I am *very* surprised that the list of requested permissions on Google Play does *not* have to match the actual permissions which the app gets when installed.<p>I would have thought that the list on Google Play is computed from the binary so it cannot be fake.<p>Is it really true that you can just leave out permissions in this list and then just get them once people install your app?
It was discussed yesterday at <a href="https://news.ycombinator.com/item?id=30115132" rel="nofollow">https://news.ycombinator.com/item?id=30115132</a> which has 57 comments.
So many such issues could be easily mitigated if we just moved away from apps to PWAs/Web apps with better support from mobile vendors for the push API, camera, etc - but the powers that be (Apple, Google, Microsoft) and also the sites (Reddit, Amazon, etc) want to move in the opposite direction because who cares about security and users when apps bring in the moolah.<p>As a matter of fact sometimes the websites are so much better too, like Amazon, which doesn't even have a "Find.." function in the app. I really wish we could be done with these apps and everything just ran in the browser, except maybe apps that need some low level API or something.
You're telling me a for-profit, closed source, proprietary application store where anyone can submit software and call it anything they want has perverse incentives? I'm shocked. Shocked, I tell you.