[C-0-1] MUST support the Android permissions model as defined in the Android developer documentation. Specifically, they MUST enforce each permission defined as described in the SDK documentation; no permissions may be omitted, altered, or ignored.
MAY add additional permissions, provided the new permission ID strings are not in the
[C-0-2] Permissions with a
PROTECTION_FLAG_PRIVILEGED MUST only be granted to apps preinstalled in the privileged path(s) of the system image and within the subset of the explicitly whitelisted permissions for each app. The AOSP implementation meets this requirement by reading and honoring the whitelisted permissions for each app from the files in the
etc/permissions/ path and using the
system/priv-app path as the privileged path.
Permissions with a protection level of dangerous are runtime permissions. Applications with
targetSdkVersion > 22 request them at runtime.
android.permission.RECOVER_KEYSTOREpermission only to system apps that register a properly secured Recovery Agent. A properly secured Recovery Agent is defined as an on-device software agent that synchronizes with an off-device remote storage, that is equipped with secure hardware with protection equivalent or stronger than what is described in Google Cloud Key Vault Service to prevent brute-force attacks on the lockscreen knowledge factor.
[C-0-7] MUST adhere to Android location permission properties when an app requests the location or physical activity data through standard Android API or proprietary mechanism. Such data includes but not limited to:
More specifically, device implementations:
* [C-0-8] MUST obtain user consent to allow an app to access the location or physical activity data. * [C-0-9] MUST grant a runtime permission ONLY to the app that holds sufficient permission as described on SDK. For example,
Permissions can be marked as restricted altering their behavior.
[C-0-10] Permissions marked with the flag
hardRestricted MUST NOT be granted to an app unless:
hardRestrictedpermissions to an app.
hardRestrictedto an app.
hardRestrictedon an earlier Android version.
[C-0-11] Apps holding a
softRestricted permission MUST get only limited access and MUST NOT gain full access until whitelisted as described in the SDK, where full and limited access is defined for each
softRestricted permission (for example,
If device implementations provide a user affordance to choose which apps can draw on top of other apps with an activity that handles the
ACTION_MANAGE_OVERLAY_PERMISSION intent, they:
ACTION_MANAGE_OVERLAY_PERMISSIONintent have the same UI screen, regardless of the initiating app or any information it provides.