Apple announced that a future version of iOS will require user permission for Contacts access.1 I had previously suggested a dialog box similar to the permission dialog for location access, but a lot of people resisted that idea, saying that there are too many iOS permission dialogs already:
- Push notifications
- Twitter account (new in iOS 5)
If an app wants access to all of these, it usually barrages users with a stack of dialogs on its first launch. The barrage-of-dialogs approach, like Windows Vista’s security warnings, isn’t great: users get overwhelmed or annoyed and just start carelessly dismissing all of them without reading them.
The Android approach is different: apps display a list of the permissions they need on their Market pages, and then don’t prompt upon access. The idea is to allow people to decide whether they’re OK with an app’s access before installing it. This also has downsides:
- People may not see or understand the permissions in the Market listings. Or they may just ignore them, since they’re too fine-grained and mostly irrelevant.
- People may forget what permissions an app uses after they install it, so they may not realize what the app is accessing while it’s in use.
- People may refuse to install an app because of a permission it lists, even if that permission is for an optional feature and the app would work perfectly well without it.
That last one would definitely hit me. If all permissions were listed in the App Store, Instapaper’s customers would be wondering why it “needs” location (optional automatic dark mode based on sunset times) or contacts access (optional email-in contact addition, optional find-friends feature). They might refuse to buy the app because they think it needs these features to work, when in reality they’re minor features that most customers will never use. Already, “Top In-App Purchases” has probably cost me some potential customers since they think the app is constantly going to be asking for more money (optional subscription, which I had to offer via IAP to get server-side search in the app).2
Neither iOS’ barrage of dialogs nor Android’s huge list of permissions in the Marketplace is a great solution.
Dialogs can be done well in many cases, avoiding the barrage. They’re only shown when the app requests access to the protected resources, and only the first time. Conscientious developers can usually avoid showing multiple dialogs in a row by only showing them when the data is needed — for instance, I don’t ask for location access unless (and until) a customer selects the automatic-dark-mode setting.3
Careful users can also make better decisions about whether to allow access when they’re prompted on demand. If I asked most careful people if Instapaper could have their location, they’d refuse, because there’s no obvious good reason. But if the app asks right when they enable a location-based setting from a screen that shows why it’s asking for their location, they can make a more educated decision. Similarly, if an app doesn’t seem to have a good reason when it asks for Contacts, a skeptical person can decline.
I like Rene Ritchie’s mockup of an app permissions sheet, which would consolidate these permissions into one panel in Settings for each app. (I believe Android already does this.) But since most people won’t know about it, I don’t think such a sheet can replace the dialogs — it can simply make the after-the-fact settings nicer.
Ultimately, I think Apple’s current implementation of dialogs on first access, then settings to revoke later, is the better, more understandable, less annoying solution with fewer negative side effects for users and developers. They just need to add another dialog and setting for Contacts access, and that’s probably exactly what they’ll do in iOS 6.
Some other local data, such as Calendar entries and your synced media library, is also available to apps today without asking the user for permission. I’d be fine if those required a dialog, too. But I’d argue that Contacts are more important to be kept secure, and as we’ve seen, more likely to be abused by unscrupulous or careless developers. ↩
At least Apple stopped requiring all apps that could access web pages to be rated 17+ for mature themes, profanity, nudity, sex, and drug use. I got a lot of emails from concerned customers about that. ↩
I also stop requesting location data once the device has given me the fastest, largest, least granular location (with an accuracy of within approximately 3 kilometers) because, since this is only used to calculate sunset times, I don’t need it to be any more accurate. ↩