A Paranoid's Guide to the Android Marketplace


As Android users, we are given the curse of knowledge.  Each application we buy in the marketplace (now Google Play) tells us in exactly which ways the app will be snooping on us.  Unfortunately there is neither a justification for these violations nor usually any more granular information about the intrusion than "Monitor All Phone Calls" or something equally opaque.

I think that other mobile OSes might not be as explicit about what permissions an application has, likely because the apps are screened as opposed to the wild west Android market.  Perhaps most users ignore these permissions and blithely accept that they have no privacy anyway and thus aren't that concerned about what further damage is being done.  I thought it might be useful to go over a standard application from the more suspicious perspective so that developers can understand what they are up against when they request these permissions and maybe why I have stopped updating at least half of my apps.

So I'll pick the Facebook application which is admittedly a bit more permissive than a run of the mill application simply because of the amount of coordination and communication it does.  I'll list the different permissions, then my paranoid mind's worst misuse case for them, and finally what they might actually be doing with my information.

  1. Your location - fine GPS location
    • Paranoid: Where to begin?  I'm allowing Facebook to know where I am at all times.  Not just when I'm posting something to provide a search context, but all the time, even when I'm not using the app.  Facebook can know whether I visited the STD clinic, a political rally, when I'm usually away from home, and how much I like to eat Taco Bell.  They could assemble that data into traffic maps and sell that data to the highest bidder or really just all the bidders.
    • Reality: The only location aware thing the app does that I am aware of is their version of check-in.
  2. Your personal information - read contact data, write contact data
    • Paranoid: So Facebook has an extensive social graph of me already, but now they have access to data I haven't specifically given them.  Is my old girlfriend in my contacts list?  Is some old work contact of mine going to see me suddenly show up in their suggested friends list?  Really, should Facebook be seeing that at all?
    • Reality: So I really don't know why Facebook needs access to my contacts.  It doesn't seem to link them up in the contacts view, and I don't see any integration with the app.  I assume this is to enable the initial scan if you choose to do it?
  3. Network communication - Allows the application to accept cloud to device messages from application's service, full Internet access
    • Paranoid: Facebook can do anything related to the internet (which I assume in this case means just any TCP/IP traffic).  Anything.  Facebook could be downloading additional content, using a keylogger, anything that it has access to could be pumped back to their servers wholesale.  This would be a particularly thorny one to try to restrict, but it's also pretty insidious.
    • Reality: Probably mostly just sending you status updates so you can see when your friend posted a funny picture of cat, right?
  4. Your accounts - act as an account authenicator, manage the accounts list
    • Paranoid: The description on this is poor.  It could mean that Facebook is logging you into your other apps.  It could be proxying your access and doing all sorts of malicious things.  Heck it could even be removing your Google+ account.
    • Reality: Probably logs you into Facebook app based on your android credentials
  5. Storage - modify/delete SD card contents
    • Paranoid: Yes, please read everything on my phone.  Would you use the Facebook website if you had to allow it to read the hard drive on your PC?  Your Quicken files?  Your website cookies and browsing history?  Your passwords?  Are there any limits to this file system access?
    • Reality: Probably runs a cache of images and video on your SD card, or maybe it needs it to upload photos you took?  I actually have no idea why it would need this access if the app is running on the system storage.
  6. Phone calls - read phone state and identity
    • Paranoid: Facebook doesn't make phone calls and doesn't log phone calls.  What is this all about?  Must be spying on your phone calls to add more payload to your social graph.  All the more information to sell to third parties.
    • Reality: Probably just doesn't want to send you a notification while you are on the phone?  Needs to not update if the phone is asleep?
  7. System tools - prevent phone from sleeping, write sync settings
    • Paranoid: If I've set the phone to go to sleep on inactivity, Facebook should comply with my settings, why are they trying to second guess me?
    • Reality: Stop the screen from blanking out when you are playing a video maybe?

So there you have it: a peek into the mind of a paranoid user.  Now would these permissions be a lot easier to accept if they said something more akin to what is in the "Reality" statement?  I think so.  You really have to give far too much trust to an application when you run it on your smartphone.  Other operating systems might hide this from you, but in reality your rights are probably far more compromised than you think they are.

Now mutliply this problem times the 40-100 apps you want to run and you have the difficulty involved with being an Android user.  And multiply that times another 30% of the apps that seem to want to "upgrade" their permissions by requesting more access when they release a new version.  It's really pretty scary and a real waste of my time to try to sort out what is legit and what is not.  We need a better system.

Taddeini's Law

I was talking with my friend Andre Taddeini recently about the state of the industry and he made an interesting observation that the amount of bad code being written might be increasing in proportion to the demand for programmers. I thought it was interesting enough to talk about here.

The reasoning is that, as the demand for programmers goes up, the aggregate quality of developers goes down because the supply of capable programmers is somewhat upwardly inflexible due to the amount of effort that goes into being expert. Since the supply of expert developers can't keep up with a rapid increase in demand, the expected quality of a hire is necessarily lowered. As the overall quality of programmers is lowered in this fashion, the corresponding code that is written should lower in quality as well.

There is an implied relation between experience and quality, but it could be equally true that the acceptable quality of inexperienced developers would also lower simply through demand. Either way, I accept that experience doesn't necessitate skill, I'm only talking in the aggregate. The other assumption present is that we are holding the quality of code constant over time. This might not be true if constant improvement in frameworks and tools lessen the need for programming skill.  There is certainly some truth to that assertion, but, by observation, the rate of tooling and framework support increases only offsets the increased expectations of application complexity. Another assumption present is that the demand for developers overall is roughly equivalent to the demand for expert developers.

So Taddeini's Law is

Q = E / D

Where Q is the quality of code produced, E is the population of experienced developers and D is the demand for experienced developers.

It's really a pretty trivial observation and I'm probably aggrandizing it by calling it a law, but I think it has some interesting implications for the state of our industry. If it's accepted as true, the implication is that the current increase in demand for developers is creating an influx of bad code for our industry to grapple with in years to come. Did the same thing happen during the dotcom boom? As inexpertly written code rots, will organizations be paying an increased "maintenance tax" in the future? Should larger organizations plan for this in some way?  And finally, is there something we can do lessen the impact of under-qualified people in the industry overall?

Find the evidence you want

I recent discovered a fascinating podcast called Hardcore History hosted by Dan Carlin.  While bouncing around through the backlogs, I came across an episode with historian and author Gwynne Dyer who had a bevy of interesting things to say, but one in particular struck me as being relevant to the software development process.

Mr. Dyer was talking about whether World War I had been inevitable.  Some people think that the events that led to the first World War were merely a pretense and that the war would have happened even if Archduke Ferdinand had not been assassinated, it just may have happened a year or two later.  I’m not going to compare software development to World War (although it’s a bit tempting sometimes, I just can’t trivialize a real actual war while I sit in a Herman Miller Aeron).  Instead I’ll say the thing that jumped out at me was instead his analysis of how historians analyzed that claim.

He said that historians looked back on the evidence and found the particular things they wanted to in order to support their claim.  This is, on the surface, a very simple statement, but the implications are far reaching.  In general, people look at the evidence and find ways to make it support the viewpoint they already hold.  Couple this with findings that throw into question whether facts actually help us change our minds and you should start to be worried.

Let me illustrate with a story from my development past:

Imagine a project that is in as much trouble as a project can be.  It’s overtime, over budget and the original scope has been shredded beyond recognition.  How did it get there?  What went wrong?  It depends who you ask.

The testers say there wasn’t enough testing.  The developers say there wasn’t good project planning.  The project managers say the developers went off course.  Management says people didn’t work hard enough.  Analysts say there wasn’t enough analysis done.

Who was right?

In this case, it doesn’t matter (it was me.) The important point is that everyone found the evidence that supported their particular viewpoint and anything else was ignored or rationalized away.  Would it have been possible to figure out where things really went wrong?  Probably if there was a frank discussion and analysis, but that is far harder to do and requires fighting our tendencies.

It seems so easy to spot this when other people do it, yet we seem blind to it from ourselves.  Can you challenge a conclusion you came to recently?

What's in a name?

Okay, just a quick note about the name.

At the risk of sounding more sophisticated than I really am, it comes from Plato's Theory of Forms as it relates to virtue ethics.  Now I don't really prescribe to it in its truest sense, but it's the idea that all things have a perfect form including us.  A circle can be  perfectly described mathematically, but no circle in existence is truly perfect - every single representation deviates from that perfect idea in some way.  In this same way, we all deviate from the perfect person that could be.  Now depending on your ideas on metaphysics and religion, you may or may not believe there really is some perfect you, but there is always a more perfect you in your imagination (unless you are a hopeless narcissist I guess).

So virtue ethics tells us to move towards that more perfect us by getting better at everything we do.  The same concept can be expressed as Continuous Improvement, or Kaizen, or sharpening the saw, but it's really all just about making ourselves better at what we do.  So with this blog, I'm hoping to capture the ways that I try to improve myself and the things I learn along the way.  

Plus, I couldn't call it Perfect Circle or I'd get traffic from people looking for the band :).  Well that and it sounds really pompous.

Starting a blog is so 2005

There was a time when it felt like everyone was starting a blog.  A virtually infinite sea of voices shouting into the ether; each individual too focused on what they had to say to notice that nobody was listening.  There are a lot of reasons not to start a blog, but I think I’m going to do it anyway and here are my counterpoints to the doubting voices that tell me not to:

1.  Nobody is going to read it anyway

Okay, yeah, so I don’t care about that one too much.  In many ways, I’m writing this for my own benefit.  It will help me organize my thoughts on a subject and also to serve the dual purpose of reminding me of a solution when I find it.  Oh, did I mention this was going to be a tech blog?  Mostly about my life as a software developer.  Writing down my learning will help me remember it in the future and give me a place to look it up if I don’t.

2.  You don’t have anything to add

Given the multitude of voices out there, it’s almost impossible to have a unique thought or experience, but every so often it happens and when it does I hope that I can put it down in a cohesive way.  If my thoughts are unoriginal, at least I can make them entertaining or reinforce the wisdom of others.

3.  You’ll just abandon it like everyone else does

There is a good chance of that really, but maybe it will stick.  And if it doesn’t, it will be a lasting (in internet years) piece of evidence that I am just as half-arsed as everyone else. :)

So, in short, strap in for a possibly short, possibly meaningless ride that nobody else is going to take.  Here we go!