While the advent of BlackBerry Messenger (BBM) being "given" to users on Google's Android and Apple's iOS operating systems last month was met with much enthusiasm, for some this was curbed by the many access permissions required, in particular on the Android platform.
Some Android users, who have been keen to download BBM since it was made available on the platform three weeks ago, have raised concerns about the list of 17 permissions they are required to grant before they can do so. They say, while some of these seem "perfectly reasonable" on the face of it, others have raised alarm bells - especially with the increasingly pertinent issue of security in mind.
However, BlackBerry has responded to user apprehension with an assurance that access permissions are standard practice - and users have nothing to be concerned about.
Earlier this week, BlackBerry said: "BBM puts control of sharing or accessing personal info into the users' hands. Asking for permissions before accessing device information is completely standard and not unexpected for any company that wants to protect its customers."
Visible protection
Asked for clarification on its earlier statement, the company said it all boils down to visibility. "The permissions work to protect the consumer by giving them visibility into what information and phone systems the application might be looking to access."
For example, says BlackBerry, BBM needs to access your GPS and network location (*no 3), because this allows features to work that let users share their location with others on their BBM contact list. Another example the company gives, is the request to access the phone's microphone/record audio (*no 4) - which would be used to send voice notes to a BBM contact a user is chatting with.
BlackBerry adds BBM permissions are common platform permissions, which are standard across the Android ecosystem and Google Play storefront. "Even the wording of the permissions is standard. Users will find themselves having to accept application permissions with any number of other applications - including other IM apps."
Another point the smartphone maker raises is that app permissions work differently for each platform. "The way the platform presents users with information about access to their data and the degree to which they have control over this, is based on the smartphone platform they use."
Android versus iOS
Expanding on BlackBerry's last point, app developer Ashley Ross says the way Android handles permissions is quite different from how Apple does things on the iOS platform.
In general, says Ross, apps are restricted to a subset of information Android apps could request - due to Apple's views on what exactly apps on its platform should and should not be able to do. "For example, accessing the phone's call log is blocked on iOS, while Android allows it under a certain permission, as this enables Android developers to create custom dialler apps. Apple's view is that there should only be a single dialler app - theirs."
He says Android's permissions system - on the other hand - is far more fine-grained, and covers everything Google's engineers thought an app might reasonably want to access; be it scanning for WiFi networks, connecting to the Internet, accessing contact information, or accessing the device's GPS.
"For example, there are separate permissions for reading data from your contacts versus writing data to your contacts, while iOS allows either - once the app has been granted permission to access contacts.
"The other major difference is that you are provided a list of all permissions an Android app might need at the time you install the app. This allows you to make a call as to whether or not an app is trustworthy. For example, why would Angry Birds need to be able to send SMSes? Are you sure you're not about to install a fake copy that sends SMSes to premium-rate numbers?"
The downside to Android's approach, says Ross, is that it is a case of all or nothing. "You can't select which permissions to approve and which to reject. Once approved and installed, an app can make use of any of its permissions at any time, but the benefit is that you know upfront what to expect from the app."
BBM on Android
When it comes to the BBM app on Android, Ross says the permissions mostly seem to be in order.
"Given that it's a messaging app, I would expect it would have access to my contacts, to automatically find other BBM users based on their phone numbers, and possibly store information on my contacts, such as their BBM number - so that the look-up can be skipped next time. This is all covered by the permissions detailed in item *11.
"I would also expect that it would need to know my own phone number, which is covered by the permission in item *9. Arranging parties and events through the app sounds like a nice feature, and I wouldn't want to manually e-mail invites to friends - so the permission in item *7 sounds reasonable."
Ross says the only permission that really seems out of place is for app information (*no 6). "I can think of no reason why a messaging app would need to know what other apps are running on my phone. I'm also not sure why it would need to be able to add and remove accounts and set passwords, as in items *8 and *17, as this refers to the system accounts on my phone, like the Google account I used to set up the phone when I first got it."
For freelance Android developer Toby Kurien, the permission for app information (*no 6) is also the only permission that really raises a flag. "There seems to be no valid reason why BBM would need access to this, unless they are trying to keep track of what apps people have installed on their devices."
On accessing personal information and sending e-mails to guests without the user's knowledge (*no 7), Kurien says, while the permission seems serious, it is merely a generic message that Android gives if any app tries to request permission to read from, or write to a user's calendar.
Reading a user's phone status and identity (*no 9), says Kurien, is merely needed to tell whether 3G is connected or not. "It does mean that BBM can read the IMEI and other device-identifying information. Of course, BBM would want that info to tell whether you moved devices or not."
Finally, on BBM being able to modify and read contacts (*no 11), he says BBM most likely allows users to save a contact send in an IM - and for that the app would need this permission. "It also means BBM can send your contact list to the BBM server."
Kurien says it should be noted that WhatsApp probably also needs all of the permissions BBM needs, maybe even more. Even Facebook, he notes, reads users' contact lists and uploads them to Facebook.
Mega list
* The list of device permissions Android users are requested to accept - in its entirety - before downloading BBM is as follows:
1. Your messages: Send SMS messages
2. Storage: Modify or delete the contents of your USB storage
3. Your location: Precise (GPS) location
4. Microphone: Record audio
5. Camera: Take pictures and videos
6. Your applications information: Retrieve running apps
7. Your personal information: Add or modify calendar events and send e-mails to guests without owners' knowledge, read calendar events plus confidential information
8. Your accounts: Add or remove accounts, create accounts and set passwords
9. Phone calls: Read phone status and identity
10. Network communication: Control near-field communication, full network access
11. Your social information: Modify your contacts, read your contacts
12. System tools: Test access to protected storage
13. Affects battery: Control vibration
14. Your applications information: run at start up
15. Wallpaper: Set wallpaper
16. Network communication: View WiFi connections, view network connections
17. Your accounts: Find accounts on the device
Share