
Intro

This guide aims to provide the basic info most people want to know about the security of their
phones, and about when to download, and when not to download, applications from the Play Store.
It's my hope that this will help people make more informed decisions and be safe about their
application usage, privacy, and data. It is my firm belief that Android is a fundamentally safe
platform. With some common sense, diligence, and the right knowledge of the potential threats,
users can rest assured and enjoy their devices more thoroughly.
While most of these tips will apply to any of the new app stores and markets now available for
Android, this guide is written specifically for Google's original Play Store.
Also, while this guide attempts to be as comprehensive as possible, there may be errors or
misjudgments, or just opinions that are subjective. Please read it with the idea in mind that it's just
a part of the information you may want to consider when downloading your apps.
Deciding what to download is ultimately up to you, and that's the most important thing you'll need
to remember.
______________________________
Note: As of 2/21/2010 I became an Android developer. I wanted to post this in the interest of full
disclosure. You can read more about me, or my apps (Listables and BlueMuze), on my site: Lost Packet Software
Printer friendly & downloadable PDF: Lost Packet Software
App version w/ permission search: PocketPermissions
______________________________

My site: http://alostpacket.com/
You can also contact me through the Play Store or my website with any thoughts you have on this
guide.

Background about Android


The first thing to understand about the security of your phone is a little about what makes it
tick. Android is built on the Linux kernel, and most applications you download from the Play Store
are written in Java.
This matters because it makes Android very unlikely to get a 'virus' in the traditional sense.
Linux protects the various parts of the system from one another, somewhat like the split between
administrator accounts and limited user accounts on Windows, and Android goes a step further: every
installed application runs under its own Linux user ID in its own sandbox, so by default it cannot
read another app's private data or touch protected parts of the phone. Anything outside that
sandbox (your contacts, SMS, the network, and so on) has to be requested as a permission, and you
grant the whole set when the app is installed. This is a very important point which we will
address a bit later. Also, due to some bad choices by Google, there are a few exceptions to this
rule that we'll talk about in the permissions section.
Nevertheless, while Android is very unlikely to get a 'virus', that does not mean you are
completely safe from 'malware', 'spyware', or other harmful types of programs.
Anti-virus
The efficacy of anti-virus apps on Android is a controversial subject on even the best of days.
Needless to say, there are some very differing opinions on the necessity of having anti-virus
software protecting your phone. Both sides of this debate have some credible and respectable
reasons for their choice, so I will try and present both sides as objectively as I can. In full
disclosure though, I personally do not use anti-virus on my phone. That's a personal choice I
made. Plenty of security experts whom I respect do choose to use anti-virus on their phones. So
ultimately this will be a choice that is yours alone to make and not something where you should
take cues from other people. That said, here are the pros and cons of each side as best as I know
them.
One thing to remember though, is that each side may have some irrational or sensational
arguments. These stem from either a sense of emotional justification or a vested interest in selling
software. Put simply, neither side of the debate is above bad arguments and unintentional or
intentional faulty logic.

Benefits
- Can detect threats that are already known and catalogued by the vendor
- May protect you from a future threat
- Often can have additional features for privacy and data protection
- May have features to protect your phone if it is lost or stolen
Drawbacks
- May waste system resources like battery and memory
- It's hard to protect from future/unknown threats
- Can potentially cause serious harm to the OS (very rare but not unheard of)
- May provide a false sense of security and encourage risky behavior

Types of Dangerous Programs


The most common threats from Android applications are:
1) When the app tricks the user into giving it permissions it does not need to do its job.
2) When the app hides malicious code behind legitimate permissions.
3) When the app tricks the user into entering in personal information or sensitive data (such as a
credit card number).
There are various ways malicious developers (also known as hackers or crackers) accomplish this.
We'll briefly define each kind just to have a common understanding of the terms.

Malware
Malware generally is an all-encompassing term used to describe any harmful program. This
includes spyware, viruses, and phishing scams. Sometimes the older term 'virus' is used in this
context, but malware is now considered more accurate.

Spyware
Spyware describes software or applications that read your information and data without your
knowledge and report it back to some unknown third party for nefarious purposes.
Oftentimes this includes keystroke loggers to steal passwords or credit card information. Some
people include certain types of Advertising tracking in this category (sometimes called Adware,
see below). However that's a much larger debate we wont cover here.

Phishing
Phishing and spyware are closely related. They work on a similar principle: tricking the user and
sending user information to a 3rd party to steal it. The difference with phishing however, is that
the application (or website) will pretend to be from a trusted source to try and 'trick' you into
entering in your details. Contrastingly, spyware would try to hide itself from being known to the
user. One way to think about the difference is that phishing is masquerading while spyware is
hiding, but the end goal of stealing your data is the same.
An example of this would be an app or website pretending to be affiliated with your bank or
Paypal, Samsung Pay or your email provider (Gmail, Hotmail, Yahoo, Yandex). However it can,
and does, include any service where someone might want to steal your identity or password.
There have been known successful phishing attacks related to at least one bank on Android.

Virus
The definition of virus used to be more all-encompassing. These days that term has been replaced
by malware. Virus is more typically used to describe a specific type of software that takes control
of your operating system and either damages it, or uses it for its own purposes. An example might
be when a virus sends emails to everyone in your email address book. Again this is the type of
program least likely to be a problem for Android.

Trojan Horse
A trojan horse is really just a specific type of virus. It merely refers to the idea that the app
pretends to be something useful or helpful or fun for the user while actually causing harm or
stealing data. This term is often used to describe spyware and phishing attacks as well.
Adware
Adware is typically a bit of a grey area. Sometimes this is also called nuisance-ware. This type of
application will often show the users an excessive amount of advertising in return for providing a
service of dubious quality to the user. However, this type of program can often be confused with
legitimate ad-supported software, which shows a mild to moderate amount of advertising while
providing a useful service that the user wants. Because it can be hard to tell the difference, there
exists a grey area from most anti-virus companies as to how to handle adware.

Warez
This is a term you'll sometimes hear referring to 'pirated' or unlicensed software. Often warez
forums and web sites will offer "free apps" or "apks" (Android Package files).
Don't be fooled by these sites, and do NOT download these files and load them to your phone.
These files are stolen from the real developers by unscrupulous people who have no regard for the
work put into apps by the developers, or the law. Oftentimes they will even try making money off
of the advertising on their "warez" forums. They are profiteers that do the entire
Android community a great disservice, and hurt the developers. Furthermore, this is very often the
most popular 'vector' (method) of attack that malware writers use. Some go as far as stealing apps
and putting them on the Google Play Store itself under different names.
If you are a user who cannot access the paid Google Play Store there are alternatives these days.
The most trustworthy markets (in my opinion) are the following:
- Android Market (Google Play Store)
- Amazon AppStore
- SlideMe
- Archos AppsLib
- AndAppStore (possibly)
- Verizon's Market (not sure if this is live yet)
- Motorola's Market (not sure if live or where, might be focused on Latin America)
Other than these markets, I would not advise anyone to download and install an app from
anywhere else.
However there are a few exceptions related to open source. These are places that independent
developers can upload free and/or open source apps. They don't guarantee your safety (nothing
does) but they are not warez sites and are much more likely to be safe.
Open source or free apps: (very likely safe, not warez)

- XDA Developers
- Googlecode (2012)
- GitHub

How to check Permissions


When you install an application the Google Play Store will tell you all of the permissions it needs
to function. These are important to read. Permissions can give you an idea if an application is
asking for more than it needs to function properly. While some legitimate apps often ask for more
permissions than they need, it should at least raise an eyebrow. Again this is just part of what you
should consider when deciding if an application is safe and good quality.
Note: in the latest version of the Google Play Store app on the phone, the permissions are only
shown after you click install. You will then be shown a screen with the list of permissions and an
"Accept and Download" button.
To see the permissions granted to an application after installation, follow these steps:
1) Go to your phone's settings.
2) Select "Applications" or "Manage Applications".
3) From there you should be able to get to an application's specific settings. You should see
buttons like "Clear data." To see the permissions you may need to scroll down a bit.

How to Protect Yourself


There are no foolproof ways to avoid all bad situations in the world. But any sane person with a
reasonable head on their shoulders knows that a few good habits can keep you safe for a long,
long time in whatever you do. Here are a few tips I have learned from many years as a professional
software developer and from reading many Android forums that have many people smarter and
more knowledgeable than I about Android.
Read the comments in the Play Store.
This should go without saying. Before you download any applications, be sure to read the
comments. Don't just read the first three either, click through and see what people are saying. This
can also help you understand how well an app works on your particular phone (and your particular
version of Android). Comments should also be read EVERY time you update an app.
It's also important to note that bad apps can sometimes "game" the comments and
ratings. There are some unsavory services that provide thousands of fake comments for apps and
they are probably more common than you think. See the section on
The Community for more on identifying these types of fake comments.
Check the Rating
Any app that fails to maintain above 4.0 stars is likely not worth your time. If you are brave
enough to be one of the first few to download an app, this does not apply to you. Nevertheless,
almost all good apps have between 3 and 5 stars. To me, this is just a general rule to help find
quality apps.
Check the permissions
There are many things an app can do to, and for, your phone. But anything an app can do is told to
you when you download and install it. Before you download and install an app, you will be shown
a list of permissions the application is requesting. Read them. Try your best to understand them in
terms of what the application is supposed to do for you. For example, if you download a game of
checkers, and the Market warns you that it wants to be able to read your contacts, you should think
twice and probably not download it. There is no sane reason a game of checkers needs to know
your friends' phone numbers.
In the Permissions section you can read a list of some of the most commonly used permissions.
The list explains how important they are, what they do, and notes some examples of apps that
might legitimately need the permission. This should help you get a basic understanding of what to
allow, and when to skip, an app.
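As an added, worked illustration of the check above (this script is not part of the original guide and is not anything Google ships), here is a small Python reviewer that reads an AndroidManifest.xml, adds the permissions Android grants implicitly to apps with a targetSdkVersion below 4, and lists every permission that does not fit the kind of app you think you are installing, with the risk rating from this guide's Permissions section next to it. The manifest for the "checkers" game is constructed for the example, and the per-category "expected" sets are illustrative assumptions, not a Google policy.

```python
"""Review an AndroidManifest.xml against the risk ratings in this guide.

Added example; not code from the original guide. The RISK table mirrors the
guide's Permissions section; EXPECTED is an illustrative assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree spelling of an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Risk levels as rated in the guide's Permissions section.
RISK = {
    "android.permission.CALL_PHONE": "HIGH",
    "android.permission.SEND_SMS": "HIGH",
    "android.permission.WRITE_EXTERNAL_STORAGE": "MEDIUM",
    "android.permission.READ_CONTACTS": "MEDIUM-HIGH",
    "android.permission.WRITE_CONTACTS": "MODERATE-HIGH",
    "android.permission.READ_CALENDAR": "MEDIUM",
    "android.permission.WRITE_CALENDAR": "MEDIUM",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "MEDIUM-HIGH",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "MODERATE-HIGH",
    "android.permission.READ_LOGS": "VERY-HIGH",
    "android.permission.WRITE_SETTINGS": "MEDIUM",
    "android.permission.READ_SYNC_SETTINGS": "LOW-MODERATE",
    "android.permission.RECEIVE_BOOT_COMPLETED": "MODERATE-HIGH",
    "android.permission.RESTART_PACKAGES": "HIGH",
    "android.permission.GET_TASKS": "MEDIUM-HIGH",
}
UNRATED = "UNRATED"

# Granted without being declared when targetSdkVersion < 4 (Android 1.5 and
# earlier); the install screen does not list them, so add them back in here.
IMPLIED_BELOW_DONUT = (
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
)

# Illustrative assumption: what each kind of app plausibly needs. Anything
# outside this set for the chosen category gets reported.
EXPECTED = {
    "game": {"android.permission.INTERNET",
             "android.permission.ACCESS_NETWORK_STATE",
             "android.permission.VIBRATE"},
    "sms_client": {"android.permission.SEND_SMS",
                   "android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS",
                   "android.permission.READ_CONTACTS"},
}


def effective_target_sdk(root):
    """targetSdkVersion as Android resolves it: falls back to minSdkVersion, then 1."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    raw = (sdk.get(android_attr("targetSdkVersion"))
           or sdk.get(android_attr("minSdkVersion")) or "1")
    return int(raw)


def effective_permissions(manifest_xml):
    """Declared <uses-permission> names plus anything granted implicitly."""
    root = ET.fromstring(manifest_xml)
    granted = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    granted.discard(None)
    if effective_target_sdk(root) < 4:
        granted.update(IMPLIED_BELOW_DONUT)
    return granted


def review(manifest_xml, category):
    """Return (permission, risk) pairs that the app category does not explain."""
    expected = EXPECTED.get(category, set())
    findings = []
    for perm in sorted(effective_permissions(manifest_xml)):
        if perm not in expected:
            findings.append((perm, RISK.get(perm, UNRATED)))
    return findings


# Constructed sample: a checkers game that asks for the contact list and
# targets API level 3, so it silently picks up the implied permissions too.
CHECKERS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.checkers">
    <uses-sdk android:minSdkVersion="3" android:targetSdkVersion="3" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application android:label="Checkers" />
</manifest>
"""

if __name__ == "__main__":
    for perm, risk in review(CHECKERS_MANIFEST, "game"):
        print("%-55s %s" % (perm, risk))
```

On the sample the checkers game is reported for READ_CONTACTS (the case the text describes) and also for WRITE_EXTERNAL_STORAGE and READ_PHONE_STATE, which it never declared but receives because it targets API level 3. To run the same checks against a real app, first get the manifest out of the APK (for instance `aapt dump permissions app.apk`, or decode it with apktool); the review logic is unchanged.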
Check the developer's website
Make sure the developer has a website and not just some blog. This is often a good indication of
quality as well as safety. If the developer cares about their app they will likely have a relatively
nice looking website (or, if they are open source, a site on Google Code or something similar).
Note: sites on Google Code are NOT verified or approved by Google. However, open source is
usually (but not always) more likely to indicate a safe application.
NOTE: This is not a definitive indicator of whether a developer is good or bad, just one more piece
of information you can use. There are a lot of exceptions to this particular rule, as a lot of good
developers might not have anything more than a blog, and a lot of bad developers could just point
to a nice looking site they have no affiliation with. However, the developer's website can be
helpful just as an extra piece of information you can use in making your decision about the
developer or app.
Updating applications is the same as installing them fresh
Each time you update an application on your phone, you should use the same diligence as if you
were installing it for the first time. Reread the permissions to see that it is only asking for what it
needs and no more. Reread the comments to see if anything has changed in the opinions of the
users and to see if it still works for your phone. If you see that an application says Update (manual)
next to it, that means the developer has changed the permissions that they are requesting. This is not
necessarily a bad thing -- but it should indicate that you should pay a bit closer attention to the
permissions and re-evaluate them as needed.

Privacy

Wi-Fi
One of the things to remember when trying to keep yourself safe is to be very careful with public
Wi-Fi. Whenever you connect to the internet through a public Wi-Fi, you should avoid signing in to
any website that requires a password. The danger is that you have no idea who is sitting between
you and the website: the access point, or anyone else on that network, can read or alter any traffic
that is not encrypted. A good analogy would be trying to mail a letter to your friend by handing it
to a stranger in the street. For more info read:
Man-in-the-middle attack
(Wikipedia). A site served over HTTPS resists this as long as the certificate checks out, but you get
no such visibility into apps: applications may be transmitting data about you in the background over
that Wi-Fi connection without encrypting it. This is also true of any application over any internet
connection, however. And while there are some good ways to secure your phone, I personally don't
use any public Wi-Fi at all. This may be seen as extreme in some circles, but I believe it to be the
safest route (although somewhat limiting).

SD Card (external memory)


There isn't much to say about SD cards except that all users should remember that they are not a
safe place to store personal information. This can be something as simple as a backup/export of
your contacts.
The reason the SD card is not safe is that, on the Android versions current when this guide was
written, external storage is world-readable: any application can read any file on the SD card
without asking for a permission at all (only writing to it requires one). Most personal info such
as contacts is stored internally in protected databases, so this shouldn't be a huge concern for
most people, but it's helpful to keep in mind.

GPS and Network location


There is a lot of information online and in various books about why letting yourself be tracked has
potential consequences. However, there are a lot of useful features that apps can provide with
location tracking information. You should treat location tracking with care and be sure to give it
only to parties your trust. Google Maps would be a great example of this.

Advertising and location tracking


There is a trade-off that some people will consider making with regards to location tracking. Some
advertisers would like to have location information on you in order to show you local
advertisements and coupons. In exchange, you get free use of an app such as a game. This is a
decision you will need to make for yourself. I personally would not make this trade off, but some
people very knowledgeable about security are very comfortable making it.

The community
If you are still unsure, ask around -- the community is your anti-virus
If you see an app you want, but it seems to be asking for more permissions than it should, or its
comments and ratings are mediocre, go ahead and ask around about the app. You will often find
dozens of people who know the answers and another whole bunch wishing to know the answers to
the same questions. Good places to ask include Android enthusiast web sites and forums.
I can't stress this point enough. This is the best part about Android. The community is usually the
first to identify any malware or dangerous programs, and is the best resource for finding quality
apps.

Beware the Sockpuppets, Shills, and Spammers


However, like anything, don't believe everything you read. Someone who comes into a forum
telling you an app is the "best" may be what's referred to as a sockpuppet or shill. I
tend to be wary of people with low post counts on forums, or who have unreasonably high praise
for what seems to be a simple app, or anyone using the word "best" in a forced
context.
Now these people are not all bad, some may just be excited, or not speak English as their first
language. But it's common for sockpuppets to use the term "best" to try and get better
search rankings on Google. Saying things like "Best Android App" or "Best GPS."
Other tell-tale signs include when a spammer mentions software for iPhone or other platforms
without any focus on Android in their post/comment. Another is when it seems like the post is just
out of context or overly general (think about how horoscopes are made for everyone to relate to
them). I often get spam on my blog that says things like "best blog post! love your writing
style, you put things in perspective for me" which makes no sense when my blog was about
my new app.
This is a fine line and very much a grey area. Sometimes it can be very hard to tell if someone is a
spammer. If you see a post or comment in the Play Store or on a forum that you suspect is spam,
report it to the website or Play Store, don't reply and start an argument.
These tips also apply to the comments about apps. There are sometimes people who are paid to
rate and comment about an app. The key to spotting this is again all about context. If an app has
not been on the market for very long and has thousands of great comments it should raise an
eyebrow. If the comments are all general like "best app" that is another good indicator.
Again it's hard to tell for sure, but you should always look with a skeptical eye at comments. It's
also to be expected that the developer themselves (and maybe a handful of friends) would rate an
app well, that's normal and not something to be concerned about. However, when you see an
overwhelming number of questionable comments, you should tread carefully.
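As an added example (not code from the original guide), the signals described above can be turned into a small Python heuristic. It scores each comment for generic praise that says nothing specific about the app and for off-platform chatter (iPhone and friends), and flags a listing whose first days consist of a burst of five-star comments that are all of that kind. The comments and dates are constructed for the example, and the word lists and thresholds are illustrative assumptions, so treat a flag as a reason to look closer, not a verdict.

```python
"""Heuristic sockpuppet check for app-store comments.

Added example, not part of the original guide. Word lists and thresholds are
illustrative assumptions.
"""
import re
from datetime import date

# Praise words that carry no information on their own ("best app!").
PRAISE = re.compile(r"\b(best|great|awesome|amazing|love)\b", re.I)
# Someone reviewing an Android app by talking about another platform.
OFF_PLATFORM = re.compile(r"\b(iphone|ipad|ios|blackberry|symbian)\b", re.I)
# Words that suggest the writer actually used the app: features, devices, problems.
SPECIFIC = re.compile(
    r"\b(crash|bug|battery|screen|rotat|theme|update|widget|nexus|galaxy|"
    r"droid|version|setting|sync|export|import|backup)\w*", re.I)


def review_signals(text):
    """Sockpuppet signals found in one comment (empty set means none)."""
    signals = set()
    # Short, all-praise, and nothing that shows the app was actually used.
    if PRAISE.search(text) and len(text.split()) <= 6 and not SPECIFIC.search(text):
        signals.add("generic_praise")
    if OFF_PLATFORM.search(text):
        signals.add("off_platform")
    return signals


def listing_signals(published, reviews, window_days=7, min_burst=5, burst_ratio=0.8):
    """Flag a young listing whose early five-star comments are mostly generic praise.

    reviews: iterable of dicts with "date" (datetime.date), "stars" (int), "text".
    """
    early = [r for r in reviews if (r["date"] - published).days <= window_days]
    early_five = [r for r in early if r["stars"] == 5]
    generic = [r for r in early_five if "generic_praise" in review_signals(r["text"])]
    burst = (len(early_five) >= min_burst
             and len(generic) / len(early_five) >= burst_ratio)
    return {
        "early_reviews": len(early),
        "early_five_star": len(early_five),
        "generic_five_star": len(generic),
        "burst": burst,
    }


# Constructed sample: a listing published 1 March 2012, five generic five-star
# comments within 48 hours, then two ordinary comments weeks later.
PUBLISHED = date(2012, 3, 1)
REVIEWS = [
    {"date": date(2012, 3, 2), "stars": 5, "text": "Best app!!"},
    {"date": date(2012, 3, 2), "stars": 5, "text": "best android app ever"},
    {"date": date(2012, 3, 3), "stars": 5, "text": "Great app, love it"},
    {"date": date(2012, 3, 3), "stars": 5, "text": "Awesome!! best GPS"},
    {"date": date(2012, 3, 3), "stars": 5, "text": "Amazing, also great on my iPhone"},
    {"date": date(2012, 3, 20), "stars": 2,
     "text": "Crashes on my Nexus S when I rotate the screen"},
    {"date": date(2012, 4, 2), "stars": 4,
     "text": "Works well, would love a dark theme in the next update"},
]

if __name__ == "__main__":
    for r in REVIEWS:
        print(r["stars"], sorted(review_signals(r["text"])), "-", r["text"])
    print(listing_signals(PUBLISHED, REVIEWS))
```

The two later comments, one negative and one positive, produce no signals at all: they mention a device, a feature and a problem, which is exactly the context the text says to look for. A genuine app can of course pick up a handful of short "great app" comments too, which is why the listing-level flag needs both a minimum count and a high ratio before it fires.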
Posting your own comments
After you have downloaded an app you can post your own comments. The comment will be
visible to all other Android users but it will only show your first name. To do this go into the Play
Store and press [menu] then [downloads]. You should see five empty stars at the top which you can
tap to rate the app. Once you have rated the app you should see an option to add a comment under
the stars.
Being a good user
While this guide is about security, I think it's important to point out how to be a good user too.
Android is a community and stems from open source and will only ever be as good as both its
developers and its users.
So, if an app is crashing on you, try emailing the developer before uninstalling and posting an
angry comment. Anything you post in the market will stay even if you have uninstalled the app,
and you could do serious harm to a developer's reputation if you post very negative comments.
If you think the developer just made a mistake, or didn't support your phone, work with them. If
they are unhelpful, then you can consider giving them a bad rating. This is especially true for free
apps in the market. Remember that you, as a user are not "entitled" to perfect free
apps. Most developers do not have Google's engineering and QA team backing them up and even
Google makes mistakes.
And while it's frustrating when things don't work, imagine how frustrating it is when you put long
hours into something but make a mistake -- and then because of that mistake you can never fix the
damage done by a rude commenter.
What does Google do to protect us?
Unfortunately at the moment, not a lot. They do police the market to a small extent and investigate
any reports of malware. On at least two occasions they identified several instances of
malware (called DroidDream) and remotely uninstalled the applications from users' phones. There
was also an instance of a phishing app that pretended to be from a particular bank and was
removed when discovered.
Nevertheless, the Google Play Store is not like the Apple App Store or Amazon AppStore: there is
no screening of applications before they are published. There are no draconian procedures or
lengthy approval processes that developers have to go through to publish applications. All that a
developer needs to do is 'digitally self sign' the application before posting it, that is, sign the
package with a key the developer generated themselves and that nobody checks against a real
identity. The signing key ties every update to the same developer and lets Google link any other
apps signed with that key once a developer is found to have ill intent, but it is only a way to
manage malware after it is discovered.
Permissions
When you install an application the Play Store will tell you all of the permissions it needs to
function. These are important to read as it can give you an idea if the application is asking for
permission to do more than it needs. While some legitimate apps often ask for more permission
than they need, it should at least raise an eyebrow when deciding if an application is safe and of
good quality.

Make phone calls


Services that cost you money
URI:
android.permission.CALL_PHONE
Risk: HIGH
Protection level: DANGEROUS
Official Description
Allows an application to initiate a phone call without going through the Dialer user interface for
the user to confirm the call being placed.
Details
This permission is of high importance. This could let an application call a 1-900 number and
charge you money. However, this is not as common a way to cheat people in today's world as it
used to be. Legitimate applications that use this include: Google Voice and Google Maps.
Another important point to note here is that any app can launch the phone screen and pre-fill a
number for you. However, in order to make the call, you would need to press [Send] or [Call]
yourself. The difference with this permission is that an app could make the entire process
automatic and hidden.

Send SMS or MMS


Services that cost you money
URI:
android.permission.SEND_SMS
Risk: HIGH
Protection level: DANGEROUS
Official Description
Allows an application to send SMS messages.
Details
This permission is of high importance. This could let an application send an SMS on your behalf,
and much like the phone call permission, it could cost you money by sending SMS to for-pay
numbers. Certain SMS numbers work much like 1-900 numbers and automatically charge your
phone company money when you send them an SMS.

Modify/delete SD card contents


Your personal information
URI:
android.permission.WRITE_EXTERNAL_STORAGE
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows an application to write to external storage
Details
This permission is of high importance. This will allow applications to read, write, and delete
anything stored on your phone's SD card. This includes pictures, videos, mp3s, documents and
even data written to your SD card by other applications. However, there are many legitimate uses
for this permission. Many people want their applications to store data on the SD card, and any
application that stores information on the SD card will need this permission. You will have to use
your own judgment and be cautious with this permission knowing it is very powerful but very,
very commonly used by legitimate applications. Applications that typically need this permission
include (but are not limited to) camera applications, audio/video applications, and document
applications.
WARNING: Any app whose targetSdkVersion is below 4 (that is, an app targeting Android 1.5 or
earlier; 1.6 is API level 4 and is not affected) is granted this permission, along with
READ_PHONE_STATE, automatically, and you may never be warned about it. It is important to pay
attention to what version of Android an app is targeting to know if this permission is being
granted. You can see this on the Google Play Store website in the right hand column.

Read Contacts
Development tools / Your personal info
URI:
android.permission.READ_CONTACTS
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to read the user's contacts data.
Details
This permission is of high importance. Unless an app explicitly states a specific feature that it
would use your contact list for, there isn't much of a reason to give an application this permission.
Legitimate exceptions include typing or note taking applications, quick-dial type applications and
possibly social networking apps. Some might require your contact information to help make
suggestions to you as you type. Typical applications that require this permission include: social
networking apps, typing/note taking apps, SMS replacement apps, contact management apps.

Write contact data


Development tools / Your personal info
URI:
android.permission.WRITE_CONTACTS
Risk: MODERATE-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to write (but not read) the user's contacts data.
Details
This permission is of high importance. Unless an app explicitly states a specific feature that it
would use your contact list for, there isn't much of a reason to give an application this permission.
Legitimate exceptions include typing or note taking applications, quick-dial type applications and
possibly social networking apps. Some might require your contact information to help make
suggestions to you as you type. Typical applications that require this permission include: social
networking apps, typing/note taking apps, SMS replacement apps, contact management apps.

Read calendar data


Development tools / Your personal info
URI:
android.permission.READ_CALENDAR
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows an application to read the user's calendar data.
Details
This permission is of moderate to high importance. While most people would consider their
calendar information slightly less important than their list of contacts and friends, this permission
should still be treated with care when allowing applications access. Additionally, it's good to keep
in mind that calendar events can, and often do contain contact information.

Write calendar data


Development tools / Your personal info
URI:
android.permission.WRITE_CALENDAR
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows an application to write (but not read) the user's calendar data.
Details
This permission is of moderate to high importance. While most people would consider their
calendar information slightly less important than their list of contacts and friends, this permission
should still be treated with care when allowing applications access. Additionally, it's good to keep
in mind that calendar events can, and often do contain contact information.

Read browser history & bookmarks


Development tools / Your personal info
URI:
com.android.browser.permission.READ_HISTORY_BOOKMARKS
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to read (but not write) the user's browsing history and bookmarks.
Details
This permission is of medium-high importance. Browsing habits are often tracked through regular
computers, but with this permission you'd be giving access to more than just browsing habits.
There are also legitimate uses for this permission such as apps that sync or backup your data, and
possibly certain social apps.

Write browser history & bookmarks


Development tools / Your personal info
URI:
com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
Risk: MODERATE-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to write (but not read) the user's browsing history and bookmarks.
Details
This permission is of medium-high importance. Browsing habits are often tracked through regular
computers, but with this permission you'd be giving access to more than just browsing habits.
There are also legitimate uses for this permission such as apps that sync or backup your data, and
possibly certain social apps.

Read sensitive logs


Development tools / Your personal info
URI:
android.permission.READ_LOGS
Risk: VERY-HIGH
Protection level: DEVELOPMENT
Official Description
Allows an application to read the low-level system log files.
Details
This permission is of high importance. This allows the application to read what any other
application has logged, and apps routinely log more than they should (URLs, account names, even
tokens). Note: beginning with Android 4.1 this permission is no longer granted to ordinary
third-party apps; on earlier versions it was, which is why it is listed here.

Modify global system settings


Hardware controls
URI:
android.permission.WRITE_SETTINGS
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows an application to read or write the system settings
Details
This permission is pretty important but only has the possibility of moderate impact. Global
settings are pretty much anything you would find under Android's main 'settings' window.
However, a lot of these settings may be perfectly reasonable for an application to change. Typical
applications that use this include: volume control widgets, notification widgets, settings widgets,
Wi-Fi utilities, or GPS utilities. Most apps needing this permission will fall under the "widget" or
"utility" categories/types.

Read sync settings


Hardware controls
URI:
android.permission.READ_SYNC_SETTINGS
Risk: LOW-MODERATE
Protection level: UNKNOWN
Official Description
Allows applications to read the sync settings
Details
This permission is of low to medium importance. It mostly allows the application to know if you
have background data sync (such as for Facebook or Gmail) turned on or off.
Automatically start at boot

Hardware controls
URI:
android.permission.RECEIVE_BOOT_COMPLETED
Risk: MODERATE-HIGH
Protection level: UNKNOWN
Official Description
Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the
system finishes booting.
Details
This permission is of low to moderate impact. It allows an application to tell Android to run
the application every time you start your phone. While not a danger in and of itself, it can point to
an application's intent: an app that starts itself at boot keeps running whether or not you ever
open it, which is exactly what background services, widgets and alarm apps need, but also what
adware and spyware want.

Restart other applications


Hardware controls
URI:
android.permission.RESTART_PACKAGES
Risk: HIGH
Protection level: UNKNOWN
Official Description
This constant is deprecated. The restartPackage(String) API is no longer supported.
Details
This permission is of low to moderate impact. Since Android 2.2 the underlying call behaves
like "Kill background processes" (below), so at most it lets an app end another application's
background process. Any app that is killed will likely get restarted by the Android OS itself.

Retrieve running applications


Hardware controls
URI:
android.permission.GET_TASKS
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to get information about the currently or recently running tasks: a thumbnail
representation of the tasks, what activities are running in it, etc.
Details
This permission is of moderate importance. It allows an application to find out what other
applications are running on your phone, including which app is currently in the foreground. While
not a danger in and of itself, that is a useful tool for someone trying to steal your data, for
example by drawing a fake screen on top of the app you are using (see "Display system-level
alerts" below). Typical legitimate applications that require this permission include task killers
and battery history widgets. Other than that, most apps should not need this permission.

Display system-level alerts


Hardware controls
URI:
android.permission.SYSTEM_ALERT_WINDOW
Risk: HIGH
Protection level: DANGEROUS
Official Description
Allows an application to open windows using the type TYPE_SYSTEM_ALERT, shown on top of
all other applications.
Details
This permission is of high importance. It allows an app to show a "popup" window above all
other apps, even if the app is not in the foreground. A malicious developer/advertiser could use it
to show very obnoxious advertising, or to draw a window that covers or imitates another app's
screen, such as a fake login prompt. Few apps need this permission; legitimate exceptions are
floating "chat head" style utilities, screen filters and parts of the Android operating system. An
example of a system alert is the warning shown when your phone or tablet is out of battery and
about to shut down.

Control vibrator
Development tools
URI:
android.permission.VIBRATE
Risk: LOW
Protection level: UNKNOWN
Official Description
Allows access to the vibrator
Details
This permission is of low importance. As it states, it lets an app control the vibrate function on
your phone. This includes for incoming calls and other events.

Take pictures and videos


Development tools
URI:
android.permission.CAMERA
Risk: MODERATE-HIGH
Protection level: DANGEROUS
Official Description
Required to be able to access the camera device.
Details
This permission is of moderate importance. As it states, it lets an app control the camera function
on your phone. In theory this could be used maliciously to snap unsuspecting photos, but it would
be unlikely and difficult to get a worthwhile picture or video. However, it is not impossible to
make malicious use of cameras.

Access location extra commands


Network Communication
URI:
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
Risk: MEDIUM-HIGH
Protection level: UNKNOWN
Official Description
Allows an application to access extra location provider commands
Details
By itself this permission does not give an app your location. It lets an app send extra commands
to a location provider, for example telling the GPS to clear or refresh its assistance data, which
GPS status and test utilities do. It is almost always requested alongside the real location
permissions, often by advertising and location-based or social-network services like Foursquare,
Twitter, Facebook or Google Places/Google+. Treat it as a sign that the app is location-aware and
apply the same caution and privacy implications as for the GPS location permission.

Access mock location


Network Communication
URI:
android.permission.ACCESS_MOCK_LOCATION
Risk: MODERATE
Protection level: DANGEROUS
Official Description
Allows an application to create mock location providers for testing
Details
This is a permission used for development of apps that make use of location based services. By
creating "mock" (fake) locations, developers can test whether their code behaves correctly at a
given location. It has one side effect worth knowing about: if you have turned on "Allow mock
locations" in the developer settings, an app with this permission can feed fake locations to every
other app on the device. Outside of development there is little reason for a released app to
request it.

Battery stats
Hardware controls
URI:
android.permission.BATTERY_STATS
Risk: LOW
Protection level: UNKNOWN
Official Description
Allows an application to collect battery statistics
Details
This permission is of little to no importance.
Bluetooth Admin
Your accounts
URI:
android.permission.BLUETOOTH_ADMIN
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows applications to discover and pair bluetooth devices
Details
Bluetooth (Wikipedia: http://en.wikipedia.org/wiki/Bluetooth ) is a technology that lets your
phone communicate wirelessly over short distances. It is similar to Wi-Fi in many ways. By itself
it is not a danger to your phone, but it does give an application a way to send and receive data
from other devices. Typical applications that would need Bluetooth access include sharing
applications, file transfer apps, and apps that connect to headsets or wireless speakers.

Broadcast Sticky (Intents)


Hardware controls
URI:
android.permission.BROADCAST_STICKY
Risk: LOW-MEDIUM
Protection level: UNKNOWN
Official Description
Allows an application to broadcast sticky intents. These are broadcasts whose data is held by the
system after being finished, so that clients can quickly retrieve that data without having to wait for
the next broadcast.
Details
This permission has to do with how applications "talk" to each other using a communication
method called "Intents". While highly technical, it is of relatively low importance, and there are
no known obvious malicious uses for it. One caveat: sticky broadcasts carry no security. Any app
can read the last value, and any app with this permission can overwrite or remove it, which is why
Android deprecated them in 5.0.

Change Configuration
Hardware controls
URI:
android.permission.CHANGE_CONFIGURATION
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to modify the current configuration, such as locale.
Details
This is a permission that generally should not be granted to regular apps. Other than changing the
locale (i.e. language), it is unclear what configuration changes this permission allows. As such, it
should be treated with considerable caution.

Clear app cache


Hardware controls
URI:
android.permission.CLEAR_APP_CACHE
Risk: LOW
Protection level: DANGEROUS
Official Description
Allows an application to clear the caches of all installed applications on the device.
Details
This permission is of low importance. It allows an app to clear the cache of apps on the phone or
tablet. The cache is a place that an app stores recently used data for faster access. Clearing the
cache can sometimes (very rarely) fix bugs related to those files. Clearing these files generally
presents no risk other than to slow the performance of the phone or tablet (as apps will need to re-
create the caches when used).

Disable Keyguard (lock screen)


(unknown category)
URI:
android.permission.DISABLE_KEYGUARD
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Official Description
Allows applications to disable the keyguard
Details
This permission is of medium-high importance. It allows an app to disable the "lock screen" that
most phones show after the screen has been off and is turned on again. This lock screen may be a
password screen, a PIN screen, or just a "slide to unlock" screen. Legitimate users are apps that
must show something the moment the screen wakes, such as an incoming-call or alarm screen.
Note that it cannot override a password policy set by a device administrator.

Expand status bar


Hardware controls
URI:
android.permission.EXPAND_STATUS_BAR
Risk: MEDIUM-HIGH
Protection level: UNKNOWN
Official Description
Allows an application to expand or collapse the status bar.
Details
This permission lets an app pull down (expand) or close (collapse) the notification shade. It is
available to regular apps, and some launchers and gesture utilities use it to open notifications
with a swipe. On its own it cannot read the notifications; the worst it can do is be a nuisance.

Flashlight
Development tools
URI:
android.permission.FLASHLIGHT
Risk: LOW
Protection level: UNKNOWN
Official Description
Allows access to the flashlight
Details
This allows apps to turn on or off the LED "flash" light used by the camera. This is a handy tool
but usually of no risk itself.

Get package size


Hardware controls
URI:
android.permission.GET_PACKAGE_SIZE
Risk: LOW-MODERATE
Protection level: UNKNOWN
Official Description
Allows an application to find out the space used by any package.
Details
This permission does not seem to have any risk associated with it.

Kill background processes


Hardware controls
URI:
android.permission.KILL_BACKGROUND_PROCESSES
Risk: HIGH
Protection level: UNKNOWN
Official Description
Allows an application to call killBackgroundProcesses(String).
Details
This permission is a bit of a tricky one. Often this is used by what are called "task killers". These
apps supposedly free system resources by closing apps running in the background. However the
usefulness of such apps is minimal at best. They can help close an app that is misbehaving,
however a user can already do that themselves through the Android settings under "Apps" or
"Manage Applications". Conversely this permission has some potential to maliciously close anti-
virus or other security related apps. As with anything I would treat this with caution. Few users
should ever need an app with this permission. Rather, it could be an indicator of malicious intent
(especially if not requested by a task killer or system performance tuning app).

Modify audio settings


Hardware controls
URI:
android.permission.MODIFY_AUDIO_SETTINGS
Risk: LOW
Protection level: DANGEROUS
Official Description
Allows an application to modify global audio settings
Details
This permission is of low importance. Audio settings pose little to no risk to the device.

Format file systems


Your personal information
URI:
android.permission.MOUNT_FORMAT_FILESYSTEMS
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows formatting file systems for removable storage.
Details
The primary danger with this permission is that it could be used to erase data from an SD card or
other similar storage in your phone. This is also not a permission any normal app should need.

Mount / Unmount file systems


Your personal information
URI:
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
Risk: MODERATE
Protection level: DANGEROUS
Official Description
Allows mounting and unmounting file systems for removable storage.
Details
Reading and writing files on an SD card only needs the storage permission; this one lets an app
mount and unmount the card itself, which file managers and USB-sharing utilities use. While not
a risk in itself, this is also not a permission any normal app should need.

NFC (Near Field Communication)


Your accounts
URI: android.permission.NFC
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows applications to perform I/O operations over NFC
Details
NFC stands for Near Field Communication. This is a technology like Bluetooth that enables short
range communication between two devices or the reading of NFC "tags". The distance over which
NFC works is only a few centimeters, so that devices (or a device and a tag) must effectively be
touching each other to communicate. Due to the distance, this technology is not particularly
dangerous. However it does present a small risk and it is something that should be used with caution.
For more info: http://en.wikipedia.org/wiki/Near_field_communication

Process outgoing calls


Your location
URI:
android.permission.PROCESS_OUTGOING_CALLS
Risk: VERY-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to monitor, modify, or abort outgoing calls.
Details
This permission is of very high importance. Beyond letting an app see which numbers you dial,
the official description is the key point: the app can modify or abort an outgoing call, that is,
silently redirect a call to a different number or block it. Generally this permission should only be
seen on apps for VOIP (Voice Over Internet Protocol) like Google Voice or dialer replacement
type apps.

Read sync stats


Hardware controls
URI:
android.permission.READ_SYNC_STATS
Risk: MODERATE
Protection level: UNKNOWN
Official Description
Allows applications to read the sync stats
Details
This permission is related to "Read sync settings" but not particularly dangerous itself. There is a
minor risk that some personal information could be gleaned from the sync stats, but the
information is unlikely to be valuable. Sync in this case relates to syncing of contacts and other
types of media on the phone.

Record audio
Development tools
URI:
android.permission.RECORD_AUDIO
Risk: MODERATE-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to record audio
Details
While this permission is not typically dangerous, it is a potential tool for eavesdropping. However
recording audio has legitimate uses such as note taking apps or voice search apps. As a side note
recording audio is typically a significant drain on the battery.

Set alarm
Hardware controls
URI:
android.permission.SET_ALARM
Risk: LOW
Protection level: UNKNOWN
Official Description
Allows an application to broadcast an Intent to set an alarm for the user.
Details
This permission is of low risk because it doesn't set the alarm directly. Rather, it asks the
phone's alarm app to open with the requested alarm, which you can then confirm or discard.

Set time zone


Hardware controls
URI:
android.permission.SET_TIME_ZONE
Risk: LOW
Protection level: DANGEROUS
Official Description
Allows applications to set the system time zone
Details
This permission poses little, if any, risk

Set wallpaper
Hardware controls
URI:
android.permission.SET_WALLPAPER
Risk: LOW
Protection level: UNKNOWN
Official Description
Allows applications to set the wallpaper
Details
This permission poses little, if any, risk

Subscribed feeds read


Development tools / Your personal info
URI:
android.permission.SUBSCRIBED_FEEDS_READ
Risk: MEDIUM
Protection level: UNKNOWN
Official Description
Allows an application to allow access the subscribed feeds ContentProvider.
Details
This would give an app access to the RSS feeds you have subscribed to. If you don't subscribe to
any RSS feeds this permission is of little risk. If you do, this permission is akin to letting an app
have access to your browser history. It could glean interests, preferences and other semi-personal
information.

Subscribed feeds write


Development tools / Your personal info
URI:
android.permission.SUBSCRIBED_FEEDS_WRITE
Risk: LOW-MEDIUM
Protection level: DANGEROUS
Official Description
(No developer documentation is available for this permission)
Details
This lets an app add to or change the RSS feeds you have subscribed to, rather than read them. If
you don't subscribe to any RSS feeds, this permission is of little risk. If you do, an app could add
feeds you never asked for; on its own it does not reveal what you subscribe to, which is what the
"Subscribed feeds read" permission above covers.

Use SIP
Your accounts
URI:
android.permission.USE_SIP
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to use SIP service
Details
SIP stands for Session Initiation Protocol. It is a technology mostly used for making video and
voice calls over the Internet. While not a major security risk it should be treated with almost as
much caution as the standard "make phone calls" permission.

Write secure settings


Hardware controls
URI:
android.permission.WRITE_SECURE_SETTINGS
Risk: VERY-HIGH
Protection level: DEVELOPMENT
Official Description
Allows an application to read or write the secure system settings.
Details
This permission should only be seen on Android system apps (and possibly wireless carriers or
hardware manufacturer pre-installed apps).
Write SMS

Services that cost you money


URI:
android.permission.WRITE_SMS
Risk: HIGH
Protection level: DANGEROUS
Official Description
Allows an application to write SMS messages.
Details
Despite the name, this permission does not send messages (that is "send SMS"). It gives write
access to the phone's SMS store, so an app can insert, edit or delete stored messages, including
deleting a message before you see it or planting one that appears to come from someone else.
That makes it handy for hiding activity, so be wary of it in anything that is not a messaging app.
Remember also that many kinds of malware lure users into sending SMS to special for-pay
numbers, costing them money.

Write sync settings


Your messages
URI:
android.permission.WRITE_SYNC_SETTINGS
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows applications to write the sync settings
Details
This permission relates to backup and sync of certain types of information like contacts. It
allows an app to write the settings for how an account and its data are synced and backed up. It is a
common permission for social services, contact managers or any other type of app with an
account associated with it. Alone, this permission doesn't give an app access to contacts or other
sensitive data; it only governs how that data is synced. Nevertheless, care should be taken as
always.

Read profile
Development tools / Your personal info
URI:
android.permission.READ_PROFILE
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to read the user's personal profile data.
Details
This is a new permission (Android 4.0) that relates to the special "Me" contact you can create in
your phone or tablet as your own profile. Whatever you put in that profile (name, phone numbers,
email addresses) is readable by an app with this permission.

Install Shortcut (Android Launcher)


Hardware controls
URI:
com.android.launcher.permission.INSTALL_SHORTCUT
Risk: MODERATE-HIGH
Protection level: UNKNOWN
Details
This is a custom permission for the default Android Launcher (the home screen). This permission
allows an app to put an icon or shortcut there. While not dangerous, this can sometimes be a
sign of a potentially malicious or adware app that drops shortcuts you never asked for. For more on
adware, see the guides section of PocketPermissions.

Read external storage


Your personal information
URI:
android.permission.READ_EXTERNAL_STORAGE
Risk: LOW
Protection level: UNKNOWN
Official Description
Allows an application to read from external storage.
Details
This permission was added in Android 4.1 and is not enforced by default, so in practice every app
can already read the SD card with or without it. Treat anything stored on external storage (photos,
downloads, app backups) as readable by every installed app.

Read SMS
System tools
URI:
android.permission.READ_SMS
Risk: MODERATE-HIGH
Protection level: DANGEROUS
Details
This permission is mostly a privacy concern. It lets an app read the messages already stored on
the phone (contrast with "Receive SMS", which sees them as they arrive), and any app that can read
your SMS messages could gather a lot of information about you. However there are quite a few
legitimate reasons an app may request this. Some apps are simply "SMS replacement" apps (such
as Handcent) and would naturally need this permission to function. Other apps use it as a way of
receiving a special code on your device: a paid app may unlock its full version when a code
arrives, or a security app may listen for a special shutdown code in case your phone is stolen.

Write call log


Your location
URI:
android.permission.WRITE_CALL_LOG
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Details
This permission lets an app add, edit or delete call log entries. It is not much of a danger by
itself, but it could be used to cover other malicious behavior, such as removing the record of calls
the app placed. It has a legitimate purpose for dialer replacements or voice over IP apps (like
Google Voice).

Write profile
Development tools / Your personal info
URI:
android.permission.WRITE_PROFILE
Risk: MODERATE-HIGH
Protection level: DANGEROUS
Details
This is a new permission (Android 4.0) that relates to the special "Me" contact you can create in
your phone or tablet as your own profile. It lets an app change what that profile contains.

Read social stream


Development tools / Your personal info
URI:
android.permission.READ_SOCIAL_STREAM
Risk: HIGH
Protection level: DANGEROUS
Details
This permission is very important. It is a new permission introduced with Android 4.0 (Ice Cream
Sandwich). It allows an app to read updates from social networking apps like Google+, Twitter,
and Facebook. By granting this permission you are giving an app the ability to read not only your
information, but any updates posted by people in your social circles.

Add voicemail
System tools
URI:
com.android.voicemail.permission.ADD_VOICEMAIL
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Details
This seems to be a new permission related to Android's new centralized voicemail system. It
would be an unusual means for an app to use this permission maliciously. However few apps
should need it and, as always, it should be treated with caution.

Authenticate Accounts
Your messages
URI:
android.permission.AUTHENTICATE_ACCOUNTS
Risk: VERY-HIGH
Protection level: DANGEROUS
Details
This permission is of high importance. It allows an app to act as an account authenticator: to
register its own type of account in Android's Account Manager (the way Google, Facebook or
Twitter accounts appear under the phone's account settings) and to manage the credentials and
sign-in tokens stored for accounts of that type. This permission is closely related to the Account
Manager permission, and both are typically requested together. While this doesn't directly give an
app access to your personal information or the passwords of other accounts, it does present a
security risk for phishing (tricking the user into revealing their password). For more on phishing,
see the Guides section of PocketPermissions.
Read email attachments
Development tools / Your personal info
URI:
com.android.email.permission.READ_ATTACHMENT
Risk: HIGH
Protection level: DANGEROUS
Details
This is a custom permission for the default Android email app (i.e. not Gmail). This permission
should be treated with great caution. Many email attachments contain highly sensitive and
personal or financial information.

Read user dictionary


Development tools / Your personal info
URI:
android.permission.READ_USER_DICTIONARY
Risk: LOW
Protection level: DANGEROUS
Official Description
Allows an application to read the user dictionary.
Details
This would allow an app to read words added to your custom dictionary. Oftentimes this is
abbreviations like "brb" that you might add for typing text messages. Unless you save personal
information in your dictionary, this permission is of almost no risk.

Write user dictionary


Hardware controls
URI:
android.permission.WRITE_USER_DICTIONARY
Risk: LOW
Protection level: UNKNOWN
Official Description
Allows an application to write to the user dictionary.
Details
This allows an app to add custom words to your user dictionary. For example, the common
acronym "brb" for "be right back".

Receive SMS
System tools
URI:
android.permission.RECEIVE_SMS
Risk: HIGH
Protection level: DANGEROUS
Official Description
Allows an application to monitor incoming SMS messages, to record or perform processing on
them.
Details
This permission is mostly a privacy concern. Unlike "Read SMS", it sees messages as they arrive,
so an app can act on them before your messaging app does; on versions before Android 4.4 a
receiver with a high enough priority can even stop the message from reaching the messaging app
at all. Any app that can see your SMS messages could gather a lot of information about you.
However there are quite a few legitimate reasons an app may request this. Some apps are simply
"SMS replacement" apps (such as Handcent) and would naturally need this permission to function.
Other apps use it as a way of receiving a special code on your device: a paid app may unlock its
full version when a code arrives, or a security app may listen for a special shutdown code in case
your phone is stolen.

Receive MMS
System tools
URI:
android.permission.RECEIVE_MMS
Risk: HIGH
Protection level: DANGEROUS
Official Description
Allows an application to monitor incoming MMS messages, to record or perform processing on
them.
Details
This permission is mostly a privacy concern. Any app that can read your MMS messages could
gather a lot of information about you. However there are quite a few legitimate reasons an app
may request this. Some apps are simply "SMS/MMS replacement" apps (such as Handcent) and
would naturally need this permission to function.
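
The entries above describe several permissions that are individually explainable but add up to something else when they appear together: "Receive SMS" with "Write SMS" (see and then hide messages), "Automatically start at boot" with "Display system-level alerts" and "Retrieve running applications" (persist, learn which app is in front, draw over it), and "Process outgoing calls" with "Write call log" (redirect a call, then erase the record). The script below is an added example, not part of this guide or of PocketPermissions; it pulls the requested permissions out of a decoded AndroidManifest.xml or out of the text that `aapt dump permissions app.apk` prints, then reports the system-only requests and the combinations just listed. The combination rules are my own heuristics drawn from the entry descriptions, not an official Google list, and the sample manifest is constructed for the example.

```python
"""Permission triage for an APK: added example, not part of the original guide
or of PocketPermissions. The combination rules are heuristics assembled from
the guide's entry descriptions (an assumption of this example), not an
official Android or Google Play list."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Guide entries whose details say "should only be seen on Android system apps".
SYSTEM_ONLY = {
    "android.permission.WRITE_SECURE_SETTINGS",
    "android.permission.ADD_SYSTEM_SERVICE",
    "android.permission.READ_LOGS",
}

# Heuristic combinations: (finding name, permissions that must all be present, why it matters).
COMBOS = [
    ("sms-intercept",
     {"android.permission.RECEIVE_SMS", "android.permission.WRITE_SMS"},
     "sees incoming SMS and can alter or delete the stored copy"),
    ("overlay-persistence",
     {"android.permission.RECEIVE_BOOT_COMPLETED",
      "android.permission.SYSTEM_ALERT_WINDOW",
      "android.permission.GET_TASKS"},
     "starts at boot, learns which app is in front and can draw over it"),
    ("call-tamper",
     {"android.permission.PROCESS_OUTGOING_CALLS",
      "android.permission.WRITE_CALL_LOG"},
     "can redirect or abort outgoing calls and edit the call log afterwards"),
]

# Matches both `uses-permission: name='X'` (current aapt) and `uses-permission:'X'` (older aapt).
AAPT_LINE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'", re.MULTILINE)


def permissions_from_manifest(xml_text):
    """Return the set of android:name values of <uses-permission> elements."""
    root = ET.fromstring(xml_text)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def permissions_from_aapt(dump_text):
    """Return the permission names from `aapt dump permissions` / `aapt dump badging` output."""
    return set(AAPT_LINE.findall(dump_text))


def triage(permissions):
    """Return (finding, permissions involved, explanation) tuples, system-only requests first."""
    findings = []
    for name in sorted(permissions & SYSTEM_ONLY):
        findings.append(("system-only", name,
                         "should only be requested by system, carrier or OEM apps"))
    for finding, needed, why in COMBOS:
        if needed <= permissions:
            findings.append((finding, ", ".join(sorted(needed)), why))
    return findings


# Constructed sample input: a "flashlight" app whose manifest asks for far more
# than a flashlight needs. Not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
</manifest>
"""

# The same app as `aapt dump permissions` prints it (constructed; mixes both aapt styles).
SAMPLE_AAPT = """package: com.example.flashlight
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.CAMERA'
uses-permission:'android.permission.RECEIVE_SMS'
uses-permission:'android.permission.WRITE_SMS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.GET_TASKS'
uses-permission: name='android.permission.READ_LOGS'
"""

if __name__ == "__main__":
    for finding, involved, why in triage(permissions_from_manifest(SAMPLE_MANIFEST)):
        print("%-20s %s\n%21s%s" % (finding, involved, "", why))
```

Run it against a real app by decoding the APK's manifest (for example with apktool) or by feeding it the output of `aapt dump permissions`; a clean flashlight app yields no findings, while the constructed sample above trips the system-only check (READ_LOGS), the SMS interception rule and the overlay-persistence rule. The rules are deliberately conservative: a permission on its own is never flagged unless the guide says it belongs only to system apps.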

Install DRM
Hardware controls
URI:
android.permission.INSTALL_DRM
Risk: MODERATE-HIGH
Protection level: UNKNOWN
Details
DRM stands for Digital Rights Management. Typically this permission is not particularly
dangerous itself. However, it is a permission related to controlling access to media such as books,
audio, video, and more. Because its purpose is to control access, I would be especially careful
installing any app requesting it. More info:
http://en.wikipedia.org/wiki/Digital_rights_management

Add system service


Hardware controls
URI:
android.permission.ADD_SYSTEM_SERVICE
Risk: CRITICAL
Protection level: UNKNOWN
Details
This permission should only be given to Android System apps (and possibly to wireless carrier or
hardware manufacturer pre-installed apps)

Access WiMax State


Your accounts
URI:
android.permission.ACCESS_WIMAX_STATE
Risk: LOW-MODERATE
Protection level: UNKNOWN
Details
WiMax is a technology developed for "4G" data and internet speeds on mobile devices. This
permission allows an app to see if it is currently connected to a wireless network that uses WiMax.
There is no significant risk associated with this permission.

Change WiMax state


Your accounts
URI:
android.permission.CHANGE_WIMAX_STATE
Risk: MODERATE
Protection level: DANGEROUS
Details
This permission allows an app to turn the WiMax radio on or off. WiMax is a type of "4G"
wireless connection like LTE, so this permission essentially allows an app to turn 4G on or off.

Read instant messages (IM)


Development tools / Your personal info
URI:
com.android.providers.im.permission.READ_ONLY
Risk: HIGH
Protection level: UNKNOWN
Details
This is a permission related to reading instant messages, such as those on Google Talk.
RECEIVE
(unknown group)
URI:
com.google.android.c2dm.permission.RECEIVE
Risk: LOW
Protection level: UNKNOWN
Details
C2DM stands for Cloud to Device Messaging. This is a push notification technology that is being
phased out in favor of a similar technology called GCM (Google Cloud Messaging). It lets the
app receive messages its developer pushes to your device. This permission is of little to no risk.

In-app billing
Services that cost you money
URI:
com.android.vending.BILLING
Risk: CRITICAL
Protection level: UNKNOWN
Details
This permission is of very high importance. This allows an application to directly bill you for
services through Google Play. Users will be required to confirm any purchase made however this
is potentially costly. Users should beware of games and other free apps with in-app billing.
