As an Android user, not developer, I wanted to ask how are permissions on Android these days.

Is "internet access" permission just granted for any app by default without asking the user?

There were initiatives (probably 3rd party) for more granular permissions, but I haven't noticed this becoming common. I vaguely remember that Android started asking for some individual permissions not upon installation, but only when they were first used by the app, e.g. camera access. Why is this not the case for internet access?

In a nutshell, how did permission granting in stock Android develop from say Android 3.x times?

I understand that some keyboards want to provide suggestions using a dictionary they download online. Also, I used to use SwiftKey once which wanted to read all my mail to produce better suggestions. Is there even a good way to balance the benefits (features) and risks (uploading a key log if the app is sold/abandoned and taken over by an attacker)?

> Is "internet access" permission just granted for any app by default without asking the user?

IIRC it was changed because people complained that a lot of apps required that permission despite the functionality not needing it. E.g. calculator app or whatever. Turns out that you need this permission if you want to display ads. So Google just sided with the advertisers and removed the permission from the display. Generally, I believe that Google likes internet connected things because they as a company have better tools to capture online revenue streams vs offline ones.

Even if I hate ads and I think one should be able to ban them forever on their devices, Android could just add an "Internet access" permission that only counts for Internet access required outside the Ads API, so they would keep their ads and users could be a bit safer on the "this app is snooping my data" side.

That would only work if they open up the Ads API to work with any ad network. Otherwise it would basically kill any competition in the Android Ad space, which would probably lead to EU and US regulators coming down hard on Google.

They could instead expand the permission system to group various ad api's so that each api is considered a distinct permission. Honestly would be good to do that in addition (i.e. separate from) the general internet permission.

I agree that it would be nice to separate the privileges if it were possible.

I suspect that allowing internet access even in the form of ads opens the possibility for data exfiltration in principle. But I'm not familiar with the Android case at all.

It allows for expensive, obvious data exfiltration. (Expensive in the sense that somebody else could take the data, unless you're the highest bidder for those categories – assuming Google Ads still shows ads with a bid of 0, which I'm not confident in.)

> outside the Ads API

Presumably these Ad APIs would be for access to Google Ads. That would seem like an anti-trust issue.

Could you imagine the complaining for treating different ad libraries differently?

A good solution to this is using iptables to control what has access to which networks, rather than relying on the OS. AFWall+ is a nice front end for iptables and requires root. Netguard is another option that doesn't require root, but I'm not sure how that one works.

Certain permissions (internet is one example) are granted when the app is installed, other permissions (e.g. access to photos) require the user to give access through a dialog prompt (and from Android 10(?) the user will be asked again every so often, rather than just once).

All permissions an app can use are listed in the manifest file, and are displayed on Google Play.

I know I "shouldn't" but I use Google Keyboard. It is really compelling and has legitimate use cases for a network connection with the built in GIF search.