERVICES
    IDENTITY DEVICE
    IDENTITY USER
    LOCATION
    MEDIA LIB
    MICROPHONE
    NETWORKING
    PHONE DIALER
    PUSH NOTIFICATION
    SENSORS
    WEB BROWSER COMPONENT
  23. #23  
    - Rich
  24. MikeInBA's Avatar
    Member

    Posts
    70 Posts
    #24  
    Quote Originally Posted by hopmedic View Post
    Now that we've covered valid, let me also say this... When you create a project in Windows Phone, the WMappManifest.xml file, which is where all of the capabilities are enabled/listed, by default, has all of the capabilities enabled. So, if a developer is lazy, forgetful, or doesn't know he needs to remove the unneeded capabilities from this file, then when they submit it to the store, it will list these capabilities, whether they are used or not.
    This is the most likely culprit. PhoneGap does the same (at least the last build I dl-ed), and you have to manually edit the manifest to remove what you don't use. I haven't used VS2012 yet, so I wonder if tools such as ReSharper or CodeRush will notify you like they do of unused variables/namespaces.
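
    The manifest check discussed in posts #19 and #24, as an added example (not code from any poster or from Microsoft's tooling): it reads the capabilities declared in a WMAppManifest.xml, compares them with the set the developer says the app needs, and flags a manifest that still carries the whole default list. The ID_CAP_* names are assumed spellings of the shorter pre-Mango list quoted in the thread, and the sample manifests and the radio app's needs are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed ID_CAP_* spellings of the shorter pre-Mango capability list quoted
# in the thread (GAMER SERVICES ... WEB BROWSER COMPONENT).
TEMPLATE_DEFAULTS = frozenset({
    "ID_CAP_GAMERSERVICES", "ID_CAP_IDENTITY_DEVICE", "ID_CAP_IDENTITY_USER",
    "ID_CAP_LOCATION", "ID_CAP_MEDIALIB", "ID_CAP_MICROPHONE",
    "ID_CAP_NETWORKING", "ID_CAP_PHONEDIALER", "ID_CAP_PUSH_NOTIFICATION",
    "ID_CAP_SENSORS", "ID_CAP_WEBBROWSERCOMPONENT",
})

# Hypothetical needs of the radio app mentioned in post #20: data and media.
RADIO_NEEDS = frozenset({"ID_CAP_NETWORKING", "ID_CAP_MEDIALIB"})

# Namespace used in the constructed samples; the parser below ignores it.
NS = "http://schemas.microsoft.com/windowsphone/2009/deployment"


def make_manifest(active, commented_out=()):
    """Build a constructed, trimmed-down manifest for the demo."""
    lines = ['      <Capability Name="%s" />' % n for n in sorted(active)]
    lines += ['      <!-- <Capability Name="%s" /> -->' % n
              for n in sorted(commented_out)]
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            '<Deployment xmlns="%s" AppPlatformVersion="7.1">\n'
            '  <App Title="ConstructedSample">\n'
            '    <Capabilities>\n%s\n    </Capabilities>\n'
            '  </App>\n</Deployment>\n') % (NS, "\n".join(lines))


def declared_capabilities(manifest_xml):
    """Return the set of active Capability names in the manifest.

    Capabilities a developer commented out are XML comments, which the
    parser drops, so they are correctly treated as not declared.
    """
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter():
        # Strip any "{namespace}" prefix so WP7 and WP8 manifests both work.
        if elem.tag.rsplit("}", 1)[-1] == "Capability":
            name = (elem.get("Name") or "").strip()
            if name:
                names.add(name)
    return names


def audit(manifest_xml, needed):
    """Compare declared capabilities with the ones the app actually needs."""
    declared = declared_capabilities(manifest_xml)
    needed = set(needed)
    return {
        "declared": sorted(declared),
        "unneeded": sorted(declared - needed),   # shown to users for nothing
        "missing": sorted(needed - declared),    # app would fail at runtime
        # Every default still present: the template was probably never edited.
        "template_untouched": TEMPLATE_DEFAULTS <= declared,
    }


if __name__ == "__main__":
    samples = {
        "template left as-is": make_manifest(TEMPLATE_DEFAULTS),
        "trimmed by hand": make_manifest(RADIO_NEEDS,
                                         TEMPLATE_DEFAULTS - RADIO_NEEDS),
    }
    for label, xml_text in samples.items():
        report = audit(xml_text, RADIO_NEEDS)
        print(label)
        print("  template untouched:", report["template_untouched"])
        print("  unneeded:", ", ".join(report["unneeded"]) or "none")
```
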
  25. manicottiK's Avatar
    Member

    Posts
    459 Posts
    #25  
    As another developer, let me share with you what we did with our app to inspire user understanding and confidence in the list of seemingly broad permissions that our app uses. As background, our app accesses lots of personal data for students, faculty, and staff from almost a dozen university information systems. We support Android, BlackBerry, iOS, webOS and WP using native design styles and no porting. (The webOS app was pulled after HP killed the platform.)

    To assuage users, we added a privacy page to the app that described, in plain language, the permissions needed for specific functions. This seems to have helped (people stopped asking about our permissions needs). Still, there has to be a trust between the user and the developer for the user to believe that the dev is doing only what's described.

    If anyone has questions on this, private message me rather than further hijacking this thread. Below is the privacy statement built in to our app.

    how we exploit your phone, not you

    DrexelOne Mobile takes advantage of many services that your phone offers. Find out how it uses those services while protecting your privacy.

    location services: GPS and cell tower location information is used to show your location on campus maps and to compute walking distances and times to shuttle bus stops. Location information is never transmitted to Drexel.

    picture, music, and video library: Holds pictures for custom page backgrounds and used to submit photos to Candid Campus.

    phone identity: Provides make, model and other information about your phone for crash reports (to help debugging) and gets a unique ID for your phone so that we can count downloads without double-counting reinstalls. Your user-id and device ID are linked and sent to Drexel when push notification is turned on so that we can know which updates to send to which phone.

    data services: The data that the app shows comes from Drexel's servers and some outside service providers; the phone uses the network to access those servers. Heavy cellular use of Candid Campus, News+Events, and Athletics (which all contain images) will consume more of your data plan.

    push notification services: Used to set up notification for grades and holds and for sending live tiles. When turned on, your accent color and a unique identifier for your phone are sent to Drexel so that we can compose the right tile and notification information for you.

    Camera: Lets users take photos for custom page backgrounds and to submit to Candid Campus. The only images ever transmitted are the ones that you submit to Candid Campus.