Android Permissions Model
Android permissions control what apps can access.
Each app declares its required permissions in AndroidManifest.xml. Since Android 6.0, users grant dangerous permissions at runtime instead of approving them at install time.
Permission Levels
- Normal - Granted automatically, minimal risk (INTERNET, VIBRATE)
- Dangerous - User must approve at runtime (CAMERA, LOCATION, READ_CONTACTS)
- Signature - Only granted to apps signed with the same certificate
- SignatureOrSystem - Signature OR system app (very restricted)
Protection Levels Since Android 11
- STRONG_BOX - Requires hardware-backed keystore
- INSTALLER - Only app installer can grant
- VERIFIER - Only package verifier can grant
- PRIVILEGED - Only privileged/system apps
High-Value Target Permissions
CAMERA # Visual surveillance
RECORD_AUDIO # Audio surveillance
ACCESS_FINE_LOCATION # Physical tracking
READ_CONTACTS # Social graph harvesting
READ_SMS # SMS intercept (OTP bypass)
READ_EXTERNAL_STORAGE # File content access
SYSTEM_ALERT_WINDOW # Overlay attacks (tapjacking)
BIND_ACCESSIBILITY_SERVICE # Keylogging, screen reading
QUERY_ALL_PACKAGES # App fingerprinting (Android 11+)
Runtime Permission Model
Since Android 6.0 (API 23) dangerous permissions use runtime grants:
# Check granted permissions
adb shell dumpsys package package.name | grep -A 100 "runtime permissions"
Users can grant, deny, or grant only while the app is in use. Permission revocation triggers app termination in Android 11+.
Manifest Permission Declaration
The app declares its permissions in AndroidManifest.xml:
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.INTERNET" />
Permission Bypass Techniques
- Target SDK downgrade - Older API level avoids runtime permission checks
- Accessibility Service abuse - Grant permissions through accessibility
- Backup exploitation - Steal data without permission via adb backup
- Intent injection - Access content providers without permission
- World-readable files - Apps storing data in world-readable paths bypass permission checks
Permission Addition (Auto-Grant)
adb shell pm grant package.name android.permission.CAMERA
adb shell pm revoke package.name android.permission.CAMERA
This only works on debuggable apps or with root.
Content Provider Security
Content providers expose data across app boundaries, and permissions only protect the provider itself, not the URI paths within it.
- Path traversal via content URIs
- SQL injection in custom providers
- Temporary URI grants bypass permissions
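An added example, not part of the original page: a Python audit of a decoded AndroidManifest.xml that reports the high-value permissions listed above together with the manifest settings behind the target SDK, backup and content provider issues. The sample manifest, the finding labels and the function name audit_manifest are constructed for illustration; the input is assumed to be text XML already decoded from the APK's binary form, and a missing targetSdkVersion is treated as 0.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# High-value permissions listed on this page (short names).
HIGH_VALUE = {
    "CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
    "READ_SMS", "READ_EXTERNAL_STORAGE", "SYSTEM_ALERT_WINDOW",
    "BIND_ACCESSIBILITY_SERVICE", "QUERY_ALL_PACKAGES",
}
# Constructed sample manifest (decoded text form), not from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="22" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application android:allowBackup="true">
    <provider android:name=".NotesProvider" android:exported="true" />
    <provider android:name=".FilesProvider" android:exported="false"
        android:grantUriPermissions="true" />
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (category, detail) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        short = perm.get(ANDROID + "name", "").rsplit(".", 1)[-1]
        if short in HIGH_VALUE:
            findings.append(("high-value-permission", short))
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "0")) if sdk is not None else 0
    if target < 23:  # pre-API 23: no runtime grants; missing value counts as 0
        findings.append(("legacy-target-sdk", str(target)))
    app = root.find("application")
    # allowBackup defaults to true when the attribute is absent.
    if app is not None and app.get(ANDROID + "allowBackup", "true") == "true":
        findings.append(("backup-allowed", "adb backup can copy app data"))
    for prov in root.iter("provider"):
        name = prov.get(ANDROID + "name", "?")
        guarded = any(prov.get(ANDROID + attr) for attr in
                      ("permission", "readPermission", "writePermission"))
        if prov.get(ANDROID + "exported") == "true" and not guarded:
            findings.append(("unprotected-provider", name))
        if prov.get(ANDROID + "grantUriPermissions") == "true":
            findings.append(("uri-grants-enabled", name))
    return findings

if __name__ == "__main__":
    print(*audit_manifest(SAMPLE), sep="\n")
```

A provider flagged as uri-grants-enabled is not necessarily misconfigured; it marks where temporary URI grants should be reviewed against the paths the provider serves.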