• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Android permissions explained, security tips, and avoiding malware

I've noticed this permission pop up a lot recently. I don't know if it's new or if I just never noticed it before.

  • System toolstest access to protected storage
    Allows the app to test a permission for USB storage that will be available on future devices.
Click to expand...


Is it legit?
 
I am not sure if this is the right forum but I will put my question here. I am looking for a list of all the Android permissions for each of the four protection levels. I would appreciate it if somone could point me to the right resource.

Regards
 
Hiya and welcome to android forums!

I couldn't find a thread here, but I did find an article explaining all of the permissions, it's in the hide/show tag since it's fairly long

This list was initially prepared by alostpacket who talks about android security in greater detail. The list is not definitive by any means and will be updated as and when it is needed.

Services that cost you money
 
What is the four protection levels you are talking about? i havent noticed those before.


on a side note, android has typically had a bad condition of lumping permissions together, which can hurt honest developers. fortunately, they have been doing a better job being more exact about what the application is asking to do lately.
 
winstonfitch said:
I am not sure if this is the right forum but I will put my question here. I am looking for a list of all the Android permissions for each of the four protection levels. I would appreciate it if somone could point me to the right resource.

Regards
Click to expand...

Hi winston, I've merged your thread in to the massive thread artaxerxes mentions. If you check the OP, you should find all the info you need.

If you're stuck with anything though, please ask! :)
 
out of ideas said:
What is the four protection levels you are talking about? i havent noticed those before.


on a side note, android has typically had a bad condition of lumping permissions together, which can hurt honest developers. fortunately, they have been doing a better job being more exact about what the application is asking to do lately.
Click to expand...


Protection levels denote what is required for an app to obtain a permission.

There are basically 3 levels, the first two being very similar.

Signature
- Only apps signed with the same key as the ROM will be granted these. For a regular app to get this it needs to be signed by the same key the ROM developer used to sign the ROM.

System
- Only System apps will be granted these, for an app to get this it would need root.

Dangerous
- All apps can request this. A user grants this kind of permission when installing. These are the kinds of permissions most commonly known to users and what most people are familiar with (e.g. FULL_INTERNET_ACCESS or READ_PHONE_STATE)


(The 4th type is just called signature_or_system and an app can be either one to request the permission)


Note this is off the top of my head and I haven't looked into permissions in awhile but hope to refresh some of this info soon :)


Almost all apps that come from Google Play will only be requesting permissions with the protection level of dangerous. Exceptions include root-requiring tools, Google apps, etc.

However, many regular apps may protect their OWN permission by using the system (or signature) protection level.

Say for instance I have an app that downloads RSS feeds. Well maybe I want them to be searchable by the system app Google Search.

What I do is write a custom permission and set the protection level to system. Then I can control which apps have access to my ContentProvider (content providers are ways of sharing info between apps).

Thus the RSS my app downloads is searchable by Google Search (because it is a system app) but not any normal, non-system apps.
 
I've checked my app permission, and almost all of it have medium till high dangerous level, even this android forum app. Is there anything else we can do to avoid this phissing? You know it's non sense if we uninstall every app that we need but do such a thing.

Regard
HMP
 
artaxerxes said:
So I've found a permission from the new update of the Maps app. It's called "Activity Recognition". Is this permission new? What does it entail?
Click to expand...

Sounds a bit like an unfortunately named custom permission for Maps.

i.e. Maps grants that permissions to other apps so they can request map data.

just a guess though, haven't looked at it yet.
 
Thanks for a great explaination.

I do not allow hardware controls that say "you give us permission to use the camera and/or audio, at any time, without your confirmation". To date I have found several of these.

I don't even allow the CHASE bank app because it wants to review my contacts.

Can you offer any suggestions on how not to allow or how to protect and still use these apps?

Even google play update asks for this permission.
I won't update google play!!

Thanks,
BNRusso

I have more time than money..........I hope!!
 
bnrusso said:
Thanks for a great explaination.

I do not allow hardware controls that say "you give us permission to use the camera and/or audio, at any time, without your confirmation". To date I have found several of these.

I don't even allow the CHASE bank app because it wants to review my contacts.

Can you offer any suggestions on how not to allow or how to protect and still use these apps?

Even google play update asks for this permission.
I won't update google play!!

Thanks,
BNRusso

I have more time than money..........I hope!!
Click to expand...

I wouldn't worry about Google Play, but I never trusted Chase even before smartphones :P

Google Play is pretty essential to update for the usability of your phone. Many apps make use of "Google Play Services" (my new, yet to be released app included)

Anyways, for more fine-grained permission control you will probably need to root. You might look into CyanogenMod as a ROM, or just check out Permission Denied (or similar apps) in the Play store.
 
alostpacket said:
I wouldn't worry about Google Play, but I never trusted Chase even before smartphones :P

Google Play is pretty essential to update for the usability of your phone. Many apps make use of "Google Play Services" (my new, yet to be released app included)

Anyways, for more fine-grained permission control you will probably need to root. You might look into CyanogenMod as a ROM, or just check out Permission Denied (or similar apps) in the Play store.
Click to expand...

My phone seeme to be working fine without the google play services update.
Please explain a bit more.
How is someone looking at my contacts CHASE, anywhere near as malicious as allowing google play service update or flashlight app to use my camera at anytime without my permission.
I don't understand. What am I missing?
Thanks again,
 
bnrusso said:
flashlight app to use my camera at anytime without my permission.
I don't understand. What am I missing?
Thanks again,
Click to expand...
The reason a flashlight app would need to access your camera is because the flash function is part of your camera app. (And to use that led as a flashlight the app needs to access the camera's functions...) :p
 
bnrusso said:
My phone seeme to be working fine without the google play services update.
Please explain a bit more.
How is someone looking at my contacts CHASE, anywhere near as malicious as allowing google play service update or flashlight app to use my camera at anytime without my permission.
I don't understand. What am I missing?
Thanks again,
Click to expand...


Indeed it's all about context. As Lordvincent 90 said, A camera app would need to turn on your LED light without turning on the camera, so that permission makes sense in the context of how that app should function.

However a Chase app has no legitimate reason (that I can think of) to know your contacts other than to spy* or advertise to you.

* (By spy I mean collect data for a credit rating or something similar)


Google Play (and Google Play Services) have legitimate need for your contacts for 2 reasons that I can think of:

1) I believe you can gift your contacts an app, book, or song, etc.

2) Google Play services probably helps all of Google's apps manage syncing your contacts. Gmail does this already, so it just a way for Google Voice, Google+, Google Maps, and others to handle integration with that.

I'm sure they collect some data regarding your contacts but I don't think it is very much. I think the primary goal here is to enable features across all of Google services.

I do encourage people to read Google's Privacy Policy when they get the chance though. It's good to know, and it isn't as scary as some people think.

Ultimately though, you need to decide what level of privacy works for you. If you find most Google apps work without updating the Play store or Google Play services, and that is what you want, then that is perfectly OK. :)

Hope that helps :santaclaus:



 
alostpacket said:
Indeed it's all about context. As Lordvincent 90 said, A camera app would need to turn on your LED light without turning on the camera, so that permission makes sense in the context of how that app should function.

However a Chase app has no legitimate reason (that I can think of) to know your contacts other than to spy* or advertise to you.
Click to expand...
I don't know the Chase app specifically (do they just do credit cards, or are they a bank, too?). If Chase is a bank, sometimes you can use the camera to scan in and deposit a check.
 
aysiu said:
I don't know the Chase app specifically (do they just do credit cards, or are they a bank, too?). If Chase is a bank, sometimes you can use the camera to scan in and deposit a check.
Click to expand...


Indeed you are correct, my bank app does this too. And it is an excellent feature. And the reason it need to capture without notice is that it uses a detection system to "see" the check.

But I think bnrusso was referring to Chase requesting contacts.
 
BaelRathLian said:
Phone calls
read phone status and identity

What is the story on this one? I was told it gives full access to the phone.
Click to expand...


AFAIK it's to indicate if there's a phone call in progress or not. Media player apps often have this permission, so that they know to stop playing when you're making or receiving a phone call.

There are other phone permissions that give much more access to the phone, such as call monitoring and recording.
 
I recently installed two permission blocker apps on my device to compare what each will list for apps on my device. I chose A.I.Type in this example.

The two apps revealed a different set of permissions. One app didn't not reveal that A.I.Type has 'record audio' permission while Permission Blocker (Rooted) listed this permission.

I used Permission Blocker to remove the "record audio" permission.

Question: Any ideas why two different permission blockers list a different set of data? - both with root access and says it can modify user-installed apk's.

Is there a way to really confirm if record audio has been blocked for A.I.Type (recompiled apk) - other than the app isn't crashing with this access removed? The second permission blocker doesn't show any changes made to the app.

pb2.jpg
 
You must log in or register to reply here.
Back
Top Bottom