OP is using an android phone.

Android's permission system also doesn't require apps to ask for permission before they access your phonebook - it requires you to give permission to install the app, and it tells you the app can view your phonebook, but you have to either trust the app not to abuse that ability or not install it at all. There's no way of telling the difference between an app that can use your phonebook to provide useful optional functionality and one that'll upload the entire thing to the mothership the moment you start it.

I really think Android should add another layer of protection here, similar to the "This app wants to use your location" prompt in iOS. I'd like to be able to install an app that might need to access my phonebook in some use case but be able to deny it when it attempts to access that information when I don't want it to.

For example, I'd want to be able to use the facebook app and many users might even want to have it scan their address books in order to find friends. However, if the app attempts to read my address book when I'm just checking someone's status update that is clearly not okay and I want to be able to block it.

The free pass to pillage my phone upon installation doesn't sit well with me.

> I really think Android should add another layer of protection here, similar to the "This app wants to use your location" prompt in iOS

Most definitely. This has always been my argument against the whole system: installing apps that need excessive permissions is basically blackmail. Just like "Do you agree to the terms of service?", you hardly have a choice. I was very surprised to see people not even glance at the permissions before clicking Accept.

But as I said, it's blackmail anyway whether you look or not. You don't want them to have all your contacts, your exact location, all data on your sdcard, and full network access? Fine then, you won't get [whatsapp] (or pretty much any other app), that what everyone else has and that you're almost socially obliged to have (at least in my age category).

It even goes so far that the android user has no permissions to use the permission manager to deny or allow permissions for apps. There are commands ("pm grant x" and "pm revoke y") that lets you change apps' permissions... but you can't use it by default, even as root ("java.lang.SecurityException: Neither user [your uid] nor current process has android.permission.GRANT_REVOKE_PERMISSIONS"). It's totally messed up.

On a rooted android phone, it is possible to install apps but not give the the permission. Of course, that usually means they will crash then they try to do something, but it gives you a layer of protection if you want to try the app out or something.

I'm well aware of what prompted the change to iOS. We talked about that last year. I'm not defending anything, but that's not really at issue today, though.

Specifically in this case: pretty sure Android and Path alike might be informing you about address book access, but nowhere is the user going to be prompted for Path to share with your contacts after uninstalling the app.

Same odious behavior, just a bit different this time.

it certainly is on android. one of the reasons why i only install "social" apps on iOS..