Google I/O 2015—Android M Permissions: Best Practices for Developers
Android is a privilege-separated operating system, in which each app runs with a distinct system identity (Linux user ID and group ID). Parts of the system are also separated into distinct identities. Linux thereby isolates apps from each other and from the system.
Because each Android app operates in a process sandbox, apps must explicitly request access to resources and data outside their sandbox. They request this access by declaring the permissions they need for additional capabilities not provided by the basic sandbox. Depending on how sensitive the area is, the system may grant the permission automatically, or may prompt the user to approve or reject the request.
This page describes how apps can request standard system permissions. The following document, Defining Permissions, describes how apps can define their own permissions, so they can securely share their data and capabilities with other apps.
A basic Android app has no permissions associated with it by default,
meaning it cannot do anything that would adversely impact the user experience
or any data on the device. To make use of protected features of the device,
you must include one or more
tags in your app
For example, an app that needs to monitor incoming SMS messages would specify:
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.RECEIVE_SMS" /> ... </manifest>
For more information about the different protection levels for permissions, see Normal and Dangerous Permissions.
If your app lists normal permissions in its manifest (that is, permissions that don't pose much risk to the user's privacy or the device's operation), the system automatically grants those permissions. If your app lists dangerous permissions in its manifest (that is, permissions that could potentially affect the user's privacy or the device's normal operation), the system asks the user to explicitly grant those permissions. The way Android makes the requests depends on the system version, and the system version targeted by your app:
- If the device is running Android 6.0 (API level 23) or higher,
and the app's
targetSdkVersionis 23 or higher, the app requests permissions from the user at run-time. The user can revoke the permissions at any time, so the app needs to check whether it has the permissions every time it runs. For more information about requesting permissions in your app, see the Working with System Permissions training guide.
- If the device is running Android 5.1 (API level 22) or lower, or
targetSdkVersionis 22 or lower, the system asks the user to grant the permissions when the user installs the app. If you add a new permission to an updated version of the app, the system asks the user to grant that permission when the user updates the app. Once the user installs the app, the only way they can revoke the permission is by uninstalling the app.
Often times a permission failure will result in a
SecurityException being thrown back to the app. However,
this is not guaranteed to occur everywhere. For example, the
sendBroadcast(Intent) method checks permissions as data is
being delivered to each receiver, after the method call has returned, so you
will not receive an exception if there are permission failures. In almost all
cases, however, a permission failure will be printed to the system log.
The permissions provided by the Android system can be found at
Manifest.permission. Any app may also define and enforce its
own permissions, so this is not a comprehensive list of all possible
A particular permission may be enforced at a number of places during your program's operation:
- At the time of a call into the system, to prevent an app from executing certain functions.
- When starting an activity, to prevent apps from launching activities of other apps.
- Both sending and receiving broadcasts, to control who can receive your broadcast or who can send a broadcast to you.
- When accessing and operating on a content provider.
- Binding to or starting a service.
Automatic permission adjustments
new restrictions may be added to the platform such that, in order
to use certain APIs, your app must request a permission that it previously did not need.
Because existing apps assume access to those APIs is freely available,
Android may apply the new permission request to the app's manifest to avoid
breaking the app on the new platform version.
Android makes the decision as to whether an app might need the permission based on
the value provided for the
attribute. If the value is lower than the version in which the permission was added, then
Android adds the permission.
For example, the
WRITE_EXTERNAL_STORAGE permission was
added in API level 4 to restrict access to the shared storage space. If your
is 3 or lower, this permission is added to your app on newer versions of Android.
Caution: If a permission is automatically added to your app, your app listing on Google Play lists these additional permissions even though your app might not actually require them.
To avoid this and remove the default permissions you don't need, always update your
to be as high as possible. You can see which permissions were added with each release in the