Update, April 19, 2012:
It seems that Google isn't showing my user review on the app. At best, they're holding it for human eyes to review since it was both a 1-star review and contained a URL back to this blog post. At worst, they mark those comments as spam so only the author of the comment can see it. Here's a screenshot of my comment:
At work, I'm the permanent scrum-master for my team, and was looking for tools that would help semi-automate the process, or at least provide a better way of taking notes to share with other teams than writing on a notepad and typing it up on my system afterward. Elmer was always much better at this using some tool that would generate nice notes based on markdown.
Scrum Master Assistant, on the surface, looks like a great tool. You can set up multiple kinds of meetings, add participants, add notes, new issues, it even has a timer so you can track who's a chatterbox during scrum to keep things running quickly and smoothly. They've recently added a "publish to Google Docs" feature which makes a pretty neat spreadsheet. I figured I'd test it out before our actual scrum meeting and could NOT believe what I saw.
In the settings, I had already told the app which Google account to use for publishing to Google Docs:
When you publish to Google Docs for the first time, the app prompts you for permission, which I would have expected:
A second prompt asked for access to Google Spreadsheets, which I also allowed.
Once published, I logged into Google Docs, and saw that the spreadsheet for my sample meeting, where I was the only attendee, had sharing permissions set to "only the people listed below", but to my horror I saw that the app developer had added THEMSELVES as a shared person on the document. If that wasn't bad enough, they added themselves as an EDITOR to the document:
I couldn't believe that the developer would pull such a blatant move. I immediately left feedback on Google Play and uninstalled the app. Then I reinstalled it to grab screenshots.
When you install the app, it tells you about the following permissions:
- modify/delete USB storage
- take pictures and videos
- full internet access
- act as an account authenticator, use the authentication credentials of an account
- read contact data
- view network state
- discover known accounts
On the surface, those permissions seem fine, given the published list of features of the application. Namely, it would use your contacts to add people to meetings, it could take a picture of who was at the meeting, it needs Internet access to publish notes online, and it needs access to your Google account to push to Google Docs. I suppose it needed access to your USB data in order to save notes to your device.
Version 1.3.3 of the app, published March 2, 2012, says it fixed a few defects and *removed* unnecessary user permissions. As of version 1.3.1, it said it was no longer ad-supported, yet it maintains a full name of "Scrum Master Assistant (adware)", and it added the Google Docs integration.
The Description of the app says this:
**** No Ads ****
**** Publish reports to Google Docs (Beta) ****
**** Adapted for tablets ****

The application will help Scrum Masters at daily Scrums to gather impediments and help team members stay focused, restrict the meeting duration to 15 minutes. Every meeting is immediately followed by a scrum report with all the collected issues and meeting details to show who was too talkative.

Features
- Meeting duration timer and timer for every participant to keep everyone focused on agenda
- Participant details, photo can be imported from Phone Contacts. Contacts can be synchronized with Google contacts
- A photo can be also captured using a phone camera or taken from a picture gallery
- Collected Action items, issues can be shared via Google Docs or sent as Excel report to e-mail

Key words: Agile tool, Scrums, Daily Scrum, Standup, Scrum Master, Meetings, Meeting Notes, Meeting Minutes
There is NO notice anywhere within the app that tells you the dev is going to share every document with them. There's no disclosure of why they need access to USB storage.
How have no other users reported this yet??