When you develop an Android app, your users will justifiably be concerned if your app requests access to a myriad of device features and personal information. You are risking decreased app installations and increased suspicions of your app’s motives if you ask your users for personal data, contacts, access to their phone, SMS messages, and so on. In this article I hope to pull back the curtains on Android permissions and help you develop and distribute your apps more efficiently, without raising the ire of your customers.
There are a lot of permissions to sort through on the Android platform. Did I say a lot, because I mean: A LOT. In the interest of space and time, I’ve provided you a handy chart you may use to look up any Android permission along with a plain English description of what that permission really means:
Now that you know what all of the permissions mean, you should next focus on limiting your exposure to certain ones. As a rule of thumb, you should only request a permission that your app literally NEEDS to run properly. At the same time, you should by all means avoid requesting the following permissions – as these are major red flags when it comes to securing your end user’s privacy:
CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
RECEIVE_SMS: Allows an application to monitor incoming SMS messages, to record or perform processing on them.
SEND_SMS: Allows an application to send SMS messages.
READ_CONTACTS: Allows an application to read the user’s contacts data.
ACCESS_FINE_LOCATION: Allows an app to access precise location from location sources such as GPS, cell towers, and Wi-Fi.
Basically any permission that brings up the dreaded “this may cost you money” notification, you’ll want to avoid if at all possible.
Now we get to the important part for those of you who develop hybrid mobile apps with Cordova/PhoneGap. Say you’ve gone through and eliminated as many Android permissions as you possibly can. However, when you deploy your app on a device, the app still asks for permissions that you didn’t specify! What is going on here?!
The issue is that certain core Cordova plugins also enable some Android permissions by default. For your convenience, here is another handy list:
Unsure of which core Cordova plugins you need in your mobile app? Check out this guide.
WRITE_EXTERNAL_STORAGE permission.
RECORD_AUDIO, RECORD_VIDEO, and WRITE_EXTERNAL_STORAGE permissions.
READ_CONTACTS, WRITE_CONTACTS, and GET_ACCOUNTS permissions.
ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions.
WRITE_EXTERNAL_STORAGE permission.
WRITE_EXTERNAL_STORAGE permission.
ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions.
RECORD_AUDIO, MODIFY_AUDIO_SETTINGS, WRITE_EXTERNAL_STORAGE, and READ_PHONE_STATE permissions.
ACCESS_NETWORK_STATE permission.
VIBRATE permission.
Also, if you are a Telerik AppBuilder user, you may be using one of these plugins:
ACCESS_NETWORK_STATE, GET_ACCOUNTS, WAKE_LOCK and VIBRATE permissions.
INTERNET and ACCESS_NETWORK_STATE permissions.
INTERNET permission.
And yes, of course we make it as easy as possible to manage your Android permissions within all of the AppBuilder clients. With a simple toggle next to each permission (along with a basic description), you can easily maintain permissions for your app.
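To catch permissions that plugins add behind your back, you can audit the manifest your build produces. The script below is an added example, not code from the original article or from Cordova; the sample manifest, the package name and the "intended" list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# The permissions this article singles out as red flags.
RED_FLAGS = {"CALL_PHONE", "RECEIVE_SMS", "SEND_SMS",
             "READ_CONTACTS", "ACCESS_FINE_LOCATION"}

# Constructed sample of a generated manifest (not taken from a real project).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.WRITE_CONTACTS" />
  <uses-permission android:name="android.permission.GET_ACCOUNTS" />
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION" />
  <application android:label="Demo" />
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the short names of every permission the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Both element types result in a permission request on the device.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name", "")
            names.add(name[len(PREFIX):] if name.startswith(PREFIX) else name)
    names.discard("")
    return names

def audit(manifest_xml, intended):
    """Report permissions you did not intend, and any red-flag ones."""
    requested = requested_permissions(manifest_xml)
    return {
        "unexpected": sorted(requested - set(intended)),
        "red_flags": sorted(requested & RED_FLAGS),
    }

if __name__ == "__main__":
    # Assumption: the developer only meant to ask for network access.
    report = audit(SAMPLE_MANIFEST, {"INTERNET", "ACCESS_NETWORK_STATE"})
    print("Not in your intended list:", ", ".join(report["unexpected"]) or "none")
    print("Red-flag permissions:", ", ".join(report["red_flags"]) or "none")
    raise SystemExit(1 if report["unexpected"] else 0)
```

Run it against the AndroidManifest.xml your build generates rather than the sample; the non-zero exit code lets a build step fail when a plugin introduces a permission you did not plan for.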
Header image courtesy of Racchio
Rob Lauer