Security is probably the biggest reason. With attacks growing continually more sophisticated, it’s not enough to just patch holes as they’re found — you have to engineer entirely new systems to not be drowned in holes. This unfortunately has compatibility implications.
Look at macOS for example, which over the years has gained app sandboxing and mobile-like access permissions. Software pre-dating these additions that assumes that it has access to everything all the time will have its functionality impaired. Devs had to update their software to not make such huge assumptions and to handle no access cases gracefully.
So, how secure is "secure enough"? Android's security model is okay, and Google knows it, so they just keep redesigning the UI without substantial API changes because the updates have to be coming out with each lap the planet makes around its star.
> Devs had to update their software to not make such huge assumptions and to handle no access cases gracefully.
Sure. But at some point it will reach the "secure enough" state, won't it?
(Actually, macOS permissions work mostly transparently API-wise. Apps can request access explicitly so it better fits their particular UX, but the prompt would also pop up the first time the protected resource is accessed. No code-level changes are necessary to support this.)
> Android's security model is okay, and Google knows it, so they just keep redesigning the UI without substantial API changes because the updates have to be coming out with each lap the planet makes around its star.
Google is a bit of a special case I think due to their culture of using big projects as a means of climbing the corporate ladder. The only thing that could ever possibly result from that is endless churn.
> Sure. But at some point it will reach the "secure enough" state, won't it?
Maybe, I’m too much of a layman in the field of infosec to be able to say.
> (Actually, macOS permissions work mostly transparently API-wise. Apps can request access explicitly so it better fits their particular UX, but the prompt would also pop up the first time the protected resource is accessed)
True, but it’s still problematic if e.g. the user accidentally denies access unknowingly, which will result in the app producing seemingly nonsensical errors. For a good user experience the app needs to be able to tell the user what the real problem is.
The program's interface with environment won't change forever, when you write your program as a pure function which only touches exactly the thing it fundamentally needs to, you use a pretty much finalized interface.
Look at macOS for example, which over the years has gained app sandboxing and mobile-like access permissions. Software pre-dating these additions that assumes that it has access to everything all the time will have its functionality impaired. Devs had to update their software to not make such huge assumptions and to handle no access cases gracefully.