Welcome to AF MiscBec!
What good questions! And I'm very glad you liked PocketPermissions - thank you very much for the kind words.
(As always please feel free to rate/comment on it in the market). We're always glad to have some feedback.
If it's OK also, I'm going to post a quick note in the PocketPermissions thread with your suggestions so others can see them and I will remember to try and implement them.
1) Billing permission - I hadn't seen this actually, but I'm pretty sure that's what it is for. I will add it to the list. I am pretty sure that Google puts in some extra safeguards for that permission too. I think you are able to set a PIN code to protect your saved credit card, and that an app must still go through an extra screen asking you if it is OK to purchase that item. I will be sure to double check this with a live demo app to see for sure and post back the results.
Once the app gets an OK to charge you I believe it has a short window (10 or 15 mins) in which to charge you. After that, it must re-request your OK.
Like I said though, this is just some of what I have read and heard. I will test this for sure myself as soon as time permits.
2) Manage Accounts / Use credentials
When an app requests to manage accounts or use credentials on your phone, it only means accounts that have been set up as Android accounts on the phone. Typically this would almost never include your bank. Rather it includes your Google account (Gmail) and any services that you can access through that account. Other accounts that are set up through the phone are Facebook, Twitter, Picasa, etc.
Generally this permission is not as scary as it sounds but you should take caution in granting it.
Manage accounts would allow an app to add or delete (possibly modify) an account. However I think there are some safeguards about modifying any accounts.
Typically the only apps that need to manage accounts would be apps that want to create a special account for you (like Twitter or Facebook).
To see what accounts you have on your phone, from the phone's home screen press [menu] > settings > accounts & sync
When an app requests that it be allowed to use credentials, this typically would not give it access to your password or anything like that. Rather, it allows the app to interact with that account on your behalf. For example, an app that helps you back up Gmail may request this permission so that it can access the data from Gmail. This does give it some extra access to other services like YouTube and other Google services, but usually to nothing more sensitive than your Gmail. This would not give it a way to log into your bank account.
Again though, this is another permission that should be given with caution. Some apps may request this to interact with Google services; however, I'm hesitant to grant it too easily. I typically would only grant it to Google apps themselves and rarely some type of "replacement" app or social app.
3) Number of Downloads & Ratings
This is very subjective unfortunately. The section on "The Community" in the guide and in PocketPermissions covers this to some extent. But you bring up some important points too.
Basically it is all about context (as with everything). It is important to remember that some of the most nefarious and malicious apps will pay people to fake reviews and fake downloads (this was the case with an illegal 'free music' download app a few months ago).
If you don't want to feel too brave, I'd at least wait until an app had about 100 downloads. Maybe 500. Lots of the best apps start off small (for reference, PocketPermissions still has less than 100).
A better way to tell would be to look at what the comments say. Are they very general, like a horoscope, saying things like "best app!" or "would download again A+++"? Or are they more specific: "I like feature X and have a minor problem with Y, 4 stars until Y is fixed - Samsung Galaxy S"?
It is also pretty normal for a dev to have a few friends comment on an app and give it good ratings. But this is usually just one or a handful of reviews and not considered bad/gaming the system.
But none of these methods are perfect for detecting ill intent alone. They must be used together to form a complete picture.
Anyways, hope that helps, and thanks again for the kind words,
cheers
-alp
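As an added illustration of point 2 above (this is example code written for this page, not code from alp or from PocketPermissions), here is what the three Accounts permissions let an app actually do through Android's AccountManager on a pre-Marshmallow device (Android 6.0 stopped enforcing USE_CREDENTIALS and MANAGE_ACCOUNTS, so this reflects the Market era the post describes). The account type "com.google", the token type "mail" and the manifest entries in the comment are assumptions for the example; the security point is that the app receives a scoped, revocable auth token, never the password, while MANAGE_ACCOUNTS carries the destructive capability.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerCallback;
import android.accounts.AccountManagerFuture;
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;

// Assumed manifest entries for this example:
//   <uses-permission android:name="android.permission.GET_ACCOUNTS" />
//   <uses-permission android:name="android.permission.USE_CREDENTIALS" />
//   <uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
public class AccountsDemoActivity extends Activity {
    private static final String TAG = "AccountsDemo";
    // Google accounts are registered under this type (assumption for the
    // example); "mail" is the Gmail token scope the app asks for.
    private static final String GOOGLE_ACCOUNT_TYPE = "com.google";
    private static final String GMAIL_TOKEN_TYPE = "mail";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        AccountManager am = AccountManager.get(this);

        // GET_ACCOUNTS: enumerate the accounts listed under Settings >
        // Accounts & sync. Only accounts registered with Android appear;
        // a bank login kept inside the bank's own app is not among them.
        Account[] googleAccounts = am.getAccountsByType(GOOGLE_ACCOUNT_TYPE);
        for (Account a : googleAccounts) {
            Log.i(TAG, "account: " + a.name + " type=" + a.type);
        }
        if (googleAccounts.length == 0) {
            return;
        }
        final Account target = googleAccounts[0];

        // USE_CREDENTIALS: ask the Google authenticator for a scoped auth
        // token. The first request for a new scope shows the user a consent
        // screen; the password itself is never handed to this app.
        am.getAuthToken(target, GMAIL_TOKEN_TYPE, null, this,
                new AccountManagerCallback<Bundle>() {
                    @Override
                    public void run(AccountManagerFuture<Bundle> future) {
                        try {
                            Bundle result = future.getResult();
                            String token = result.getString(AccountManager.KEY_AUTHTOKEN);
                            // The token goes in an Authorization header to the
                            // service; it expires and can be revoked server-side.
                            Log.i(TAG, "got token, length " + token.length());
                        } catch (Exception e) {
                            Log.w(TAG, "token request failed or was denied", e);
                        }
                    }
                }, null);

        // MANAGE_ACCOUNTS: the capability that justifies caution. An app that
        // holds it can remove an account outright with no per-call prompt.
        // Left commented out here because it is destructive.
        // am.removeAccount(target, null, null);
    }
}
```

When reviewing a third-party app, the question to ask is which of these three calls it plausibly needs: a backup or mail client needs getAuthToken, almost nothing outside an account provider needs removeAccount.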