Dangerous Android Permissions To Look Out For In Your Apps

Android permissions: How can I learn which are dangerous vs normal?

Android defines a set of permissions that third-party apps can request. Permissions are categorized by sensitivity; most permissions are either “normal” or “dangerous”. Normal permissions are granted automatically, without prompting the user; dangerous permissions are presented to the user when the app is installed and the user is asked to consent to granting them.

Question: For any particular Android permission I have in mind, how can I tell whether it is a normal permission or a dangerous permission? Is there a list of dangerous permissions and a list of normal permissions?

(I know that third-party apps can declare their own permissions. I’m only asking about standard permissions. I know it may not be possible to get a 100%-complete list. I’m only looking for best-effort; something is better than nothing.)

For a related but different question, see also Where can I get a list of Android permissions (however, that’s a different question; it doesn’t at the normal vs dangerous distinction, and I don’t necessarily need a complete list).

asked Sep 7, 2011 at 19:51

7 Answers

For more simplicity, below is the list of Normal permissions taken from the official docs:

As of API level 23, the following permissions are classified as PROTECTION_NORMAL:

  • ACCESS_LOCATION_EXTRA_COMMANDS
  • ACCESS_NETWORK_STATE
  • ACCESS_NOTIFICATION_POLICY
  • ACCESS_WIFI_STATE
  • BLUETOOTH
  • BLUETOOTH_ADMIN
  • BROADCAST_STICKY
  • CHANGE_NETWORK_STATE
  • CHANGE_WIFI_MULTICAST_STATE
  • CHANGE_WIFI_STATE
  • DISABLE_KEYGUARD
  • EXPAND_STATUS_BAR
  • FLASHLIGHT
  • GET_PACKAGE_SIZE
  • INTERNET
  • KILL_BACKGROUND_PROCESSES
  • MODIFY_AUDIO_SETTINGS
  • NFC
  • READ_SYNC_SETTINGS
  • READ_SYNC_STATS
  • RECEIVE_BOOT_COMPLETED
  • REORDER_TASKS
  • REQUEST_INSTALL_PACKAGES
  • SET_TIME_ZONE
  • SET_WALLPAPER
  • SET_WALLPAPER_HINTS
  • TRANSMIT_IR
  • USE_FINGERPRINT
  • VIBRATE
  • WAKE_LOCK
  • WRITE_SYNC_SETTINGS
  • SET_ALARM
  • INSTALL_SHORTCUT
  • UNINSTALL_SHORTCUT

  • CALENDAR: READ_CALENDAR, WRITE_CALENDAR
  • CAMERA: CAMERA
  • CONTACTS: READ_CONTACTS, WRITE_CONTACTS, GET_ACCOUNTS
  • LOCATION: ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION
  • MICROPHONE: RECORD_AUDIO
  • PHONE: READ_PHONE_STATE, CALL_PHONE, READ_CALL_LOG, WRITE_CALL_LOG, ADD_VOICEMAIL, USE_SIP, PROCESS_OUTGOING_CALLS
  • SENSORS: BODY_SENSORS
  • SMS: SEND_SMS, RECEIVE_SMS, READ_SMS, RECEIVE_WAP_PUSH, RECEIVE_MMS
  • STORAGE: READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE

answered Oct 7, 2015 at 12:40

“Normal permissions are granted automatically, without prompting the user”

AFAIK, the documentation is wrong here.

“dangerous permissions are presented to the user when the app is installed and the user is asked to consent to granting them”

AFAIK, all permissions have this behavior.

What this may have morphed into is that dangerous permissions are always displayed and normal permissions are ones that might be “below the fold” if there are enough dangerous ones.

“For any particular Android permission I have in mind, how can I tell whether it is a normal permission or a dangerous permission? Is there a list of dangerous permissions and a list of normal permissions?”

answered Sep 7, 2011 at 21:33
CommonsWare
Feb 18, 2015 at 16:58

stackoverflow.com/questions/32681513/… I think there is one difference which ought to be explained in the above description. Dangerous permissions are granted at runtime and were introduced in API level 23.

Oct 15, 2015 at 13:22

This answer is not so satisfying; it just tells the difference between them. The questioner wanted the list of dangerous permissions, I believe!

May 24, 2016 at 15:06
@DJphy: The roster of dangerous permissions changes with every Android release.
May 24, 2016 at 15:24

@CommonsWare, look at me, I am so dumb. I didn’t think about this. It’s so very true; thanks for the enlightenment and sorry!

May 24, 2016 at 15:29

I found this blog post listing the “default” permissions by protection level. I think this is the kind of list you were looking for.

The list might have changed in the meantime though, as the post is 10 months old. It provides sample code to recompile the list by yourself.

answered Aug 24, 2012 at 10:09

From Android M, permissions will be granted at runtime. User consent is not required for Normal permissions, but for Dangerous permissions the user is required to grant the permission to the application.

Dangerous permissions: Dangerous permissions cover areas where the app wants data or resources that involve the user’s private information https://developer.android.com/guide/topics/security/permissions.html#normal-dangerous

answered Oct 5, 2015 at 13:18
singularity

Here is a good article which describes everything about runtime permissions:

  • android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.ACCESS_NOTIFICATION_POLICY
  • android.permission.ACCESS_WIFI_STATE
  • android.permission.ACCESS_WIMAX_STATE
  • android.permission.BLUETOOTH
  • android.permission.BLUETOOTH_ADMIN
  • android.permission.BROADCAST_STICKY
  • android.permission.CHANGE_NETWORK_STATE
  • android.permission.CHANGE_WIFI_MULTICAST_STATE
  • android.permission.CHANGE_WIFI_STATE
  • android.permission.CHANGE_WIMAX_STATE
  • android.permission.DISABLE_KEYGUARD
  • android.permission.EXPAND_STATUS_BAR
  • android.permission.FLASHLIGHT
  • android.permission.GET_ACCOUNTS
  • android.permission.GET_PACKAGE_SIZE
  • android.permission.INTERNET
  • android.permission.KILL_BACKGROUND_PROCESSES
  • android.permission.MODIFY_AUDIO_SETTINGS
  • android.permission.NFC
  • android.permission.READ_SYNC_SETTINGS
  • android.permission.READ_SYNC_STATS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.REORDER_TASKS
  • android.permission.REQUEST_INSTALL_PACKAGES
  • android.permission.SET_TIME_ZONE
  • android.permission.SET_WALLPAPER
  • android.permission.SET_WALLPAPER_HINTS
  • android.permission.SUBSCRIBED_FEEDS_READ
  • android.permission.TRANSMIT_IR
  • android.permission.USE_FINGERPRINT
  • android.permission.VIBRATE
  • android.permission.WAKE_LOCK
  • android.permission.WRITE_SYNC_SETTINGS
  • com.android.alarm.permission.SET_ALARM
  • com.android.launcher.permission.INSTALL_SHORTCUT
  • com.android.launcher.permission.UNINSTALL_SHORTCUT


Dangerous permissions

Dangerous Android Permissions To Look Out For In Your Apps

Android is the leading mobile operating system in the world with over 70% of all mobile devices worldwide running Android as of July 2021. You can download almost any kind of app from the Play Store, but before installing it, do you just select Accept to all permissions? Most people do. But what exactly are you consenting to? Certain permissions can allow an app, and the corporation that created it, to go as far as infringing on your privacy. To prevent companies from flagrantly accessing your private data, you must first understand what is at stake.

Apart from giving companies access to your data, apps with dangerous permissions are also used to disseminate malware, orchestrate espionage campaigns, and defraud individuals. In 2019, customers of several Czech banks reported money unexpectedly missing from their accounts. Investigators eventually traced it back to hackers who were employing malicious Android applications to overlay phony permission pop-up windows on top of real ones, to carry out unauthorized transactions to customers’ bank accounts.

What are Android Permissions?

An app usually comes with in-built features to do its job. However, there are still a number of permissions it needs to interact with you and your device. For example, a scanning app that needs access to your camera will request your permission to access your camera. This permission is known as CAMERA and is in most cases a safe permission to grant. However, it would be questionable for a calculator app to ask for this permission.

Be wary of Android apps that request permission to your device’s:

  • Audio
  • Location
  • Contacts
  • Camera
  • Calendar
  • Messages
  • Biometrics
  • Cloud storage (Read or Write access)

The Extent of the Problem

Analysis of over 148,000 apps indexed on BeVigil, the world’s first security search engine, showed that Educational apps, which account for 7.94% of the apps scanned, request dangerous permissions more than any other category of apps. This is especially concerning, given that these apps are primarily used by children, who may not be able to discern the consequences of these permissions.

Of the permissions categorized as dangerous, the most commonly requested one was WRITE_EXTERNAL_STORAGE, with 64.45% of the total apps requesting it, followed by READ_EXTERNAL_STORAGE, which was requested by 50.67% of apps.

We also performed Permission Analysis For Android Malware Detection (PAMD), which is a method to evaluate the security level of Android applications based on their permissions by calculating the weighted averages. We found that 1564 of the total apps scanned had a Risk Score >0.5. Moreover, we also found that children’s gaming apps required a lot of unnecessary permissions like access to location, external storage, etc. Some apps with a high Risk Score and requiring strange permissions were: Temple Jungle Prince Run, City Construction Trucks Sim, and Fruit Link – Line Blast, to name a few.

Some Dangerous Permissions To Look Out For!

“Allows a calling app to carry on a conversation that began in another app.”

This permission enables a call to be routed to an app or service that you may not be aware of. If it switches you to a service that uses your data allowance instead of your mobile plan, this might cost you money. It might also be used to capture discussions in secret.

“Allows a background program to access a user’s location.”

You must additionally request either ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION when seeking this privilege. Simply requesting this permission does not provide you with location access. As Google claims, this permission, by itself, will not allow Google to monitor you. However, even if you believe you’ve stopped the app and it’s no longer tracking your position, it may still follow you.

“Allows an application to read the user’s calendar data.”

The app would know where you’ll be and when. If you make notes with your appointments, it’ll also know why you’re there. Add location information, and the app will know how you got there too.

  1. READ_EXTERNAL_STORAGE/WRITE_EXTERNAL_STORAGE

“Allows a program to access external storage.”

If you grant the READ_EXTERNAL_STORAGE permission, any data storage that connects to your devices, such as a microSD card or even a laptop, might be accessed. The READ_EXTERNAL_STORAGE permission is implicitly given if you provide the WRITE_EXTERNAL_STORAGE permission. Using these permissions, the app can arbitrarily read/write data to any location on your device.

Analysis of Popular Apps on BeVigil

Now that we have realized how dangerous granting random permissions is, let us survey how widespread these are on the Play Store.

We analyzed popular apps on BeVigil: the world’s first security search engine, and here’s what we found.

A leading messaging app with 5B+ downloads:

Dangerous permission: REQUEST_INSTALL_PACKAGES

Impact: With this permission, the application can request to install external packages which may be harmful to your device.

Popular social media platforms with 5B+ downloads:

Dangerous Permissions: SYSTEM_ALERT_WINDOW and BATTERY_STATS

Impact: BATTERY_STATS allows an application to collect battery usage statistics from your phone. This permission is highly unnecessary for a social media platform.

Mobile web browser with 1B+ downloads:

Dangerous Permissions: GET_ACCOUNTS_PRIVILEGED and WRITE_SETTINGS

Impact: GET_ACCOUNTS_PRIVILEGED allows the app access to the list of accounts in the Accounts Service, and WRITE_SETTINGS allows an application to read or write the system settings.

Emailing App with 1B+ downloads:

Dangerous Permissions: BIND_DEVICE_ADMIN and SYSTEM_ALERT_WINDOW

Impact: This app requests the BIND_DEVICE_ADMIN permission, which must be required by the device administration receiver to ensure that only the system can interact with it. In Android, a screen overlay, often known as “Draw On Top,” allows one app to show content over another. This is made available by the Android app permission SYSTEM_ALERT_WINDOW. Because of its links to tapjacking attacks, this permission should be a source of concern to everyone. And, thanks to some Google adjustments, applications may now obtain that permission without the user’s awareness.

Using BeVigil To Find Dangerous Permissions

If you are ever unsure about permissions requested by an app, you can use BeVigil to ascertain the severity of permissions and then make an informed decision.

CloudSEK’s BeVigil is the world’s first security search engine that helps app users, cybersecurity researchers, app developers, and organizations identify vulnerabilities in the source code, exposed/hardcoded secret keys, and app permissions, and mitigate the risks in a timely manner.

Just follow these simple steps to appraise an app:

Step 1: Go to https://bevigil.com/search and type the name of any app whose permissions you are curious about. As you start typing the name in the search bar, a dropdown will display the list of possible results.

Step 2: Once you select the app, you will be redirected to the app’s security report.

Step 3: On the left, you will see a Summary panel. Click on the Permissions option under About the app.

The permissions required by the app are color-coded according to the level of severity. On the right, you can find a bar chart that shows the number of permissions categorized by their safety level.

Step 4: Click on any permission you want to find more information on.

Also, by clicking the Additional Settings button, under the search bar, you will find many useful filters to enhance your search experience. One of them is the Permissions filter with which you can filter apps by specific permissions.

Protect Your Device And Yourself

Although many tech companies have started to acknowledge user privacy, Android permissions remain a grey area. This article covered only a small subset of the hundreds of permissions that modern Android apps utilize. Most users fail to understand the profound implications of these permissions.

As a user, the easiest way to protect your device and yourself from apps with these dangerous permissions is to be aware of all the permissions that an app requires. This way, you know exactly what you’re in for before downloading the app. A list of safe and dangerous permissions is available here.

There are nine categories of “dangerous” permissions on Android. Each of these risky permission groups has several permissions, and accepting one permission in a group automatically authorizes all of the other permissions in that group. They are:

  1. Body sensors
  2. Calendar
  3. Camera
  4. Contacts
  5. GPS location
  6. Microphone
  7. Calling
  8. Texting
  9. Storage
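
The grouping above can be checked directly against an app's manifest. The following is an added example, not code from the original article or from BeVigil: it lists the dangerous permissions requested in a text-form AndroidManifest.xml, grouped by the API level 23 permission groups quoted earlier on this page. The sample manifest and the package name com.example.calculator are constructed; anything the script does not recognise (normal, signature, later-API or third-party permissions) is returned separately.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Dangerous permission groups exactly as listed on this page (API level 23).
DANGEROUS_GROUPS = {
    "CALENDAR": "READ_CALENDAR WRITE_CALENDAR",
    "CAMERA": "CAMERA",
    "CONTACTS": "READ_CONTACTS WRITE_CONTACTS GET_ACCOUNTS",
    "LOCATION": "ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION",
    "MICROPHONE": "RECORD_AUDIO",
    "PHONE": "READ_PHONE_STATE CALL_PHONE READ_CALL_LOG WRITE_CALL_LOG "
             "ADD_VOICEMAIL USE_SIP PROCESS_OUTGOING_CALLS",
    "SENSORS": "BODY_SENSORS",
    "SMS": "SEND_SMS RECEIVE_SMS READ_SMS RECEIVE_WAP_PUSH RECEIVE_MMS",
    "STORAGE": "READ_EXTERNAL_STORAGE WRITE_EXTERNAL_STORAGE",
}
GROUP_OF = {p: g for g, names in DANGEROUS_GROUPS.items() for p in names.split()}

def audit_manifest(manifest_xml):
    """Return ({group: [dangerous permissions]}, [all other permission names])."""
    root = ET.fromstring(manifest_xml)
    by_group, other = defaultdict(list), []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(NS + "name", "")
            # Only platform names (android.permission.*) may match the list; a
            # third-party permission that reuses a short name must not.
            short = name[len(PREFIX):] if name.startswith(PREFIX) else None
            if short in GROUP_OF:
                by_group[GROUP_OF[short]].append(short)
            else:
                other.append(name)
    return dict(by_group), other

# Constructed sample: a calculator app with requests it should not need.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="com.example.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

Each key in the first result is one of the nine groups, so the permissions listed under it are the ones a single consent for that group would cover.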

Besides the permissions listed above, Android contains administrator privileges and root privileges, which are the most harmful category of permissions. Apps with device administrator access can change your system settings, modify your device password, lock your phone, or even permanently delete all the data from your device. Any program with root access may do whatever it wants, regardless of which permissions you’ve banned or enabled previously.

There are, of course, going to be apps that genuinely require these permissions to function correctly. For example, it is reasonable for a fitness app to request the Body Sensors permissions and for a messaging app to request the Contacts permission. As a user, you must assess permissions based on the functionality of the app requesting them.

References

  1. https://www.inmobi.com/blog/2021/08/09/understanding-android-users-worldwide
  2. Giang, Pham & Duc, Nguyen & Vi, Pham. (2015). Permission Analysis for Android Malware Detection.
  3. https://www.avg.com/en/signal/guide-to-android-app-permissions-how-to-use-them-smartly
  4. https://www.online-tech-tips.com/smartphones/30-app-permissions-to-avoid-on-android
  5. https://in.pcmag.com/news/134176/android-malware-abuses-app-permissions-to-hijack-phones