App permissions help support user privacy by protecting access to the following:
- Restricted data, such as system state and a user's contact information.
- Restricted actions, such as connecting to a paired device and recording audio.
This page provides an overview of how Android permissions work, including a high-level workflow for using permissions, descriptions of the different types of permissions, and some best practices for using permissions in your app. Other pages explain how to evaluate whether your app needs to request permissions, declare permissions, request runtime permissions, and restrict how other apps can interact with your app's components.
To view a complete list of Android app permissions, visit the permissions API reference page.
To view some sample apps that demonstrate the permissions workflow, visit the Android permissions samples repository on GitHub.
Workflow for using permissions
If your app offers functionality that might require access to restricted data or restricted actions, determine whether you can get the information or perform the actions without needing to declare permissions. You can fulfill many use cases in your app, such as taking photos, pausing media playback, and displaying relevant ads, without needing to declare any permissions.
If you decide that your app must access restricted data or perform restricted actions to fulfill a use case, declare the appropriate permissions. Some permissions, known as install-time permissions, are automatically granted when your app is installed. Other permissions, known as runtime permissions, require your app to go a step further and request the permission at runtime.
Figure 1 illustrates the workflow for using app permissions:
Types of permissions
Android categorizes permissions into different types, including install-time permissions, runtime permissions, and special permissions. Each permission's type indicates the scope of restricted data that your app can access, and the scope of restricted actions that your app can perform, when the system grants your app that permission.
Install-time permissions give your app limited access to restricted data, and they allow your app to perform restricted actions that minimally affect the system or other apps. When you declare install-time permissions in your app, the system automatically grants your app the permissions when the user installs your app. An app store presents an install-time permission notice to the user when they view an app's details page, as shown in Figure 2.
Android includes several sub-types of install-time permissions, including normal permissions and signature permissions.
Normal permissions allow access to data and actions that extend beyond your app's sandbox. However, the data and actions present very little risk to the user's privacy and to the operation of other apps.
The system assigns the "normal" protection level to normal permissions, as shown on the permissions API reference page.
If your app declares a signature permission that another app has defined, and the two apps are signed with the same certificate, the system grants the permission to your app at install time. Otherwise, your app cannot be granted the permission.
The system assigns the "signature" protection level to signature permissions, as shown on the permissions API reference page.
Runtime permissions, also known as dangerous permissions, give your app additional access to restricted data, and they allow your app to perform restricted actions that more substantially affect the system and other apps. Therefore, you need to request runtime permissions in your app before you can access the restricted data or perform restricted actions. When your app requests a runtime permission, the system presents a runtime permission prompt, as shown in Figure 3.
Many runtime permissions access private user data, a special type of restricted data that includes potentially sensitive information. Examples of private user data include location and contact information.
The microphone and camera provide access to particularly sensitive information. Therefore, the system helps you explain why your app accesses this information.
The system assigns the "dangerous" protection level to runtime permissions, as shown on the permissions API reference page.
Special permissions correspond to particular app operations. Only the platform and OEMs can define special permissions. Additionally, the platform and OEMs usually define special permissions when they want to protect access to particularly powerful actions, such as drawing over other apps.
The Special app access page in system settings contains a set of user-toggleable operations. Many of these operations are implemented as special permissions.
Each special permission has its own implementation details. The instructions for using each special permission appear on the permissions API reference page. The system assigns the "appop" protection level to special permissions.
App permissions build upon system security features and help Android support the following goals related to user privacy:
- Control: The user has control over the data that they share with apps.
- Transparency: The user understands what data an app uses, and why the app accesses this data.
- Data minimization: An app accesses and uses only the data that's required for a specific task or action that the user invokes.
This section presents a set of core best practices for using permissions effectively in your app. For more details on how you can work with permissions on Android, visit the app permissions best practices page.
Request a minimal number of permissions
When the user requests a particular action in your app, your app should request only the permissions that it needs to complete that action. Depending on how you are using the permissions, there might be an alternative way to fulfill your app's use case without relying on access to sensitive information.
Associate runtime permissions with specific actions
Request permissions as late into the flow of your app's use cases as possible. For example, if your app allows users to send audio messages to others, wait until the user has navigated to the messaging screen and has pressed the Send audio message button. After the user presses the button, your app can then request access to the microphone.
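The runtime-permission workflow described above (declare the permission, then request it only when the user taps the "Send audio message" button), as an added example that is not code from the Android documentation or the samples repository. The layout and view ids (`R.layout.activity_messaging`, `R.id.send_audio_button`) and the `startRecording()` body are hypothetical; the APIs used (`registerForActivityResult`, `ActivityResultContracts.RequestPermission`, `ContextCompat.checkSelfPermission`, `ActivityCompat.shouldShowRequestPermissionRationale`) are standard AndroidX calls.

```kotlin
// Added example, not from the Android documentation: request RECORD_AUDIO only
// when the user taps the "Send audio message" button on the messaging screen.
// Assumes the manifest declares the permission:
//   <uses-permission android:name="android.permission.RECORD_AUDIO" />
import android.Manifest
import android.content.pm.PackageManager
import android.os.Bundle
import android.widget.Button
import android.widget.Toast
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

class MessagingActivity : AppCompatActivity() {
    private val mic = Manifest.permission.RECORD_AUDIO

    // Registered once; the callback receives the user's decision from the system prompt.
    private val requestMicrophone =
        registerForActivityResult(ActivityResultContracts.RequestPermission()) { granted ->
            if (granted) startRecording()
            // Degrade gracefully: the rest of the messaging screen keeps working without audio.
            else Toast.makeText(this, "Microphone unavailable; send a text message instead.",
                Toast.LENGTH_SHORT).show()
        }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_messaging)          // hypothetical layout
        findViewById<Button>(R.id.send_audio_button)         // hypothetical view id
            .setOnClickListener { onSendAudioMessage() }
    }

    // Called only from the button tap, so the prompt is tied to a user-initiated action.
    private fun onSendAudioMessage() {
        when {
            ContextCompat.checkSelfPermission(this, mic) == PackageManager.PERMISSION_GRANTED ->
                startRecording()
            // The user declined once before: explain why the microphone is needed, then ask again.
            ActivityCompat.shouldShowRequestPermissionRationale(this, mic) ->
                AlertDialog.Builder(this)
                    .setMessage("Audio messages need the microphone to record your voice.")
                    .setPositiveButton("Continue") { _, _ -> requestMicrophone.launch(mic) }
                    .setNegativeButton("Not now", null)
                    .show()
            else -> requestMicrophone.launch(mic)
        }
    }

    private fun startRecording() {
        // Recording logic is outside the scope of this example (hypothetical).
    }
}
```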
Consider your app's dependencies
When you include a library, you also inherit its permission requirements. Be aware of the permissions that each dependency requires, and what those permissions are used for.
When you make a permissions request, be clear about what you're accessing, and why, so users can make informed decisions.
Make system accesses explicit
When you access sensitive data or hardware, such as the camera or microphone, provide a continuous indication in your app if the system doesn't already provide these indicators. This reminder helps users understand exactly when your app accesses restricted data or performs restricted actions.
Permissions in system components
Permissions aren't only for requesting system functionality. Your app's system components can restrict which other apps can interact with your app, as described on the page about how to restrict interactions with other apps.
To learn more about app permissions on Android, consult the following additional resources:
- Android Permissions Samples Repository on GitHub