{"id":5907,"date":"2017-02-09T06:30:05","date_gmt":"2017-02-09T11:30:05","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5907"},"modified":"2018-10-10T17:29:22","modified_gmt":"2018-10-10T13:29:22","slug":"android-permissions-guide","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/android-permissions-guide\/5907\/","title":{"rendered":"All about Android app permissions"},"content":{"rendered":"<p><strong>Updated October 9, 2018:<\/strong> Google has changed app permission settings in Android Oreo, adding a new group called \u201cSpecial app access.\u201d More details are available in \u201c<a href=\"https:\/\/me-en.kaspersky.com\/blog\/android-8-permissions-guide\/12004\/\" target=\"_blank\" rel=\"noopener\">App permissions in Android 8: The complete guide<\/a>.\u201d<\/p>\n<p>In the face of malware, Android has a very good defense mechanism \u2014 the app permissions system. This system defines a set of actions an app is allowed (or not allowed) to perform. By default, all Android apps work in a\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Sandbox_(computer_security)\" target=\"_blank\" rel=\"noopener nofollow\">sandbox<\/a>\u00a0\u2014 an isolated environment. If they want to access, edit, or delete data outside the sandbox, they need the system\u2019s permission to do so.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5908\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/02\/05112441\/android-app-permissions-featured-es-3.jpg\" alt=\"\" width=\"1280\" height=\"840\"><\/p>\n<p>Permissions are divided into\u00a0<a href=\"https:\/\/developer.android.com\/guide\/topics\/permissions\/requesting.html\" target=\"_blank\" rel=\"noopener nofollow\">several categories<\/a>, but we are going to discuss only two of them:\u00a0<i>normal<\/i> and\u00a0<i>dangerous<\/i>. 
Normal permissions cover such actions as accessing the Internet, icon creation, Bluetooth connection, and so forth. These permissions are granted by default and do not require a user\u2019s approval.<\/p>\n<p>If an app needs one of the \u201cdangerous\u201d permissions, user confirmation is required. So, why are some permissions deemed dangerous? Are they inherently, actually dangerous? And in which cases should you grant them?<\/p>\n<h2>Dangerous permissions<\/h2>\n<p>The \u201cdangerous\u201d category includes nine permission groups where apps are somehow connected with the user\u2019s privacy or security. In turn, each group contains several permissions an app can request.<\/p>\n<p>If a user approves one of the permissions, the app gets all of the permissions from the same group automatically, without additional confirmation. For example, if an app gets permission to read SMS messages, then it will be also able to send SMS messages, read MMS messages, and perform other operations from this group.<\/p>\n<h3>Calendar<\/h3>\n<p><b>What it permits:<\/b><\/p>\n<ul>\n<li>Read events stored in the calendar (READ_CALENDAR).<\/li>\n<li>Edit old events and create new ones (WRITE_CALENDAR).<\/li>\n<\/ul>\n<p><b>Why it\u2019s dangerous:<\/b>\u00a0If you actively use your digital day planner, the app will know everything about your daily routine and might share it with criminals. 
In addition, a buggy app could accidentally wipe important meetings from the calendar.<\/p>\n<h3>Camera<\/h3>\n<p><b>What it permits:<\/b><\/p>\n<ul>\n<li>Camera access (CAMERA) lets the app use your phone to take photos and record videos.<\/li>\n<\/ul>\n<p><b>Why it\u2019s dangerous:<\/b>\u00a0An app can secretly record video or take photos\u00a0<em>at any moment<\/em>.<\/p>\n<h3>Contacts<\/h3>\n<p><b>What it permits:<\/b><\/p>\n<ul>\n<li>Read contacts (READ_CONTACTS).<\/li>\n<li>Edit contacts or add new ones (WRITE_CONTACTS).<\/li>\n<li>Access account list (GET_ACCOUNTS).<\/li>\n<\/ul>\n<p><b>Why it\u2019s dangerous:<\/b>\u00a0An app can snag your whole address book. This data is very attractive to spammers and fraudsters. This permission also grants access to the list of all of the accounts you use in the apps on this device \u2014 Google, Facebook, Instagram, and others like them.<\/p>\n<h3>Location<\/h3>\n<p><b>What it permits:<\/b><\/p>\n<ul>\n<li>Access to your approximate location (ACCESS_COARSE_LOCATION), provided based on data from cellular base stations and Wi-Fi hotspots.<\/li>\n<li>Access to your exact location (ACCESS_FINE_LOCATION), provided based on GPS data.<\/li>\n<\/ul>\n<p><b>Why it\u2019s dangerous:<\/b>\u00a0The app knows where you are at all times. It might, for example, let burglars know when you are far away from home.<\/p>\n<h3>Microphone<\/h3>\n<p><b>What it permits:<\/b><\/p>\n<ul>\n<li>Record audio from the microphone (RECORD_AUDIO).<\/li>\n<\/ul>\n<p><b>Why it\u2019s dangerous:<\/b>\u00a0The app can record everything that\u2019s going on near your phone. All of your conversations. 
Not only when you\u2019re speaking on the phone, but all day long.<\/p>\n<h3>Phone<\/h3>\n<p><b>What it permits:<\/b><\/p>\n<ul>\n<li>Reading phone state (READ_PHONE_STATE) lets the app know your phone number, current cellular network information, the status of any ongoing calls and so on.<\/li>\n<li>Make calls (CALL_PHONE).<\/li>\n<li>Read the list of calls (READ_CALL_LOG).<\/li>\n<li>Change the call list (WRITE_CALL_LOG).<\/li>\n<li>Add voicemail (ADD_VOICEMAIL).<\/li>\n<li>Use VoIP (USE_SIP).<\/li>\n<li>Process outgoing calls permission (PROCESS_OUTGOING_CALLS) lets the app see who\u2019s calling, hang up the phone, or redirect it to another number.<\/li>\n<\/ul>\n<p><b>Why it\u2019s dangerous:<\/b>\u00a0When you grant phone permissions, you allow the app to take almost any action associated with voice communications. The app will know when and whom you call \u2014 and it can call anywhere, including paid numbers, at your charge.<\/p>\n<h3>Body Sensors<\/h3>\n<p><b>What it permits:<\/b><\/p>\n<ul>\n<li>(BODY_SENSORS) \u2014 this permission provides access to your health data from certain sensors, such as a heart-rate monitor.<\/li>\n<\/ul>\n<p><b>Why it\u2019s dangerous:<\/b>\u00a0If you use accessories with body sensors (not the phone\u2019s built-in movement sensors), the app receives data about what is going on with your body.<\/p>\n<h3>SMS<\/h3>\n<p><b>What it permits:<\/b><\/p>\n<ul>\n<li>Send SMS messages (SEND_SMS).<\/li>\n<li>Read saved SMS messages (READ_SMS).<\/li>\n<li>Receive SMS messages (RECEIVE_SMS).<\/li>\n<li>Receive WAP push messages (RECEIVE_WAP_PUSH).<\/li>\n<li>Receive incoming MMS messages (RECEIVE_MMS).<\/li>\n<\/ul>\n<p><b>Why it\u2019s dangerous:<\/b>\u00a0It lets the app receive and read your incoming SMS messages as well as send them (charged to you, of course). 
For example, criminals can use this permission to subscribe victims to unwanted paid services.<\/p>\n<h3>Storage<\/h3>\n<p><b>What it permits:<\/b><\/p>\n<ul>\n<li>Read SD card or other storage (READ_EXTERNAL_STORAGE).<\/li>\n<li>Save records to storage or SD card (WRITE_EXTERNAL_STORAGE).<\/li>\n<\/ul>\n<p><b>Why it\u2019s dangerous:<\/b>\u00a0The app can read, change, or remove any files stored on your phone.<\/p>\n<h2>How to set up app permissions<\/h2>\n<p>You should carefully consider each permission you grant. For example, if a game or photo-editing tool wants access to your current location, that\u2019s strange. At the same time, maps and navigators really need GPS data \u2014 but not access to contact lists or SMS messages.<\/p>\n<p>In Android 6 and later, apps ask users for approval any time they need one of the dangerous permissions. If you don\u2019t want to grant them, you can always decline the request. Of course, if the app really needs those permissions, it will show error messages and won\u2019t work properly.<\/p>\n<div id=\"attachment_5934\" style=\"width: 1930px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-5934\" class=\"size-full wp-image-5934\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/02\/05112439\/app-permissions-request-en-1-3.png\" alt=\"\" width=\"1920\" height=\"1080\"><p id=\"caption-attachment-5934\" class=\"wp-caption-text\">An app requests permission to make and manage phone calls<\/p><\/div>\n<p>You can also check the permission list and change any app\u2019s permissions. 
Start by choosing\u00a0<em>Settings<\/em>\u2192\u00a0<em>Apps<\/em>\u00a0(these and following menu items may have slightly different names in your version of Android).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5911\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/02\/05112437\/app-permissions-setup-1-en-3.png\" alt=\"\" width=\"1280\" height=\"1084\"><\/p>\n<p>Now you can go one of two ways. First, you can check all permissions assigned to a certain app. To do that, click on the app\u2019s name and choose\u00a0<em>Permissions<\/em>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5912\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/02\/05112436\/app-permissions-setup-2-en-3.png\" alt=\"\" width=\"1280\" height=\"711\"><\/p>\n<p>Second, you can look through the full list of apps that have already requested or can request one of the dangerous permissions. For example, it\u2019s a good idea to check which apps want access to your contact list and prohibit suspicious ones from getting it. For this choose\u00a0<em>Configure Apps<\/em>\u00a0(the gear icon in the upper right corner) and then click\u00a0<em>App Permissions<\/em>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5913\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/02\/05112434\/app-permissions-setup-3-en-3.png\" alt=\"\" width=\"1280\" height=\"711\"><\/p>\n<h2>Special access rights<\/h2>\n<p>Apart from dangerous permissions, an app can also request special access rights. When that happens, you should be wary: Trojans often request such rights.<\/p>\n<h3>Accessibility<\/h3>\n<p>This permission simplifies work with apps and devices for people with sight or hearing difficulties. 
Malware can abuse these features.<\/p>\n<p>Having obtained such access rights, Trojans can intercept data from apps (including input text \u2014 passwords are the main goal here). In addition, malware gets the ability to\u00a0<a href=\"https:\/\/securelist.com\/blog\/research\/75894\/how-trojans-manipulate-google-play\/\" target=\"_blank\" rel=\"noopener\">purchase apps<\/a>\u00a0in the Google Play Store.<\/p>\n<h3>Default messaging app<\/h3>\n<p>Banking Trojans aim to become the default SMS app; that lets them read SMS messages\u00a0<em>and hide them<\/em>\u00a0\u2014 even in later versions of Android. For example, Trojans can use this feature to intercept banking passwords from SMS messages and confirm malicious transactions without a user\u2019s knowledge (remember, they can hide SMS messages).<\/p>\n<h3>Always on top<\/h3>\n<p>The permission to overlay windows of other apps lets Trojans show phishing windows on top of legitimate applications (mobile banks or social network apps mostly). Victims think they\u2019re entering their passwords into the forms of real applications, but in fact everything happens in the fake window displayed by the Trojan, and sensitive data goes to criminals.<\/p>\n<h3>Device administrator privileges<\/h3>\n<p>These rights let the user change the password, lock the camera or wipe all data from the device. Malicious apps often try to get such permissions; apps with administrator privileges are hard to uninstall.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5914\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/02\/05112432\/device-admin-request-en-1.jpg\" alt=\"\" width=\"1280\" height=\"1084\"><\/p>\n<h3>Root privileges<\/h3>\n<p>These are the most dangerous permissions. 
By default, Android never grants these rights to apps, but some Trojans can\u00a0<a href=\"https:\/\/securelist.com\/blog\/mobile\/76081\/rooting-pokemons-in-google-play-store\/\" target=\"_blank\" rel=\"noopener\">exploit<\/a>\u00a0system vulnerabilities to get them. Once that happens, all other defenses become useless \u2014 the malware can use root privileges to do whatever it wants no matter which permissions the victim assigns or denies.<\/p>\n<p>It\u2019s noteworthy that even the new permission system (released in Android 6) does not fully protect against malware. For example, the\u00a0<a href=\"https:\/\/securelist.com\/blog\/mobile\/75971\/banking-trojan-gugi-evolves-to-bypass-android-6-protection\/\" target=\"_blank\" rel=\"noopener\">Gugi Trojan<\/a>\u00a0repeatedly bugs victims with window overlay permission requests until the permission is granted. After that, the malware overlays all other apps until it receives the other permissions it wants.<\/p>\n<h2>Conclusions<\/h2>\n<p>Apps should not be allowed to do whatever they want on your phone \u2014 especially if they want dangerous permissions for no reason.<\/p>\n<p>Some apps really do need a lot of rights, however. For example, antivirus programs need a lot of permissions to scan a system and proactively protect it from threats.<\/p>\n<p>The conclusion here is simple: Before granting certain rights, think about whether the app really needs them. If you\u2019re not sure, do some investigating online.<\/p>\n<p>Last but not least: Even the most vigilant users are not safe from malware exploiting system vulnerabilities. 
That\u2019s why it\u2019s important to manage your apps\u2019 permissions properly, which helps you protect your privacy from apps spying on you,\u00a0<em>and<\/em>\u00a0to install a\u00a0<a href=\"https:\/\/app.appsflyer.com\/com.kms.free?pid=smm&amp;c=ru_kdaily\" target=\"_blank\" rel=\"noopener nofollow\">reliable security solution<\/a>\u00a0that will defend your device against even more dangerous Trojans and viruses.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Updated October 9, 2018: Google has changed app permission settings in Android Oreo, adding a new group called \u201cSpecial app access.\u201d More details are available in \u201cApp permissions in 
Android<\/p>\n","protected":false},"author":292,"featured_media":5908,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1225,9],"tags":[613,105,1279,805,45,49,131],"class_list":{"0":"post-5907","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-privacy","9":"category-tips","10":"tag-advice-2","11":"tag-android","12":"tag-app-permissions","13":"tag-settings","14":"tag-smartphones","15":"tag-tablets","16":"tag-tips-2"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/android-permissions-guide\/5907\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/android-permissions-guide\/14453\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/android-permissions-guide\/4124\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/android-permissions-guide\/10796\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/android-permissions-guide\/8388\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/android-permissions-guide\/8921\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/android-permissions-guide\/10042\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/android-permissions-guide\/9793\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/android-permissions-guide\/14099\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/android-permissions-guide\/2956\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/android-permissions-guide\/14014\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/android-permissions-guide\/6702\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/android-permissions-guide\/6194\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/android-permissions-guide\/9743\/"},{"hreflang":"ja","url":
"https:\/\/blog.kaspersky.co.jp\/android-permissions-guide\/14490\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/android-permissions-guide\/14099\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/android-permissions-guide\/14014\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/android-permissions-guide\/14014\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/advice-2\/","name":"advice"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/292"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5907"}],"version-history":[{"count":4,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5907\/revisions"}],"predecessor-version":[{"id":12074,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5907\/revisions\/12074"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5908"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}