Permissions that can have a large impact on user privacy, marked as https://developer.android.com/reference/android/Manifest.permission[dangerous or "not for use by third-party applications" by Android], should be requested only if they are really necessary to implement critical features of an application. == Ask Yourself Whether * It is not sure that ``++dangerous++`` permissions requested by the application are https://developer.android.com/training/permissions/usage-notes#avoid_requesting_unnecessary_permissions[really necessary]. * The users are not https://developer.android.com/training/permissions/usage-notes#be_transparent[clearly informed] why and when dangerous permissions are requested by the application. You are at risk if you answered yes to any of those questions. == Recommended Secure Coding Practices It is recommended to carefully review all the permissions and to use ``++dangerous++`` ones only if they are really necessary. == Sensitive Code Example In AndroidManifest.xml: ----

---- == Compliant Solution ---- ---- == See * https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control * https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements * https://www.owasp.org/index.php/Mobile_Top_10_2016-M1-Improper_Platform_Usage[OWASP Mobile Top 10 2016 Category M1] - Improper Platform Usage * https://cwe.mitre.org/data/definitions/250.html[MITRE, CWE-250] - Execution with Unnecessary Privileges * https://developer.android.com/training/permissions/usage-notes[developer.android.com] - App permissions best practices * https://play.google.com/about/privacy-security-deception/permissions/[Google Play] - Privacy, Security, and Deception - Permissions ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] endif::env-github,rspecator-view[]