Comment by Defletter

The more fine grained “only allow access to select photos” was introduced in iOS 14 and before that your only option was to ask for permissions for all photos. Not to say devs shouldn’t have converted by now but just to say it is possible they just implemented it that way at the time and never got around to updating rather than they really want the broader access.

> possibly as a judge to get you to give it more permissions

judge or kludge?

Yeah on iOS facebook messenger app can be set to only access media one by one selected by the user

The point is that drag-and-dropping files should give the sandbox access to that file exclusively without needing to grant any extra permissions. I don't want discord reading my entire home directory, or even all my pictures.

Android already provides the "proxy" system. You never need a permission to ask the camera app to launch and pass back the photo to your app.

It's only because people want to control the camera UI.

It's slowly getting better but the API devs need a way to learn what the apps need to be better.

For example, maybe in the future, we could have an Android OS bottom sheet with the camera view finder instead of an embedded app UI that requires camera permission.

And also, don't forget that these permissions were eventually required because malicious actors like Meta kept surveiling users in the background without their knowledge.

> In my phone "phone's app" I have the option to message on whatsapp next to each number, but when I click on it, whatsapp doesn't let me just message the number, it asks for permission to view all my contacts.

This works fine with Open contacts from F-Droid.

WhatsApp can be more specific but chooses not to. They want to access your entire address book and cross-match your number with all of your friends', especially if they're not on WhatsApp yet.

This isn't a technological problem with a technological solution. It's a policy problem on WhatsApp's side.

> As a programmer I dread writing any line of code that deletes files. I feel like there should be a low-level API that required me to say the file extension that my application is allowed to delete or something like that. It's still crazy to me that any single program can just delete all user files even though no user would ever grant it that ability. Until that is fixed the whole user permission model just feels like a big joke to me.

Yes, but I wouldn't want my file manager to double prompt me every time I try to delete a file (one from the FM, one from the OS). However, on Android at least, your application can request access to a specific (set of) file(s) or folder(s), so that the damage of a file deletion bug remains very limited. Your app can even request read-only access.

I don't think mobile platform have a good "recycling bin" API, though. There's one for media files, but I don't think that works for general files. Still, the Google Photos/Camera apps seems to use a system prompt to verify deleting files, so I think there's something at least.

And in my experience, users are too stupid to handle fine-grained permissions. Every time I see my parents, I need to go over all of the websites they've somehow managed to permit notifications for (despite my disabling that shit by default), and I'm not the only one. Research shows people will click "allow" without thinking and leave apps running and updating in the background for months before cleaning house. And notifications are only a minor annoyance (at least on Android, other platforms allow them to be pretty annoying), this isn't even about apps trying to track your location by accessing the metadata on your pictures.

For a few decades, we've tried educating people about how to use computers, and wave after wave of viruses proved that most people are incapable of using a computer securely, even with antivirus. In the modern dumbed-down phone landscape, downloading a virus is actually quite hard, and the viruses can do far less damage than what they could in the XP desktop computer era, but that dumbing down comes at a cost. Every unfortunate new sandboxing rule Google imposes on Android (usually) has a very good reason behind it for the vast majority of users, even if it ruins the day or week or month of tens of thousands of power users who rely on the freedom to do what they want with their phones.

I think it is a problem with the design of the system (e.g. POSIX), that the permission models do not work very well, so trying to add them to a system that it does not fit, might be the problem. (In some ways, it is possible to do by a VM code, but that has its own issues.)

The other things that you mention might also be significant, although I think the problem I mentioned is also a significant reason why it is difficult to change even if you do want to improve it.

> As a programmer I dread writing any line of code that deletes files

My idea of operating system design does not have any function to delete files. You can erase the contents of a file, and you can remove all references to a file (if you can find them). If you do remove all references to the file, then the file will be deleted. However, any of these things requires a capability which can be used to modify the appropriate files; you do not automatically have the permission to do any of this. (The capability might also be a proxy capability that does copy on write so that the program's view of them can no longer see the contents and references to the file even if they are not actually modified or deleted.)

> It feels like permission models are stuck in engineering for low-level programs and nobody thinks about how actual people will use it

Not to be a perpetual curmudgeon, but I feel like a portion of the blame for this could the developers XY'ing each other into the broadest use-case possible. Allowing users to select photos to embed into their messages gets "but what are you really trying to do?"-d into just putting access to the filesystem behind a flag.