You're blaming the wrong people - assuming those are good and valid features (an...

scott_karana · on Oct 24, 2014

Apps can seemingly call external ones: for example, Google Authenticator hands QR code reading off to Barcode Reader, and thus doesn't require the permission for itself.

Having a PayPal "Till" app to augment the main one for microphone/QR users would be ideal, and not violate the permissions.

So there is some blame, though I agree: Android's permission model being fixed is more important.

oliwarner · on Oct 24, 2014

I completely agree. This needs to be fixed in Android...

But I still find it annoying that I can't install the Paypal app without giving them a free wiretap in return. In my eyes, bloating an application out to a state where it needs all this stuff is almost as harmful because it puts users in situations where they're handing this access out without thinking.

Edit: I've pushed a pretty major edit to the post to give a bit more focus to Android but also to point out that Paypal could be a lot more responsible too. They could (for example) farm out all the privileged code to plugins and package them as separate apps. It's more of a pain for some users, less invasive for others.

e40 · on Oct 24, 2014

I completely agree. This needs to be fixed in Android...

This is the primary reason I root my Android device and why I buy Nexus devices (I don't do Android development). XPrivacy and other apps allow you to revoke permissions individually, which is what Google should have baked into Android itself, without the need to root.

dwild · on Oct 24, 2014

It was once supported in Android to do that but it was an masked feature. They quickly realized that most apps weren't made with fail over in place and they would simply crash so they removed it completely.

It's sad that they took that decision but what's done is done...