List of Android permissions normal permissions and dangerous permissions in API 23? [duplicate]

The Android permissions model – Tutorial

1. Security and permissions

1.1. Security concept in Android

The Android system installs every Android application with a unique user and group ID. Each application file is private to this generated user, e.g., other applications cannot access these files. In addition, each Android application is started in its own process.

Therefore, by means of the underlying Linux kernel, every Android application is isolated from other running applications.

If data should be shared, the application must do this explicitly via an Android component which handles the sharing of the data, e.g., via a service or a content provider.

1.2. Permission concept in Android

Android contains a permission system and predefined permissions for certain tasks. Every application can request required permissions. For example, an application may declare that it requires network access. It can also define new permissions.

System permissions have different levels, e.g., protection levels.

The permission concept has changed since API 23. Before API level 23 the user was asked during installation, after API level the user is asked during runtime.

An Android application declares the required permissions in its Android manifest. It can also define additional permissions which it can use to restrict access to certain components.

1.3. Workflow before API 23

Before API 23 the requested permissions are presented to the user before installing the application. The user needs to decide if these permissions shall be given to the application.

If the user denies a required permission, the related application cannot be installed. The check of the permission is only performed during installation. Permissions cannot be denied or granted after the installation.

1.4. Runtime permissions

Android 6.0 Marshmallow (API 23) introduced a new runtime permission model. If your application targets Android 6.0, you must use the new permissions model.

The two most important protection levels are normal and dangerous permissions:

Normal permissions are permissions which are deemed harmless for the users privacy or the operation of other applications. For example, the permission to set the time zone. Normal permission are automatically granted to the application. See Normal permissions for a complete list.

Dangerous permissions affect the users private information, or could potentially affect his data or the operation of other application. For example, the ability to read the users contact data. Dangerous permissions must be granted by the user at runtime to the app.

You can check, if you have the permission, via the checkSelfPermission method.

If the user is asked to grant the permission, you receive a call back.

Understanding Permissions in the Android World

Want to save this article for later?

Download as PDF

The official meaning of the word permission means allowing someone to do a particular thing – it is consent or authorization given to perform any kind of action. In the Android world, permissions follow the definition to the letter. Android apps are built to perform a set of actions, some of them requiring permissions from users.

In this blog post, I will help you understand the importance of permissions, how Android has classified its permissions, and how to ask permission from your users.

Before Android Marshmallow (Android 6.0 or API 23)

Unlike iOS, Android arrived to the app permissions party a bit late. Android Marshmallow (Android M) was released on October 5th, 2015. Before its release, all permissions required for the smooth working of the app were specified by the developer in the build submitted to Google Play Store, which would in turn notify a user that the app required a specific set of permissions before installing.

As with any approach, there were pros and cons. The upside was clear: all permissions were approved by the user at once and the app didn’t need to worry about asking and handling permissions while the user used the app.

The downside was pretty obvious as well: developers started adding permissions to collect data, which breached the privacy of the user. Since Google did not check whether the app actually required the mentioned permissions, and there was no option for the user to not provide certain permissions and still use the app, developers had a grand time gaining access to system information or the microphone without any restraint.

Runtime Permissions with Android Marshmallow

With the public release of Android Marshmallow, Google introduced runtime permissions for Android, thereby changing the landscape of permissions for the better.

Now the developer no longer got all permissions at app install. Instead, the developer would now have to request for the permission to perform something specific like use the camera to click a picture or access the user’s storage to save a file. Google also divided the set of permissions in Android into normal and dangerous permissions.

Normal permissions are those which do not pose a risk to the user’s privacy or the device’s operation. The system grants these permissions automatically. These include connecting to the internet, getting network, Bluetooth, wifi, and NFC information, setting alarms & wallpapers, and modifying audio settings on a device.

Dangerous permissions are permissions which could potentially affect the user’s privacy or the device’s operation. The user must explicitly agree to grant those permissions. These include accessing the camera, contacts, location, microphone, sensors, SMS, and storage.

The complete list of normal and dangerous permissions are available in the Android Documentation.

Permission Groups

Permission groups are similar permissions organized together based on features and device capabilities.

For example, the CONTACTS group has both READ_CONTACTS and WRITE_CONTACTS permissions. If your app doesn’t have any permission under the CONTACTS group and you request for READ_CONTACTS , the system shows the permission request dialog to ask the user to allow your app to read the contacts of the user and upon approval, the system grants the app access to your contacts list.

Since you’ve already requested for a dangerous permission under a permission group, the system won’t request for other permissions under that permission group.

Ask for Permission When Needed

Since requesting and granting permissions is now a runtime activity, the whole process not only becomes important for the developer but also for the user experience.

To standardize the process, permission dialogs are generated by Android and are not customizable. Keeping the user’s experience in mind, developers are advised to request for a permission only when required.

So if your app requires the camera to click a picture, the CAMERA permission should be asked for only when the user wishes to take a photo in your app.

Declaring Permissions Needed by Your App

On all Android versions, to declare the permission needed by your app, you need to add the element into your app manifest file like this:

Depending on whether the permission is normal or dangerous, the app will ask the user to grant access.

Requesting Permissions for Your App

If your app requires a dangerous permission, check whether your app has been granted access for the operation that requires the permission:

If the app has permission, then the method ContextCompat.checkSelfPermission(thisActivity, Manifest.permission.CAMERA) will return PERMISSION_GRANTED . Or if the permission has been denied, then the method returns PERMISSION_DENIED . If the app receives PERMISSION_DENIED , then the app should prompt the user to grant the permission in the following way:

Handling Permissions Granted to Your App

When the user responds to the permission request dialog, the system invokes the onRequestPermissionsResult() method passing the response of the user. You can handle the response of the user in the following way:

Concluding Thoughts

Runtime permissions have now proven to be very important from a user’s perspective. Apps can no longer sneakily access parts or features of the user’s device without the user’s explicit permission. In today’s age where user and data privacy are of utmost importance, runtime permissions in Android are a small but important initiative in that direction.

The Android permissions model – Tutorial

1. Security and permissions

1.1. Security concept in Android

The Android system installs every Android application with a unique user and group ID. Each application file is private to this generated user, e.g., other applications cannot access these files. In addition, each Android application is started in its own process.

Therefore, by means of the underlying Linux kernel, every Android application is isolated from other running applications.

If data should be shared, the application must do this explicitly via an Android component which handles the sharing of the data, e.g., via a service or a content provider.

1.2. Permission concept in Android

Android contains a permission system and predefined permissions for certain tasks. Every application can request required permissions. For example, an application may declare that it requires network access. It can also define new permissions.

System permissions have different levels, e.g., protection levels.

The permission concept has changed since API 23. Before API level 23 the user was asked during installation, after API level the user is asked during runtime.

An Android application declares the required permissions in its Android manifest. It can also define additional permissions which it can use to restrict access to certain components.

1.3. Workflow before API 23

Before API 23 the requested permissions are presented to the user before installing the application. The user needs to decide if these permissions shall be given to the application.

If the user denies a required permission, the related application cannot be installed. The check of the permission is only performed during installation. Permissions cannot be denied or granted after the installation.

1.4. Runtime permissions

Android 6.0 Marshmallow (API 23) introduced a new runtime permission model. If your application targets Android 6.0, you must use the new permissions model.

The two most important protection levels are normal and dangerous permissions:

Normal permissions are permissions which are deemed harmless for the users privacy or the operation of other applications. For example, the permission to set the time zone. Normal permission are automatically granted to the application. See Normal permissions for a complete list.

Dangerous permissions affect the users private information, or could potentially affect his data or the operation of other application. For example, the ability to read the users contact data. Dangerous permissions must be granted by the user at runtime to the app.

You can check, if you have the permission, via the checkSelfPermission method.

If the user is asked to grant the permission, you receive a call back.

Android Working with Marshmallow (M) Runtime Permissions

Android is a privilege separated operating system, i.e. each application in android is separated from another through a distinct id, and each application file / data is private to that application only. Each Android application is started in its own process thus are isolated from all other applications (even from system / default applications). As a result an Android application can’t access any file or data outside its scope until and unless the file or data is shared with the application.

So, the conclusion is that if an application needs anything outside its scope, then it should request for permission to the user. Android comes with a set of predefined permissions (System permissions) for certain tasks. Every application can request required permissions. For example, an application may declare that it requires network access. It can also define new permissions.

1. Permission Workflow before and from M (API 23)

Now the question arises how an application can request for or get permission? Or rather, what workflow the developer should follow to request and get permission for the app? Let us have a look. The permission model / workflow has been changed from API 23 – Android M.

> Permission Model before M (API 23): Before API 23, the permission model was simpler to the developer but offered less control and security to the user – requested permissions are presented to the user before installing the application. The user needs to decide whether to give these permissions to the application and install it or to deny as a whole and don’t install the application. Permissions cannot be denied or granted after the installation. Thus developers were required only to declare all needed permissions in the manifest and then just forget; if the app is running then it has all the requested permissions.

> Permission Model from M (API 23): With Android 6.0 Marshmallow (API 23), a new runtime permission model has been introduced. According to this model users are not prompted for permission at the time of installing the app, rather developers need to check for and request permission at runtime (i.e. before performing any action that may require the particular permission), users can then allow or deny the permission, users can also grant or revoke permission anytime from settings. Making the user experience very secure on an Android device. But inversely this feature imposes a great deal of effort on development. Therefore developers have to handle all the use cases. Thankfully, requesting Android runtime permissions, is not that difficult.

Note: According to Google, beginning with Android 6.0 (API level 23), users can revoke permissions from any app at any time, even if the app targets a lower API level. You should test your app to verify that it behaves properly when it’s missing a needed permission, regardless of what API level your app targets.

2. Permission levels

System permissions have different protection levels. The two most important protection levels are normal and dangerous permissions.

Normal Permissions: Those permissions which will have very little or zero effect on users privacy or security are categorized as normal permissions. The system itself grants normal permissions when requested instead of prompting to the user. Examples would be ACCESS_WIFI_STATE, WAKE_LOCK etc.

Dangerous Permissions: Those permissions which may have a greater effect on users privacy or security are categorized as dangerous permissions. Examples would be the ability to read the user’s contacts READ_CONTACTS. If an app requests a dangerous permission, the user has to explicitly grant the permission to the app.

Here is the detailed information about permissions and their groups.

So now let us start with creating a sample app.

3. Creating Android Project

1. Create a new project in Android Studio from File ⇒ New Project and fill the project details.

2. Open strings.xml and add the below string values.

3. Open build.gradle (app level) and make sure that you have set minSdkVersion and targetSdkVersion as we have to support the permissions model in lower versions also. I am keeping minSdkVersion to 17 and targetSdkVersion to 23.

3.1 Requesting Single Permission

4. Though we will request the permissions at runtime, we should add it to the Manifest also, so that the user will be prompted first time when going to use the permission, and then the system will remember user’s decision until user updates from the settings. We will start with the WRITE_EXTERNAL_STORAGE_PERMISSION. Add the storage permission to your AndroidManifest.xml just before the application tag.

5. Open the layout file of main activity (activity_main.xml) and add the below xml. This layout contains few buttons to test various permission scenarios.

The above layout generates a screen something like this.

6. Now open MainActivity.java and add the below code in FAB click event.

Explanation:

> We checked for permission with checkSelfPermission() Method to check if the app already has permission to write on external storage. If it has then continue to else part, otherwise go to next step.

> Here we used shouldShowRequestPermissionRationale() method to check if we should show the explanation for the permission or not, if this returns true then we showed an alert dialog with explanation, and on the positive button click we requested the permission. If shouldShowRequestPermissionRationale returns false then we requested permission straightforward.

> We have successfully requested permission so far. We just need to override the method onRequestPermissionsResult to receive the result. In that method first we checked the requested code with our declared constant requestCode == EXTERNAL_STORAGE_PERMISSION_CONSTANT then checked if length of grantResult is greater than 0, so that it contains the user’s decision, then we cheked if the value of 0 index of the grant result, if the value is equal to PackageManager.PERMISSION_GRANTED then it means that the user has authorised the permission and we can continue our work, otherwise in the else part we can again request for permission with explanation.

> Add SharedPreferences, think of a situation where the user has denied permission by checking “Never Ask Again”. In that scenario the shouldShowRequestPermissionRationale method will return false and requestPermissions method will do just nothing. So we need to remember whether we ave priorly requested for permission or not, even after the app restarts. For that purpose we will use SharedPreferences, we will use the permission string as the key and boolean true or false as value.

Below is the complete code of MainActivity.java

3.2 Requesting Multiple Permissions

Think of a scenario where you might need to ask for multiple permissions. For this, instead of requesting multiple permissions in multiple dialogs, we can prompt all the permissions in a single dialog where permissions will be scrolled through one after another. Now we’ll test this case by creating a new activity.

7. Create a new Activity and name it as MultiplePermissionsActivity.java. Open the layout file this activity (activity_multiple_permissions.xml) and add the below layout code.

8. Initialize btnLaunchMultiplePermission inside oncreate on MainActivity.java, and implement onClickListener to open MultiplePermissionsActivity on click.

9. Add the below permissions to AndroidManifest.xml file.

10. Open MultiplePermissionsActivity.java and modify the code as below.

What we’ve done here is that created and string array with required permissions. While checking for permissions, checked by all elements of the array. The only exception is in while checking with SharedPreferences, here we’ve checked with only the first string, the reason is that for storing shared preferences on string is enough and only one shared preference can tell us whether we’ve already requested for permissions or not (as we are requesting for all permissions in one go).

In the onRequestPermissionsResult() method we used a for loop to determine whether all permissions are granted or not. If a single permission is not granted then we will not proceed further.

3.3 Requesting Permission From Fragment

We will now move forward to requesting permission from Fragments. Now let us take a different approach. We will request for Phone State permission (we will actually do nothing with the permissions, we just ask for the permissions and will show the permission we’ve got).

11. Create a new Activity and name it as FragmentPermissionActivity.java. Fill the required details and check Use a Fragment.

12. Initialize btnLaunchPermissionFragment inside oncreate on MainActivity.java, and implement onClickListener to open FragmentPermissionActivity on click.

13. Add below permission to AndroidManifest.xml

14. Open PermissionsFragment.java and modify the code as below.

So everything here is almost same when you request for permission from fragment or activity, except for that you should not use ActivityCompat.requestPermissions when requesting from Fragment instead use the inbuilt method of fragment.

I hope this article gave you very good overview of Marshmallow permission model. Feel free to ask any queries / doubts in comments section below.

What’s Next?

Although this article explains very well about Runtime Permissions, it’s still very tedious task implementing permissions and its needs lot of code. If you want to quickly add runtime permissions, consider using Dexter library.

HackMag

Android 6.0 permissions in protection and attack

Everyday, new vulnerabilities are discovered in mobile devices that can be exploited by intruders. They can send an SMS to a pay-per-call number, they can collect and sell a large database of contact details, and they can also compromise a specific individual. Successful exploitation of a vulnerability requires that a whole range of conditions are met. There is another way, however! Provide the user with a really useful application (a game with birds), whose manifest contains a list of device information that we are interested in. In this article, we will look at ways of obtaining and saving important information from an Android device.

Android OS architecture is built in a way that allows apps to exchange different kinds of information. An app which works with maps requires location, while a voice recorder requires access to the microphone. So, it all seems clear and transparent.

We openly write the required data or features in the application manifest and receive them upon installation. Nobody is being deceives, everything is voluntary. However, the problem is that users are highly illiterate as far as information technology is concerned. Few people wonder why the voice recorder, for example, needs their location or access to SMS. The application clearly declares its intentions in the manifest, and it would be strange to expect it to act differently.

Before the now famous disclosure, I understood that the game with the angry birds on your device is an informant, as, in addition to everything else, it wants to read the device ID and call data. A simple question “Why do you need this data?” reveals the true intentions of its creators.

When installing the application, the user either has to let it do anything it wants, or not have the application at all. Not many people will browse the store for an app with similar functions but fewer requests (there might not even be anything similar), so the users quickly develop the habit of pressing “yes-yes-yes” to all questions. Let’s accept that it is easy to get used to this, as for many years of living offline, users have developed the reflex to automatically sign multipage agreements on the principle “well, everybody signs it, there can’t be anything wrong with it. Anyway, I don’t have a choice, either I sign here or I don’t get what I want.”

If we remove all the application’s permissions, the OS, in order to prevent the app crashing, can simply give it empty values. The application can be deceived by providing it with knowingly false information (position of the North Pole) or simple zeroes. For example, the application may request a list of contacts on the device and the developer presupposes in its architecture that it can be empty (a brand-new device). There is nothing suspicious here; the data is saved and the application has not crashed.

Such tricks were necessary before Android 6.0 Marshmallow. It boasts a new mechanism for working with permissions and allows permissions to be granted and revoked when the application is working. For reverse compatibility of old applications (i.e. the ones whose targetSdkVersion is less than 23), an old mechanism for requesting permissions during installation has remained functional. Updated applications should request permissions when they are working. We can look at the app permissions in the application’s settings and revoke access if we so wish.

Let’s look at how this works on a device running Android 6.0.

Let’s install the birds but revoke all their rights before the first launch.
When the rights are requested during installation from Google Play, we can see that the app’s targetSdkVersion is less than 23.

Request of rights during installation of birds from the market

The settings display tells us that the app creators have slightly more interest.

Android Tutorial Runtime Permissions (Android 6.0+ Permissions)

Go to page

Similar threads

Administrator

If the targetSdkVersion is lower than 23 then the standard permissions system will be used on all devices including Android 6+, however soon all Google Play apps will need to set the targetSdkVersion to 26+.

B4A v6.0 adds support for runtime permissions. The nice thing about runtime permissions is that the user is not asked for any permission when they install your application from Google Play. Instead they will be asked to approve “dangerous” permissions at runtime.

Luckily most permissions are not considered dangerous. You can see the list of permissions that are considered dangerous here: https://developer.android.com/guide/topics/permissions/overview.html#permission-groups

Requesting permissions at runtime

RuntimePermissions.CheckAndRequest is the key method.

The method (simplified) logic:

CheckAndRequest is not a blocking method. The program flow will continue and only later Activity_PermissionsResult will be raised.

The CheckAndRequest method can only be called from an Activity.
There is another method named Check that only tests whether the permission has already been approved or not. This method can be called from any module.
It might be tempting to first test whether there is a permission and only if there is no permission call CheckAndRequest. However it will just make the program flow more complicated as you will need to deal with all cases anyway.
As a general rule, you shouldn’t call RuntimePermissions.Check from an Activity. It will be simpler to always call CheckAndRequest.

Listing the permissions

Not many are aware to the fact that you can see the project permissions by clicking on the List Permissions button that is inside the Logs tab:

The dangerous permissions are marked with * (in B4A v6+).
You don’t need to ask for non-dangerous permissions.

This is the most common dangerous permission. It is added automatically when you use File.DirDefaultExternal or File.DirRootExternal.
However there is a simple workaround for this.

1. Use RuntimePermissions.GetSafeDirDefaultExternal(“”) instead of File.DirDefaultExternal. The parameter passed is an optional subfolder that will be created under the default folder.

2. Add this code to the manifest editor:

The explanation for this is that GetSafeDirDefaultExternal doesn’t require any permission on Android 4.4+ (API 19) and requires the WRITE_EXTERNAL_STORAGE on older versions. The code above adds the permission to older devices.

You only need to deal with WRITE_EXTERNAL_STORAGE at runtime if you need access to a folder other than the app’s default external folder.