Why do mobile apps have fine-grained permissions while desktop apps don't?

Question

Androids apps use fine-grained permissions for security reasons, iOS apps (afaik) do it as well. Windows 8.1 applications don't have a permission schema like that, all Linux versions which I have tried so far don't have it either and I guess Mac OS X also doesn't have it, right?

Why are these fine-grained permissions considered necessary on a mobile device, but not on a desktop system? Do users trust apps on a mobile device less than on a desktop system?

Will Windows 10 or newer Linux and Mac OS versions have them?

PS: it seems that some people consider this to be a possible duplicate to Why are apps for mobile devices more restrictive than for desktop? - but both questions differ at least in the point of view (developer/user). And if you read the answer, you will also see that most SO users consider both questions as beeing different :-)

Answer 1

There are two main reasons why smartphones have fine-grained permissions while desktop computers don't.

1. History. Mainframe operating systems have a tradition of giving permissions to the user rather than to the program, and this carried over into minicomputers/workstations/desktops; the desire to maintain compatibility with existing programs limits the ability to change things. Smartphones are a clean break with existing application ecosystems, so the opportunity existed to change the permissions model.

2. Smartphones are far more homogeneous than desktops, and generally don't change their hardware configuration over time. This makes setting up the permissions system far easier.

That said, there are fine-grained permission systems for desktop operating systems. Linux, for example, has AppArmor, SELinux, Bitfrost, and probably others.

Answer 2

For technical reasons it is not possible to tell which permissions an application needs until it tries to use them, which means that an application needs some way to declare this. Applications on desktop operating systems never did this. When the user starts a legacy application, you could only assume that it needs everything (training the user to accepting long lists of capabilities without second thought) or ask with a popup the moment the application needs it (which could break some applications which can't deal with the sudden interruption). Both solutions are bad, so introducing such a mechanism would break backwards compatibility with older software.

Windows 7 sort of tried to improve the situation by allowing newer applications to declare they won't do certain potentially evil things and add the "Do you want [program] to make changes to your computer" prompt when starting an older program which doesn't as well as preventing some even more potentially evil things unless the program is run as administrator.

UNIX and UNIXoid operating systems like Linux allow to restrict rights of programs with their file permission and ownership system. Hardware devices are abstracted as files too, and can be owned by a certain group. So you can restrict capabilities of programs by running each program with a different user and adding the user to those groups which own the hardware device "files" the program requires. This is of course not a very user-friendly solution because it requires a lot of configuration.

When smartphone operating systems were developed, there were no legacy applications the developers had to ensure compatibility for, so they hat the chance to make everything right from the start.

Another reason is that smartphones have the potential to be far more privacy-infringing than desktop computers. A smartphone has a GPS sensor, a microphone, a camera and a permanent internet connection and most users do most of their private and business communication through them. All of that wouldn't be that bad when people wouldn't have these devices on or near their person at all times whereever they go. Smartphones simply are the perfect spying tools. When you get a smartphone under control, you gain perfect 24/7 surveillance of the user and their surrounding. And all you would need to do to get access to this tool is tricking the user into installing your fart sound app.

Answer 3

There are at least two significant reasons why mobile operating systems have fine-grained permissions for apps, while desktop operating systems don't:

1. History. Desktop operating systems date back several decades, when the primary threat model was different, and consequently have mechanisms designed to deal with that (now-largely-obsolete) threat model.

   Desktop operating systems are an evolution of mainframe operating systems. On mainframes, the main concern was multi-user security: the operating system needed to ensure that one user could not attack another user. Thus, desktop operating systems generally built around a multi-user security model, that tries to isolate users from each other and ensure that one user cannot attack other users on the same machine.

   However, today most machines are single-user machines, and the primary threat is not other users but rather malicious attack from other sites or data on the Internet. Thus, mobile operating systems are designed to address this modern threat model. They are designed to make it easy and safe to download and run an app made by some untrusted developer; the existing mechanisms (app sandboxes, permission systems, app stores, app reviews) help make this generally pretty safe. Thus, the mobile operating systems focus on protecting you from malicious/sketchy apps and isolate apps from each other, rather than isolating users from each other.

   This explains a large part of why mobile operating systems have fine-grained permissions while desktop operating systems don't: fine-grained permissions are more helpful at dealing with the modern threat model (protecting users from malicious/dodgy apps) than the old mainframe threat model (protecting users from each other).

   If we were to design desktop operating systems from scratch today, it's plausible that they might look much more like modern mobile operating systems, with a focus on an app model, an app threat model instead of a multi-user threat model, and so forth. However, due to legacy constraints, it's not easy for desktop operating systems to shift to this new approach: users expect existing desktop applications to work, so operating systems can't just block them. In contrast, when Apple and Google introduced iOS and Android, those were new operating systems with no legacy base; there weren't any existing apps they had to be compatible with, so they could change the programming model in fundamental ways that desktop OS's can't easily do.

2. Different user base, different tradeoffs, different threats. Smartphones are a mass-market device. They have to work for everyone. On a desktop, installing a sketchy app can leave your desktop performing poorly, leave your desktop cluttered with spyware, and render the system slow or unstable. On desktops, if you don't know what you're doing, you can really screw up the reliability and performance of your computer. It would be unacceptable if your phone worked like that -- so Apple and Google worked hard to design an operating system to ensure that installing a bad app couldn't do that. This imposes different tradeoffs and different design goals, and naturally leads to a more locked-down platform and enables some designs that might be considered acceptable on a desktop.

   Also, smartphones have a broad variety of sensors that can capture a lot of your life (e.g., record conversations, track your location, etc.), and your phone is with you throughout the day, so there's arguably more opportunity for some bad privacy breaches. This is another motivation for a stronger security model.

That said, modern desktop operating systems are starting to slowly adopt some of these ideas from app-centric mobile operating systems. For instance:

• Mac OS X supports sandboxed applications, which makes applications look a lot more like a mobile app. Application on the Mac App Store are generally sandboxed. The operating system provides a fine-grained permission model, and the application must declare the permissions (entitlements) it needs.

• Windows 8 supports sandboxed applications, with a security model that looks a lot like that of a mobile app. In particular, Windows Store apps run in a sandbox and must declare what permissions they want. Users can view what permissions an app has.

Incidentally, you might notice that the mobile app security model loosely resembles the security model for the web: the web is also based on isolating sites from each other, so one evil web site cannot attack another site. If you think of a mobile app as analogous to a web site, mobile app sandboxing now looks analogous to browser same-origin policies. Historically, web apps were much more limited in what they could do, but with HTML5, this is changing. Browsers are starting to enable web services to have broader powers (read from sensors, read and write files on your filesystem, etc.), and are starting to implement permission systems to control access to these resources, much like mobile operating systems do. Thus, you can view this as browsers borrowing some ideas from mobile operating systems.

Some other reading that might interest you:

• See Alternatives to the "open PC" security model for other security models, beyond the app model and the "open PC" model.

• See Same-origin policy for desktop application? for discussion of the desktop operating system model, and some instances where finer-grained permissions have been grafted onto standard desktop operating systems.

Answer 4

As a comparison point, take a look at firewall options on a smartphone vs a desktop OS - I think you will find that the desktop has much more fine-grained firewall options (excluding root firewall apps on android), allowing you to specify which executable has access to communications on which ports and on what networks, whereas it's nearly impossible to block internet access to a phone app (since they all want ads of some sort via internet to make money it seems)

Look at muting an application - how easy is it to mute a single application in windows vs on a mobile device - can you specifically mute all sounds? easy to do in both - but what about program/app X? or can you adjust the volume of program Y such that it's half that of program X? I would say the desktop has more fine-grained access here

PC's also have more advanced monitoring options - you can go and see exactly which process is accessing which files at any given time, look at the individual threads for each process, run them through an anti-virus (sandboxed?), which while technically possible on a mobile phone is much less practical, and the phone-based AV's aren't quite as good as their desktop counterparts.

I think the overall reason is that a phone isn't really "yours" until you root it/gain admin access, whereas on a PC, that's the norm - as such, the phones want to compensate by making you "feel" empowered, even though you really aren't, whereas the PC can get you virtually anything you want if you simply configure it as such (run untrusted apps in a VM, sandboxie, etc.)

There also seems to be some usage differences, where on a phone just about every app wants access to your contacts, your location, etc. - on a PC, very few (if any) will ask to "sync" contacts across different apps, or even bookmarks - it's usually a 1-time "migrate settings" if anything - the apps are all very self-contained, as opposed to each app relying heavily on the system and other apps to do stuff for them (how many apps function in android without Google play services? what about on windows without service X running)? Look at media players - most desktop media players are self-contained in that they have their own codecs, whereas it's virtually impossible to find a media player that has its own codecs and does not rely on the system's codecs (and thus inherit its flaws) on mobile.

Answer 5

It's actually only Windows that doesn't have that. (Except appstore apps). On OS X you have to give permission before things like contacts can be accessed or if an application wants to do filesystem changes to anything outside the user's container.

For Linux there are things like AppArmor an SELinux, but on most unices, bsd's an linuxes the normal filesystem permission model makes it impissible for normal user programs to make changes outside of the user's home anyway.

While windows has UAC now, it's pretty useless as almost all apps need complete filesystem access to run. (Except media consumption apps)

Answer 6

Desktop apps are expected to do far more than mobile apps, so its much harder to give them fine grained permissions. In particular, desktop apps often communicate with each other, while mobile apps are usually very very very sandboxed to avoid such communication. If you allow interapplication communication, the fine grained privileges available are those of the app, plus whatever it can convince other apps to do for it (including using exploits to do said convincing). With the right exploits, these privileges can be virtually unrelated to the privileges the user clicked OK for.

In that environment, fine grained privileges don't offer as much as we'd like, and they are costly to put into a system. Accordingly desktop OSs rarely support it.