
While there are some good points made here, I would like to point out that the average desktop computing environment has no protections of this sort.

If I write a Windows (or Mac OS X, or Linux, to a slightly lesser degree in each case) application, I can have that app do every bad thing proposed by the author, and much more. I can roam through their "Pictures" and "Movies" folders, send out stuff I find over the probably very high speed internet connection. I can run proxies or other malware. I can pretend to be other applications to sniff passwords, or for other nefarious purposes, etc.

That is, of course, a major failing of the security model in a desktop environment...and it's been responded to by lots of band-aid solutions, like anti-virus and malware detection tools.

In short, while I think it's sort of unfair to pick on Android (which has among the best security layers built into the OS, rather than into the application distribution process or based on vendor trust), I actually agree. The new mobile device OS is an opportunity to solve the major security issues we know about. It shouldn't be a situation where backward compatibility is allowed to stand in the way of mitigating serious security risks.

The SD card thing could be fixed by deprecating 1.4 behavior. I wouldn't think that'd be a major issue, since a large number of apps had to be updated for 2.x anyway.



I say it is psychology. Android tells you what the applications are able to do and by being rather explicit about it, it is scary.

It would be great if a user could sandbox those permissions or even outright block them, but I guess that would just lead to malconfiguration, confusion and blind bug reports. Maybe a custom mod will do it some day. I rooted yesterday and now have an iptables-based firewall installed that lets me control what applications can access the internet (I guess there are loopholes around it but it is better than nothing).



