Friday, November 25, 2011

Better Permissions in Android

During my time at UIQ, Symbian introduced a capabilities-based security architecture.  It's analogous to the permissions in Android.

I’m a very big fan of the pattern.

The problem was we imagined our UI getting more and more integrated.  To illustrate, it was imagined that everywhere you had a phone number it would automatically resolve the contact and give dialing buttons and such in the UI.  I don’t mean just that phone numbers are underlined and launchable; I mean that we’d look in your address book, recognise it, and show the person’s name and online status and such.  Maybe even a map of where that person is.  And so on.

From a platform perspective this meant we wanted standard UI components that did this, rather than duplicating the code in each place it was shown and so on.

And from a security perspective, it was worrying that all apps would pretty much need all permissions.

The solution I came up with was called Content Embedding Framework (CEF) and it built on my Content Rendering Framework (CRF).  A host application would place a placeholder widget in its UI and the actual drawing of this widget would be done by the serving application.  This is like XEmbed in the X Window System.  (And like RemoteViews in Android, people have pointed out to me.)  We took care to make sure that (apart from screen-scraping - we never did close that vulnerability on Symbian) the host application could not actually see what was getting drawn.  And we did it all by intercepting the draw commands as issued by the serving application and replaying them whenever the host drew them.

This wasn’t just for putting contacts information into apps without contacts permissions; we also envisaged using it to sandbox HTML content in apps that displayed it (we used to be irritated that the MMS viewer was running a full copy of Opera, and the risks we imagined that carried), and also as a widget system for home-screens and such.  We had ‘live icons’ where the application icons were drawn by the applications.

Oh so sad that it was part of the pile of code that never shipped on a phone.  It got as far as the factories though.

This XEmbed approach would work nicely for Android too.

Pretty much every app asks for Internet and other permissions.  Why?  Because they have ads :(

Imagine that there was an ad showing service running and applications just put placeholders where the ads can be in their UI and the platform takes care of it…

Imagine all those use-cases for integrating contacts and social stuff into games without actually giving the games any of the info…

Of course Android needs a working packaging system so that your app can say that it depends upon, say, AdMob (because Google wouldn’t actually put that in the platform, would they?) so everyone isn’t embedding their own copy of the libraries.  This is orthogonal to content-embedding, but at the same time think of the synergy…
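To make the record-and-replay mechanism above concrete, here is a small model of it covering both the contacts case and the ad-service case.  This is an added illustration, not code from the post, from Symbian/UIQ, or from Android; every name in it (Platform, Placeholder, RecordingCanvas, the contacts and ad services, the sample address book and the permission strings) is constructed for the example.  The serving app draws into a recording canvas, the trusted platform keeps the recorded display list keyed by an opaque token, and the host app only ever holds that token and a position.  The platform replays the commands into the framebuffer at composition time, so the host's own canvas never contains the embedded content, and a token is only honoured for the host that requested it.

```python
"""Toy content-embedding framework: record draw commands in the serving app,
replay them in a trusted compositor.  Constructed example; not Symbian/Android code."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class DrawText:
    x: int
    y: int
    text: str


@dataclass(frozen=True)
class DrawRect:
    x: int
    y: int
    w: int
    h: int
    colour: str


class RecordingCanvas:
    """Canvas handed to an app: it records commands instead of painting pixels."""
    def __init__(self):
        self.commands = []

    def text(self, x, y, s):
        self.commands.append(DrawText(x, y, s))

    def rect(self, x, y, w, h, colour):
        self.commands.append(DrawRect(x, y, w, h, colour))


@dataclass(frozen=True)
class Placeholder:
    """All the host app puts in its UI: an opaque token plus where to draw it."""
    token: str
    x: int
    y: int


class Platform:
    """Trusted broker: owns the recorded display lists and the permission table.
    Hosts receive tokens, never the display list itself."""
    def __init__(self):
        self._services = {}   # service name -> render function
        self._perms = {}      # app name -> set of permission strings (constructed)
        self._lists = {}      # token -> (requesting host, recorded commands)

    def grant(self, app, *perms):
        self._perms.setdefault(app, set()).update(perms)

    def has(self, app, perm):
        return perm in self._perms.get(app, set())

    def register_service(self, name, render_fn):
        self._services[name] = render_fn

    def request_embed(self, host, service, arg):
        """Host asks `service` to render `arg`; the service runs with its own
        permissions and the host gets back only an unguessable token."""
        canvas = RecordingCanvas()
        self._services[service](self, canvas, arg)
        token = secrets.token_hex(8)
        self._lists[token] = (host, canvas.commands)
        return token

    def compose(self, host, host_commands, placeholders):
        """Replay each placeholder's recorded commands, offset to its position,
        into the framebuffer that the compositor (not the host) owns."""
        framebuffer = list(host_commands)
        for p in placeholders:
            owner, commands = self._lists[p.token]
            if owner != host:  # a token is only valid for the app that requested it
                raise PermissionError(f"{host} may not replay a token owned by {owner}")
            for c in commands:
                if isinstance(c, DrawText):
                    framebuffer.append(DrawText(c.x + p.x, c.y + p.y, c.text))
                else:
                    framebuffer.append(DrawRect(c.x + p.x, c.y + p.y, c.w, c.h, c.colour))
        return framebuffer


CONTACTS = {"+15550100": "Alice Example"}  # constructed sample address book


def contacts_widget(platform, canvas, number):
    """Serving app with READ_CONTACTS: resolves the number and draws the contact."""
    assert platform.has("contacts", "READ_CONTACTS")
    name = CONTACTS.get(number, "Unknown")
    canvas.rect(0, 0, 120, 20, "grey")
    canvas.text(2, 14, f"{name} [dial]")


def ad_widget(platform, canvas, slot):
    """Serving app with INTERNET: the only process that needs the network."""
    assert platform.has("adservice", "INTERNET")
    canvas.rect(0, 0, 320, 50, "white")
    canvas.text(4, 30, f"ad slot {slot} (fetched by the ad service)")


def texts(commands):
    return [c.text for c in commands if isinstance(c, DrawText)]


def run_game():
    """A game with neither READ_CONTACTS nor INTERNET embeds a contact and an ad.
    Returns (what the game's own canvas holds, what the compositor painted)."""
    platform = Platform()
    platform.grant("contacts", "READ_CONTACTS")
    platform.grant("adservice", "INTERNET")
    platform.register_service("contacts", contacts_widget)
    platform.register_service("ads", ad_widget)
    assert not platform.has("game", "READ_CONTACTS") and not platform.has("game", "INTERNET")

    host = RecordingCanvas()
    host.text(10, 20, "High scores")
    friend = platform.request_embed("game", "contacts", "+15550100")
    banner = platform.request_embed("game", "ads", "top")
    placeholders = [Placeholder(friend, 10, 40), Placeholder(banner, 0, 200)]
    framebuffer = platform.compose("game", host.commands, placeholders)
    return host.commands, framebuffer


def token_misuse_rejected():
    """Another app that learns a token still cannot have it replayed for itself."""
    platform = Platform()
    platform.grant("contacts", "READ_CONTACTS")
    platform.register_service("contacts", contacts_widget)
    token = platform.request_embed("game", "contacts", "+15550100")
    try:
        platform.compose("other_app", [], [Placeholder(token, 0, 0)])
    except PermissionError:
        return True
    return False
```

In `run_game` the framebuffer is returned only so the effect can be inspected; in the real design the compositor keeps it, and the host sees nothing but its placeholders.  That framebuffer is exactly what the screen-scraping caveat in the post is about: the isolation holds at the display-list level, but any app that can read back the final screen still sees the composed pixels.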

Notes

  1. williamedwardscoder posted this