
Android Application Security Testing Part-7: Android Permission Model


Android Permission Model
Android is a privilege-separated operating system, in which each app runs with a distinct system identity (Linux user ID and group ID). Parts of the system are also separated into distinct identities. Linux thereby isolates apps from each other and from the system.
Apps can expose their functionality to other apps by defining permissions which those other apps can request. They can also define permissions which are automatically made available to any other apps which are signed with the same certificate.
Android Permissions:
The purpose of a permission is to protect the privacy of an Android user. Android apps must request permission to access sensitive user data (such as contacts and SMS), as well as certain system features (such as camera and internet). Depending on the feature, the system might grant the permission automatically or might prompt the user to approve the request.
Request App Permissions
Every Android app runs in a limited-access sandbox. If an app needs to use resources or information outside of its own sandbox, the app has to request the appropriate permission. You declare that your app needs a permission by listing the permission in the app manifest and then requesting that the user approve each permission at runtime.
By default, some protected APIs in the Android operating system can be accessed only by the operating system itself. The protected APIs include:
  • Camera functions
  • Location data (GPS)
  • Bluetooth functions
  • Telephony functions
  • SMS/MMS functions
  • Network/data connections
If an application needs access to any of these APIs, it needs to declare the corresponding permission in the AndroidManifest.xml file. You might have observed that when you install an application from the Google Play Store, it asks for the several permissions it needs; if you don't allow them, the app won't install. If the user agrees to grant those permissions, the Android operating system gives the app access to that protected API.
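As an added example (not code from the original post), the following script audits a decoded AndroidManifest.xml: it groups the requested permissions under the protected API categories listed above and reports the permissions the app itself defines, including their protection level. The sample manifest, the package name `com.example.notes` and the selection of permission names per category are constructed for illustration, and the manifest is assumed to be in decoded text form rather than the binary form stored inside an APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Selected android.permission.* names, grouped under the protected API list above.
PROTECTED_APIS = {
    "Camera functions": {"CAMERA"},
    "Location data (GPS)": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "Bluetooth functions": {"BLUETOOTH", "BLUETOOTH_ADMIN", "BLUETOOTH_CONNECT"},
    "Telephony functions": {"READ_PHONE_STATE", "CALL_PHONE"},
    "SMS/MMS functions": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_MMS"},
    "Network/data connections": {"INTERNET", "ACCESS_NETWORK_STATE"},
}
# Constructed sample manifest in decoded text form (assumption: not binary AXML).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <permission android:name="com.example.notes.permission.SYNC"
        android:protectionLevel="signature"/>
    <permission android:name="com.example.notes.permission.EXPORT"/>
</manifest>"""


def audit_manifest(xml_text):
    """Return (protected API requests by category, other requests, declared permissions)."""
    root = ET.fromstring(xml_text)
    by_category, other = {}, []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        short = name.rsplit(".", 1)[-1]
        for category, names in PROTECTED_APIS.items():
            if name.startswith("android.permission.") and short in names:
                by_category.setdefault(category, []).append(name)
                break
        else:
            other.append(name)  # requested, but outside the categories above
    # Permissions the app defines itself; protectionLevel is "normal" when omitted.
    declared = {
        node.get(ANDROID_NS + "name"): node.get(ANDROID_NS + "protectionLevel", "normal")
        for node in root.iter("permission")
    }
    return by_category, other, declared


if __name__ == "__main__":
    requested, other, declared = audit_manifest(SAMPLE_MANIFEST)
    print("Protected API requests:", requested)
    print("Other requests:", other)
    print("Declared permissions:", declared)
```

A declared permission with `protectionLevel="signature"` is the kind that is granted automatically to apps signed with the same certificate, while one left at the default level can be requested by any other app. When the manifest comes from an untrusted APK, parse it with a hardened XML parser such as `defusedxml` instead of the standard library.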
