Google wants to make sure developers are looking after their users’ data in their Android 6.0 Marshmallow apps. The company has provided some key best practices it believes developers should aim for when building their apps and keeping user trust in mind.
“Marshmallow introduced several changes that were designed to help your app look after user data,” wrote Giles Hogben, Google privacy team member, and Joanna Smith, developer advocate, in a blog post. “The goal was to make it easier for developers to do the right thing. So as Android 6.0, Marshmallow, gains traction, we challenge you to do just that.”
The latest release of Android moved the prompt for dangerous permissions (location, contacts, camera, microphone and the like) from install time to runtime, for apps that target API level 23 or higher. This change gives developers the ability to ask for access to a user's sensitive information at the moment it is needed and to explain how it will be used. Google suggested developers be thoughtful about what happens when a permission request is denied, and build the app so that the user can still use it, in a degraded mode if necessary, after refusing. Apps that still target an older API level are not exempt: a user can revoke their permissions from Settings, in which case the affected APIs return empty or null data rather than throwing, so the same fallback paths are needed there too.
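The following activity is an added example of that flow written for this article; it is not code from Google's post. It assumes a hypothetical "nearby stores" feature that is better with coarse location but works without it, and that AndroidManifest.xml already declares ACCESS_COARSE_LOCATION. The permission is requested only when the feature is used, a rationale is shown if the user has refused once before, and a denial (including "never ask again") drops the user into the postcode-based fallback instead of a dead end or a crash.

```java
import android.Manifest;
import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.widget.Toast;

// Hypothetical activity for illustration only (not from the Google post).
// Assumes <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
// in the manifest and targetSdkVersion 23 or higher.
public class StoreFinderActivity extends Activity {
    private static final int REQ_LOCATION = 1;
    private static final String LOCATION_PERM = Manifest.permission.ACCESS_COARSE_LOCATION;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // In a real app this would run when the user taps "Stores near me",
        // so the prompt appears in context rather than at launch.
        showStoresWithOrWithoutLocation();
    }

    private void showStoresWithOrWithoutLocation() {
        if (checkSelfPermission(LOCATION_PERM) == PackageManager.PERMISSION_GRANTED) {
            showNearbyStores();
            return;
        }
        // true only if the user has already refused once (and not ticked
        // "never ask again"): explain the request before repeating it.
        if (shouldShowRequestPermissionRationale(LOCATION_PERM)) {
            new AlertDialog.Builder(this)
                .setMessage("Location is used only to sort stores by distance.")
                .setPositiveButton("OK", new DialogInterface.OnClickListener() {
                    @Override public void onClick(DialogInterface d, int w) {
                        requestPermissions(new String[] {LOCATION_PERM}, REQ_LOCATION);
                    }
                })
                .setNegativeButton("Not now", new DialogInterface.OnClickListener() {
                    @Override public void onClick(DialogInterface d, int w) {
                        showStoresByPostcode();
                    }
                })
                .show();
        } else {
            requestPermissions(new String[] {LOCATION_PERM}, REQ_LOCATION);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
        if (requestCode != REQ_LOCATION) {
            return;
        }
        // grantResults is empty when the request is interrupted (e.g. by a
        // configuration change), so treat that like a denial, not a grant.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            showNearbyStores();
        } else {
            // Denied, possibly permanently: fall back instead of re-prompting.
            showStoresByPostcode();
        }
    }

    private void showNearbyStores() {
        Toast.makeText(this, "Sorting stores by distance", Toast.LENGTH_SHORT).show();
    }

    private void showStoresByPostcode() {
        Toast.makeText(this, "Enter a postcode to find stores", Toast.LENGTH_SHORT).show();
    }
}
```

The same pattern applies to any dangerous permission: check first, ask in context, and treat every non-granted result as the no-permission path, since a permission granted today can be revoked from Settings tomorrow.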
“Permissions are also now organized into groups, so that users can make an informed decision without needing to understand technical jargon,” Hogben and Smith wrote. “By allowing your users to make a decision, they may decide not to grant a permission or to revoke a previously-granted permission.”
Other best practices for permissions included requesting only the permissions the app needs to work, being transparent about why each is needed, and making system access explicit. Permissions pulled in by libraries deserve particular attention: the build's manifest merger adds a library's uses-permission entries to the app's own manifest, so the finished app can end up asking for permissions the developer never wrote. Running `aapt dump permissions` on the built APK shows what will actually be requested.
Another way Google aims to protect user data in Android Marshmallow is by cutting off access to device data apps do not need and by offering Instance IDs instead. Marshmallow stops apps from reading the device's Wi-Fi and Bluetooth hardware addresses (WifiInfo.getMacAddress() and BluetoothAdapter.getAddress() now return the constant 02:00:00:00:00:00), removing a common source of persistent cross-app tracking. An Instance ID provides a unique identifier per installed instance of the app, scoped to that app and resettable, rather than a permanent identifier for the device, which according to Google gives apps a safer way to recognise an installation.
Other best practices for unique identifiers included avoiding hardware identifiers (such as the IMEI, serial number or MAC address), using the Advertising ID only for advertising and user-profiling use cases and honouring the user's opt-out, preferring an Instance ID or a privately stored GUID whenever possible, and choosing the API appropriate to the use case so that each identifier carries the least privacy risk needed for the job.
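As an added example, not code from Google's post, the helper below applies those rules: an app-private GUID for the app's own bookkeeping, an Instance ID when a Google-backed per-install identifier is wanted, and the Advertising ID only for ads, returning null when the user has limited ad tracking. It assumes the Google Play Services client library is on the classpath; the class name AppIdentifiers, the preferences file name and the key name are the author's choices here.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Log;
import com.google.android.gms.ads.identifier.AdvertisingIdClient;
import com.google.android.gms.common.GooglePlayServicesNotAvailableException;
import com.google.android.gms.common.GooglePlayServicesRepairableException;
import com.google.android.gms.iid.InstanceID;
import java.io.IOException;
import java.util.UUID;

// Hypothetical helper (not from the Google post). Assumes the Play Services
// ads-identifier and iid libraries are available to the app.
public final class AppIdentifiers {
    private static final String TAG = "AppIdentifiers";
    private static final String PREFS = "app_identifiers";   // author's choice
    private static final String KEY_GUID = "install_guid";   // author's choice

    private AppIdentifiers() {}

    // App-private, per-install GUID for the app's own needs, e.g. deduplicating
    // crash reports. Uninstalling or "Clear data" wipes it, which is the point:
    // it cannot be used to follow the user across apps or reinstalls.
    public static synchronized String installGuid(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String id = prefs.getString(KEY_GUID, null);
        if (id == null) {
            id = UUID.randomUUID().toString();
            prefs.edit().putString(KEY_GUID, id).apply();
        }
        return id;
    }

    // Instance ID: a per-install identifier issued by Play Services and scoped
    // to this app, usable where a server needs to recognise an installation.
    public static String instanceId(Context ctx) {
        return InstanceID.getInstance(ctx).getId();
    }

    // Advertising ID for ads and profiling only. Blocks while it binds to Play
    // Services, so call it off the main thread. Returns null when the user has
    // opted out of interest-based ads or the ID is unavailable, and callers
    // must treat null as "do not profile", not fall back to a hardware ID.
    public static String advertisingIdForAds(Context ctx) {
        try {
            AdvertisingIdClient.Info info = AdvertisingIdClient.getAdvertisingIdInfo(ctx);
            if (info.isLimitAdTrackingEnabled()) {
                return null;
            }
            return info.getId();
        } catch (IOException
                | GooglePlayServicesNotAvailableException
                | GooglePlayServicesRepairableException e) {
            Log.w(TAG, "advertising id unavailable", e);
            return null;
        }
    }
}
```

The separation matters because each identifier has a different reset model: the GUID resets with the app's data, the Instance ID is app-scoped and can be reissued, and the Advertising ID is user-resettable and carries an opt-out flag. Mixing them, or tying any of them to a hardware identifier, recreates exactly the persistent tracking the Marshmallow changes were meant to remove.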
“User trust depends largely on what users see and how they feel,” wrote Hogben and Smith. “Mishandling permissions and identifiers increases the risk of unwanted/unintended tracking, and can result in users feeling that your app doesn’t actually care about the user.”