[C-0-1] MUST support the Android permissions model as defined in the Android developer documentation. Specifically, they MUST enforce each permission defined as described in the SDK documentation; no permissions may be omitted, altered, or ignored.
MAY add additional permissions, provided the new permission ID strings are not in the
[C-0-2] Permissions with a
PROTECTION_FLAG_PRIVILEGED MUST only be granted to apps preloaded in the privileged path(s) of the system image and within the subset of the explicitly whitelisted permissions for each app. The AOSP implementation meets this requirement by reading and honoring the whitelisted permissions for each app from the files in the
etc/permissions/ path and using the
system/priv-app path as the privileged path.
Permissions with a protection level of dangerous are runtime permissions. Applications with
targetSdkVersion > 22 request them at runtime.
android.permission.RECOVER_KEYSTOREpermission only to system apps that register a properly secured Recovery Agent. A properly secured Recovery Agent is defined as an on-device software agent that synchronizes with an off-device remote storage, that is equipped with secure hardware with protection equivalent or stronger than what is described in Google Cloud Key Vault Service to prevent brute-force attacks on the lockscreen knowledge factor.
If device implementations include a pre-installed app or wish to allow third-party apps to access the usage statistics, they:
android.settings.ACTION_USAGE_ACCESS_SETTINGSintent for apps that declare the
If device implementations intend to disallow any apps, including pre-installed apps, from accessing the usage statistics, they:
android.settings.ACTION_USAGE_ACCESS_SETTINGSintent pattern but MUST implement it as a no-op, that is to have an equivalent behavior as when the user is declined for access.