Device implementations:
[C-0-1] MUST support the Android permissions model as defined in the Android developer documentation. Specifically, they MUST enforce each permission defined as described in the SDK documentation; no permissions may be omitted, altered, or ignored.
MAY add additional permissions, provided the new permission ID strings are not in the android.\*
namespace.
[C-0-2] Permissions with a protectionLevel
of PROTECTION_FLAG_PRIVILEGED
MUST only be granted to apps preinstalled in the privileged path(s) of the system image and within the subset of the explicitly whitelisted permissions for each app. The AOSP implementation meets this requirement by reading and honoring the whitelisted permissions for each app from the files in the etc/permissions/
path and using the system/priv-app
path as the privileged path.
Permissions with a protection level of dangerous are runtime permissions. Applications with targetSdkVersion
> 22 request them at runtime.
Device implementations:
android.permission.RECOVER_KEYSTORE
permission only to system apps that register a properly secured Recovery Agent. A properly secured Recovery Agent is defined as an on-device software agent that synchronizes with an off-device remote storage, that is equipped with secure hardware with protection equivalent or stronger than what is described in Google Cloud Key Vault Service to prevent brute-force attacks on the lockscreen knowledge factor.Device implementations:
[C-0-7] MUST adhere to Android location permission properties when an app requests the location or physical activity data through standard Android API or proprietary mechanism. Such data includes but not limited to:
More specifically, device implementations:
* [C-0-8] MUST obtain user consent to allow an app to access the location or physical activity data. * [C-0-9] MUST grant a runtime permission ONLY to the app that holds sufficient permission as described on SDK. For example,
TelephonyManager#getServiceState requires android.permission.ACCESS_FINE_LOCATION
).
Permissions can be marked as restricted altering their behavior.
[C-0-10] Permissions marked with the flag hardRestricted
MUST NOT be granted to an app unless:
hardRestricted
permissions to an app.hardRestricted
to an app.hardRestricted
on an earlier Android version.[C-0-11] Apps holding a softRestricted
permission MUST get only limited access and MUST NOT gain full access until whitelisted as described in the SDK, where full and limited access is defined for each softRestricted
permission (for example, READ_EXTERNAL_STORAGE
).
If device implementations provide a user affordance to choose which apps can draw on top of other apps with an activity that handles the ACTION_MANAGE_OVERLAY_PERMISSION
intent, they:
ACTION_MANAGE_OVERLAY_PERMISSION
intent have the same UI screen, regardless of the initiating app or any information it provides.