26

Seriously, it specifically states that it can use the camera and audio recording any time it wants, whether or not I wish it to. Why is Chrome on Android requesting those permissions?

Should I be concerned?

[image]

(Emphasis my own.)

Robusto
  • 5
    Compared to all the other stuff Google already knows about you, it is like being concerned about a particular lava current while being inside a volcano. But, if I were you, I would just root my phone and install something like Permissions Denied or Pdroid. – Cerberus Apr 05 '13 at 16:36
  • 2
    That doesn't sound like a good question for a stackexchange site. If you don't trust the company/software then don't use it. There are plenty of good and open source alternative browsers for Android. Otherwise you just have to trust that they don't mess around with their permissions. I think that Chrome is requesting the A/V permissions because of recent changes regarding Chrome and webRTC. – Flow Apr 05 '13 at 16:37
  • @Flow: OK, thought you were editing for style. Feel free to revert to yours. – Robusto Apr 05 '13 at 16:54
  • I thought the edit message was pretty clear :( – Flow Apr 05 '13 at 16:56
  • Hah, like I read edit messages. :) – Robusto Apr 05 '13 at 16:56
  • 6
    The lesson here is: Good developers include information about why their app is requesting the permissions it is. – ale Apr 05 '13 at 17:55

1 Answer

25

The Chrome page in the app store says this about the new permissions:

This version requests two new permissions, Camera and Modify Audio Settings, to support WebRTC, an experimental feature under development.

WebRTC itself is designed to expose your camera and mic to the browser, so that web-apps can implement video-conferencing and other multimedia solutions in-browser.

The WebRTC people have at least nominally considered the privacy implications, by adding an info-bar to Chrome: [image]

Chrome on Windows is said to have access to your camera and mic. So if you use Chrome on Windows (and soon Firefox too) then you are implicitly trusting the vendor of those programs to not take pictures of you when you don't authorize it. The same is true for Android. One hopes that they don't introduce security flaws that allow unauthorized access to the camera/mic by malicious websites.

As to what you can do about it, on a rooted phone you can uninstall Chrome or install a permissions-control app that denies permissions to installed apps. You can switch to a different browser that doesn't support WebRTC. Otherwise you're stuck with what Android provides. If you decide that you trust Microsoft or Apple more than Google, you can switch. Or maybe you trust an open-source Android variant like CyanogenMod. For myself I consider the fact that Google already has a bunch of apps on my phone which have access to my camera and mic, so if Google wanted to spy on me they already can. Heck, they could build that right into the OS and just not tell anyone.

Google Apps that can access the camera/mic:

Not to mention the camera app which is built-in to the phone.

Edit: The question was updated with a screenshot of what the phone shows when you are prompted to update the app. Unfortunately at this time there doesn't seem to be a way for app developers to document why they need particular permissions, except in external sources. For example, this Chrome update states why it needs the permission in the "What's New" page. However, if you don't look there and just see the scary warning, you are left wondering what is going on. As an app developer I wish we could add help text to the permissions page to explain to the user why we need the permissions and how the privacy policy protects the user. Google could certainly make this more usable and less scary.
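One way to see exactly which permissions an update adds, as in the release note quoted above (an added example, not part of the original answer and not Chrome's own manifest): the sketch below diffs the `uses-permission` entries of two manifests and flags the capture-related ones. It assumes both manifests have already been decoded to text XML; the `com.example.browser` package and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# CAMERA and MODIFY_AUDIO_SETTINGS are the two permissions named in the
# release note; RECORD_AUDIO is the microphone permission.
CAPTURE_RELATED = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.MODIFY_AUDIO_SETTINGS",
}

def requested_permissions(manifest_xml):
    """Return the permission names requested by a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get("{%s}name" % ANDROID_NS)
            if name:
                names.add(name)
    return names

def diff_permissions(old_xml, new_xml):
    """Compare two manifest versions and report what the update changes."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "capture_related_added": sorted(added & CAPTURE_RELATED),
    }

# Constructed sample manifests for a hypothetical browser package.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browser" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browser" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in diff_permissions(OLD_MANIFEST, NEW_MANIFEST).items():
        print(key, value)
```
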

  • I don't really count the stock camera as a "Google app" since it is included in the AOSP and I can verify (by looking at its source) that it isn't doing anything malicious, unlike the rest of these google apps. Anywhoo thanks for the great answer =). – FoamyGuy Apr 05 '13 at 18:53
  • @Tim you're assuming that the stock camera app's AOSP code corresponds to what is shipped. It might be the case for Nexus devices, I suppose. Actually other phones are known to have modified camera apps and if they're spying on you it's probably for Samsung, Sony, et al. :) – Mr. Shiny and New 安宇 Apr 05 '13 at 19:07
  • right but at that point then it is also no longer a Google App, because it is Sony app, or Samsung app. – FoamyGuy Apr 05 '13 at 19:25
  • 3
    Great answer. I don't know why Android apps can't be a bit more dynamic in their permissions... WebRTC appears to be an extra (optional) feature that not everyone will use. Why can't permissions be requested at the time that extra feature is first activated, with perhaps just an advisory notice when the app is installed that more permissions are required in order to make full use of the app? I'm not an app developer, but I guess "it doesn't work like that"...? – MrWhite Apr 06 '13 at 00:09
  • 2
    @w3d: Agreed. The question is, why are permissions forced upon you: why aren't we allowed to grant or deny permissions as we see fit? The logic "take it or leave it" is severely flawed. That's what 19th-century factories said to their workers. An ethical company, and organisations founded to protect consumers, are supposed to act against this. – Cerberus Apr 06 '13 at 03:31
  • 2
    @Mr.ShinyandNew安宇 One thing is missing from your otherwise OK answer: in all practicality, the problem is not so much that Google will spy on you, but rather that the browser is far more vulnerable to outside abuse than the other applications! Websites abuse vulnerabilities of browsers all the time. The camera application does not access tons of external websites on the Internet. Nor do any of those other applications. No, this is truly bad. Luckily, the risk can be lowered by just not using Chrome. The stock browser is better anyway, since it has Quick Controls and Flash. – Cerberus Apr 06 '13 at 03:34
  • 2
    @Cerberus: Slight snag, on later Nexus devices Chrome is the stock browser. – MrWhite Apr 06 '13 at 10:45
  • @w3d: Right, well, but we still indicate the old browser as "the stock browser" for lack of a better name, don't we? Even if it does not come pre-installed on the Nexus 4 any more. At any rate, you can still use a different browser and make it the default for everything. – Cerberus Apr 06 '13 at 15:43
  • 2
    @Cerberus I did mention that I hoped that they didn't introduce any security flaws in the browser. Anyway I'm fairly sure that they will make the user interface for webrtc similar to the one for web geo location, where the browser requests permission before activating the camera. It shouldn't be too hard. – Mr. Shiny and New 安宇 Apr 07 '13 at 03:01
  • @Mr.ShinyandNew: I suppose that would be the best solution in the current situation...still, the user should be able to set permission per application. Make it an advanced, secret, rooted function if you're so scared of ignorant users doing it by mistake (there is really no excuse for not including it, none at all). – Cerberus Apr 07 '13 at 06:07
  • 1
    The idea about permissions on Android is that they can be distributed between different Manifests (apk's), which then can communicate between each other via IPC (Intents/Binder/...). Every apk can provide a given functionality with the permission(s) it has been granted. The user is then free to install a component of the app or not, which comes down to accepting a certain permission and getting the features the permission makes possible. But this approach is not very common with app developers. – Flow Apr 07 '13 at 15:15
  • @flow I wonder how well putting the web rtc functionality into a separate app would work for chrome. Sure, in principle apps can cooperate to share data but this typically involves leaving one app to invoke the other. So, for example, if chrome just wants to allow photo uploads it can defer to the camera app via an intent. But to do in-page video conferencing using JavaScript? I doubt that would work. – Mr. Shiny and New 安宇 Apr 08 '13 at 11:23
  • Android has a very efficient mechanism, called Binder, for IPC. But you are right, Intents are not suitable for such a job. – Flow Apr 08 '13 at 15:48
  • +1 for the description about webRTC. I just want to add about permissions (Dev POV) that they are to help the users, not the developers. Devs would love dynamic permissions. But it'll open many security loopholes. Static permission tells the user what access the app can ever have in its lifetime, unless it gets updated with new permissions. So I'd extremely oppose any dynamic permission feature. – noob May 04 '13 at 23:48