Latest Pandora Radio Security Permissions Leaves Listeners Puzzled

Pandora Radio, one of the most popular streaming music options out there, recently updated their Android application.  While updates are nothing new, the access the app requested left Pandora fans on Android wondering and quite puzzled.  Previously when installing updates, Pandora listeners were asked to grant the app internet access only.  Now in addition to the internet access, listeners are ask to grant the app access to contacts, something which leaves all of us a little confused.  At first glance, I thought that perhaps Pandora needed access to this for song sharing, but I really wasn’t sure. Time for a little Android Guy investigation.

In order to dig deeper we at Android Guys reached out for a statement from Pandora.  We asked why they needed access to a users contacts.  See their response below:

“We request contact access so sharing songs can be quick and simple.  When someone is listening to a song they like and want to share, that access enables us to immediately display their contact list so listeners can pick the friend(s) to whom they want to send that song.   That’s the sole purpose of the access request.  We don’t store, or save anyone’s contact book information, or access it for any other reason at any other time: we just access it for people in that specific instance.

We’re not able to make that explanation on the Android OS screen when it asks for permissions,  so it comes up as you noted below and can seem startling.   I’m glad to have this opportunity to clarify to Android users that the request for access is for the very basic reason: to make for an easier sharing experience that contributes to a more robust Pandora experience.  Thank you.”

While this response is honest enough, we should always remember that Android is an open platform, so there’s no walled garden protecting users from questionable practices. The benefit of having a phone that provides more freedom with apps means that you also have to take on the responsibility of policing your device. Always read the permissions before installing and think about why certain apps make certain requests. Whether it is Pandora or some random third party app, always keep an eye out.

  • An enhancement request was submitted to add an optional description to the uses-permission manifest attribute. This description could provide a better explanation as to why an app is requesting the security permission. Unfortunately, this has yet to be accepted.

  • NeoteriX

    Thanks for reporting on this issue!

  • AndroidDeacon

    Good report.. retweeting!

    • tooltamer

      your a tool…”retweeting”..your sucha tool

  • Pretbek

    There are some other apps out there asking strange permissons. Like the AP news app, it also need 100% acces. No explenations for any of these permissons, if they would restrict dev’s to give them, it would leve us less wondering and more aware of things. 🙂

  • It would help a lot if the Market gave devs the opportunity to explain WHY we are asking for various permissions. Like Pandora, we often have a good reason, but it’s not immediately obvious. If you agree, please go star this issue in the official Android bug tracker:

    Devs should also explain their use of permissions on the website associated with their app, although few users go look there, unfortunately.

  • This is exactly the reason why I wrote this:

    If google or app developers use this advise, we can feel so much more secure in the Android market.

  • Meko

    Thank you for following up on this. I wish when installing apps, there was an easier way to verify WHAT the permissions are needed for and not just what permissions you’re granting.

  • This is good, we need more folks to look into app permissions and call the devs on them.

  • Vince

    See, it’s ok, as in iPhone, to have some control over apps. not only are they ALOT better, but safer for everyone! take some pointers Droid market…police your apps, make the BETTER and all will be fine, really, it’s ok.

  • Matt

    My concern still is people can say all day this is what the permission is being used for but then still use the information any way they feel like….i dont believe in completely policing the android market, but I believe maybe in order to publish an app that requires more sensitive permissions the author should have to sign some legal agreement that if they get caught misusing private information they are held accountable….apps without needing such serious permissions are still free to be made by anyone and could publish no problem

    • arth

      The permission being abused seems to be exactly what’s happened with Pandora.  They now appears to have started e-mailing users found in the Android address book without request from the Android user. I received such an e-mail myself, “on behalf of” a user who would never ever share what he or she listened to, and especially not with me.