Android Q privacy: Changes to permissions

This document describes several changes to the permissions model. These changes serve to enhance user privacy.

The following changes affect all apps running on Android Q, even if they target Android 9 (API level 28) or lower.

Restricted access to screen contents

To protect users' screen contents, Android Q prevents silent access to the device's screen contents by changing the scope of the READ_FRAME_BUFFER, CAPTURE_VIDEO_OUTPUT, and CAPTURE_SECURE_VIDEO_OUTPUT permissions so that they're signature-access only.

Apps that need to access the device's screen contents should use the MediaProjection API, which displays a prompt asking the user to provide consent.

User-facing permission check on legacy apps

If your app targets Android 5.1 (API level 22) or lower, users see a permissions screen when running your app on Android Q for the first time, as shown in Figure 1. This screen gives users the opportunity to revoke access to permissions that the system previously granted to your app at install time.

Screen capture of dialog
Figure 1. User-facing dialog that allows review of legacy permissions

Physical activity recognition

Android Q introduces a new ACTIVITY_RECOGNITION runtime permission for apps that need to detect the user's movement, such as walking, biking, or in a vehicle. This is designed to give users visibility of how device sensor data is used in Settings.

If your app targets Android 9 (API level 28) or lower and specifies the permission in its manifest file, the system auto-grants this permission to your app if needed. However, the user can revoke this permission at any time in system settings.

Permission groups removed from UI

As of Android Q, apps cannot look up how permissions are grouped in the UI.