In this document
- Introduction
- Permission Groups
- Permission Requests and App Downloads
- Permission Requests Trend Downward
You should also read
Permissions protect sensitive information available from a device and should only be used when access to information is necessary for the functioning of your app.
This document provides a high-level overview on how permissions work in Android so you can make better, more informed decisions about the permissions you're requesting. The information in this document is not use-case specific and avoids complex, low-level discussions of the underlying code.
For specific recommendations on how to manage permissions, please see Best Practices for App Permissions. For best practices on using unique identifiers on Android, please see Best Practices for Unique Identifiers. For details on how to work with permissions in your code, see Working with System Permissions.
Introduction
Every Android application must have a manifest file that presents essential information about the app to the Android system. The Android system also requires apps to request permission when they want to access sensitive device or user information, and these requests must be documented in advance as a part of your app's manifest. Moreover, accessing sensitive information can affect user behavior, so it's important to make sure you are only making permission requests when that information is necessary for the functioning of your app.
Permission Groups
Permissions in Android are organized into permission
groups
that organize, and group, permissions related to a device's
capabilities or features. Under this system, permission requests are handled
at the group level and a single permission group
corresponds to several permission declarations in
the app manifest; for example, the SMS group includes both the
READ_SMS
and the RECEIVE_SMS
declarations.
This arrangement is simpler and more informative for users; once an app is granted permission to access the group, it can use API calls within that group and users with auto-update enabled will not be asked for additional permissions because they have already granted access to the group. Grouping permissions in this way enables the user to make more meaningful and informed choices, without being overwhelmed by complex and technical permission requests.
This also means that when you request access to a particular API call or
query a content provider behind a permission, the user will be presented with
a request to grant permission for the whole group rather than the specific
API call. For example, if you request the WRITE_CALL_LOG
permission, the user will be asked to grant access to the PHONE
group (in API level 23 and higher), which is composed of the
READ_PHONE_STATE
, CALL_PHONE
,
READ_CALL_LOG
, WRITE_CALL_LOG
,
ADD_VOICEMAIL
, USE_SIP
, and
PROCESS_OUTGOING_CALLS
permissions, and
all their associated methods.
One consequence of grouping permissions is that a single API call within your app can have a multiplying effect in terms of the number of permissions requested by your app.
- API Call →
- Triggers a specific Permission Group access request →
- Successful request grants access to all permissions in group (if auto-update enabled) →
- Each permission grants access to all APIs under that permission
As another example, let's assume your application uses one or more TelephonyManager
methods, such as:
TelephonyManager.getDeviceId()
TelephonyManager.getSubscriberId()
TelephonyManager.getSimSerialNumber()
TelephonyManager.getLine1Number()
TelephonyManager.getVoiceMailNumber()
To use these methods, the READ_PHONE_STATE
permission must be
declared in the app's manifest, and the associated permission group,
PHONE, will be surfaced to the user. This
is important, because it means the user will be asked to grant permission for
the relevant group and all its associated permissions and API calls, rather
than for the specific API call you're requesting.
For a full mapping between permissions and their associated permission groups, please refer to the appropriate version-specific documentation below:
Permission Requests and App Downloads
I'm currently using the READ_PHONE_STATE permission in Android to pause my media player when there's a call, and to resume playback when the call is over. The permission seems to scare a lot of people...1
Research shows that among apps that are otherwise identical (e.g., functionality, brand recognition), requesting fewer permissions leads to more downloads. Publicly available sources exist that assign grades to apps based on their permissions usage and allow users to compare related apps by score; such grades exist for many of the current Android apps and users pay close attention to the related rankings.
One study2, in which users were shown two unbranded apps with similar ratings that had the same functionality but different sets of permission requests, showed that users were, on average, 3 times more likely to install the app with fewer permissions requests. And a similar study 3 showed that users are 1.7 times more likely, on average, to select the application with fewer permission requests.
Finally, permissions usage is not evenly distributed across apps within a similar category of Play apps. For example, 39.3% of arcade game apps in the Play store request no permissions that are surfaced to the user while only 1.5% of arcade games request the Phone permission group (see Figure 1).
Users comparing your app to other similar apps may determine that it is making unusual permission requests for that category - in this case, Arcade Games apps accessing the Phone permission group. As a result, they may install a similar app in that category that avoids those requests.4
Permission Requests Trend Downward
A recent analysis of Play store apps over time indicated that many developers trim permissions after first publishing their apps, suggesting that they may be employing more caution around which permission groups they declare.
The graph in Figure 2 illustrates this trend. There has been a
steady decrease in the average percentage of developers' apps requesting at
least one of the three most popular permissions in the Play store
(READ_PHONE_STATE
, ACCESS_FINE_LOCATION
, and
ACCESS_COARSE_LOCATION
). These results indicate that developers
are reducing the permissions their apps request in response to user behavior.
The bottom line is that providing the same functionality to the user with minimal access to sensitive information means more downloads for your app. For specific recommendations on how to achieve this, please see Best Practices for Application Permissions.
References
[1] Developer quote on StackOverflow. (source)
[2] Using Personal Examples to Improve Risk Communication for Security and Privacy Decisions, by M. Harbach, M. Hettig, S. Weber, and M. Smith. In Proceedings of ACM CHI 2014.
[3] Modeling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings, by J. Lin B. Liu, N. Sadeh and J. Hong. In Proceedings of SOUPS 2014.
[4] Teens and Mobile Apps Privacy. (source)