Permissions Creep: How to Avoid Review Damnation

Feb 05, 2014

Apps update all the time as developers fix bugs and add features. Every so often, an app's feature growth will require a new permission. The next time users try to update that app, they might be asked for new personal information, like a request for permission to “read calendar events plus confidential information.”

It’s not too surprising that requests like these can cause heartburn among users: they sound scary. As a user, my first question is, “Why is this company asking for this?” And if there’s no explanation why, then I don't update. These things make people mad, and the obvious vector to express their outrage is by giving the app a poor rating and writing a scathing review.

Much has been written about how app permissions are not very user friendly: 74% of apps reviewed by the latest HP Security Research Cyber Risk report request unnecessary permissions that could lead to inappropriate access.

It’s clear that navigating the potential minefield of permissions is very important to maintaining high ratings. Several recent app updates on the Android Play Store illustrate how angry users express themselves. Here's one example:



The amazing thing is that all that outrage is avoidable by following two simple guidelines:

  • avoid asking for permissions that you don't need
  • if you have to ask for more, explain clearly why you need those permissions
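One way to enforce both guidelines before an update ships, as an added example that is not part of the original post: compare the `uses-permission` entries of the previous and new `AndroidManifest.xml` and fail the release when a newly requested permission has no user-facing explanation. The manifests, the `RATIONALES` mapping and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests (not taken from any real app).
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Hypothetical rationale file: permission -> text shown to users in the
# release notes or store listing. A blank entry counts as no explanation.
RATIONALES = {
    "android.permission.READ_CALENDAR": "Shows upcoming appointments next to your reminders.",
    "android.permission.READ_CONTACTS": "   ",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def review_update(old_xml, new_xml, rationales):
    """Split permissions added by the update into explained / unexplained."""
    added = requested_permissions(new_xml) - requested_permissions(old_xml)
    explained = {p: rationales[p].strip() for p in added
                 if rationales.get(p, "").strip()}
    unexplained = sorted(added - set(explained))
    return explained, unexplained

if __name__ == "__main__":
    explained, unexplained = review_update(OLD_MANIFEST, NEW_MANIFEST, RATIONALES)
    for perm, why in sorted(explained.items()):
        print(f"NEW  {perm}: {why}")
    for perm in unexplained:
        print(f"FAIL {perm}: no user-facing explanation")
    raise SystemExit(1 if unexplained else 0)
```

Run against the previous release's manifest in CI, a non-zero exit blocks the update until the permission is either dropped or explained.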

Here's Chase's approach to explaining permissions requests:



The faster you can contain the damage, the better. Angry users may lash out in ratings and reviews, but will they revise those ratings and reviews later? Some will, but some bad reviews might last forever. Act quickly and explain the motivations behind your permission requests; the rewards could look like this:



A careless approach to permissions can convince users not to upgrade. People who don't upgrade aren't getting any of the later versions. This fragments your installed app base and prevents users from getting bug fixes and security updates. In the worst case, users may uninstall the app, even though the permissions aren't retroactive, and you lose a customer you fought so hard to win in the first place.
