If you’ve got a Hive heating system and an Android smartphone, you may have been hit with a rather strange request from the Hive app. It wants you to give it permission to make or manage phone calls, supposedly for security reasons. Why on Earth does a heating app need access to your phone? It’s a question I’ve put to Hive.
Hive app permissions: what is it asking for?
When I signed into my Hive app yesterday, it asked me to give it permission to access the phone for security purposes. Giving apps access to parts of the hardware that they don’t need is not good security practice, so I denied the app permission.
I was greeted with the following message:
I’m not the least bit keen on the tone of that final sentence: the assertion that you’re weakening your own security by failing to give the app access to parts of the system that it doesn’t need. Very poor.
I didn’t give in to the scaremongering and refused permission. Initially the app refused to let me log in at all. This morning, it seemed to have righted itself and I could again access functions such as switching off the heating etc, but when I went to the account management, everything was greyed out. I’d need to give the app permission to access phone calls etc if I want to manage my own account!
Note, that I can go on the Hive website with the exact same username and password I logged into the app with and access all of the account management features there, without any extra security hoops to jump through. It’s woefully inconsistent.
What does Hive say?
I asked Hive why it needs permission to make phone calls etc. A company spokesperson said:
“The Hive App pop up asking for customers’ permission to manage calls is incorrect and we’re currently working to update this as soon as possible to be more accurate.
“We are required to access phone permissions for security purposes. For security measures, we need to be able to access some parts of the customers’ phone that might be deemed sensitive, to generate a device signature that our service uses to help differentiate between real and fraudulent logins. The permissions give us access to customers’ phone numbers and network carrier to ensure no one else is trying to access customers’ accounts. This is not a requirement directly imposed by us, but rather by our security service.”
Frankly, this is all a bit of a shambles from Hive. It puts out an update that is – at best – poorly worded, and then tries to shift the blame on to the “security service”, whatever that may be.
I’m not the least bit impressed. There are ways of authenticating customers that don’t need intrusive phone permissions. It’s the second time in recent months that Hive has irritated me, the last occasion being with its poor value Hive Heating Plus service, but at least that was optional.
Alas, replacing a smart heating system is not a cheap or easy process. But I’m growing increasingly tempted to get rid of it.
Doesn’t the popup say… “We will not use it to make or manage phone calls”?
As an android developer I’ve encountered this before and annoyingly google has decided that when an app needs to access read only device state using the android.permission.READ_PHONE_STATE permission the system default permission request is worded as “Make or manage phone calls” – This is usually not the reason this permission is used and it’s no surprise it can scare users away. There’s no option to change this text as a developer. The only thing one can do is provide some justification text, which in this case confirms that it will not be used to make phone calls. Any phone state access comes under the Phone permission group as is therefore worded as such. This is decided by google not the developer. Not the first time google haven’t got the runtime permission request model right.
For more information on what is permission is actually requesting see:https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE
There is no mention of actually being able to make phone calls on the users behalf.