Hyrje
Android's permission model gates access to sensitive resources through a combination of install-time declarations and runtime user consent.
Teoria
Permissions are categorized as normal (automatically granted, low-risk), signature (granted only to apps signed by the same key, used by OEMs), and dangerous (user-consent required at runtime since Android 6). Dangerous permissions include location, camera, microphone, contacts, SMS, call logs and body sensors. A malicious app that acquires READ_SMS or READ_CALL_LOG can perform banking fraud by intercepting one-time codes or stealing authentication data.
From Android 10 onward, Google has continuously tightened permission scope. Location permissions now distinguish foreground, background, precise and approximate; the photo picker replaces READ_EXTERNAL_STORAGE for media-only apps; Google Play policy restricts which apps can request SMS and call log permissions at all. Newer permissions like POST_NOTIFICATIONS (Android 13) also require explicit opt-in.
For security analysis, the first step is to enumerate every permission in the manifest and classify whether each is justified by the app's stated purpose. A flashlight app requesting READ_CONTACTS is a red flag. The next step is to check how the permission is used inside the code — some apps over-declare permissions and never actually use them, but any use of a sensitive permission needs scrutiny to understand the data flow and potential for leakage.
Mjetet
Kategoritë:
- Normal (auto-granted): INTERNET, VIBRATE.
- Dangerous (runtime prompt): CAMERA, RECORD_AUDIO, READ_CONTACTS, ACCESS_FINE_LOCATION.
- Signature / Privileged / Special: SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, PACKAGE_USAGE_STATS.
Praktika
Kontrolli i lejeve në runtime (Kotlin):
if (ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
!= PackageManager.PERMISSION_GRANTED) {
ActivityCompat.requestPermissions(this, arrayOf(Manifest.permission.CAMERA), 1)
}ADB list të lejeve të një aplikacioni:
adb shell dumpsys package com.example.app | grep permission Ushtrime
- Listo 5 aplikacione në telefonin tënd dhe lejet e tyre 'dangerous'. Vlerëso a justifikohet çdo njëra.
- Konfiguro Privacy Dashboard (Android 12+).
Burime
- Android Permissions Overview.
- OWASP MASVS-PLATFORM.
Vlerësimet dhe komentet
Kyçu për të lënë një vlerësim.
Ende pa komente. Bëhu i pari!
Diskutime
Ende pa diskutime. Hap një temë të re