Lejet e Android-it në Thellësi

Fillestar 12 min Siguria Mobile

Hyrje

Android's permission model gates access to sensitive resources through a combination of install-time declarations and runtime user consent.

Teoria

Permissions are categorized as normal (automatically granted, low-risk), signature (granted only to apps signed by the same key, used by OEMs), and dangerous (user-consent required at runtime since Android 6). Dangerous permissions include location, camera, microphone, contacts, SMS, call logs and body sensors. A malicious app that acquires READ_SMS or READ_CALL_LOG can perform banking fraud by intercepting one-time codes or stealing authentication data. From Android 10 onward, Google has continuously tightened permission scope. Location permissions now distinguish foreground, background, precise and approximate; the photo picker replaces READ_EXTERNAL_STORAGE for media-only apps; Google Play policy restricts which apps can request SMS and call log permissions at all. Newer permissions like POST_NOTIFICATIONS (Android 13) also require explicit opt-in. For security analysis, the first step is to enumerate every permission in the manifest and classify whether each is justified by the app's stated purpose. A flashlight app requesting READ_CONTACTS is a red flag. The next step is to check how the permission is used inside the code — some apps over-declare permissions and never actually use them, but any use of a sensitive permission needs scrutiny to understand the data flow and potential for leakage.

Mjetet

Kategoritë:

  • Normal (auto-granted): INTERNET, VIBRATE.
  • Dangerous (runtime prompt): CAMERA, RECORD_AUDIO, READ_CONTACTS, ACCESS_FINE_LOCATION.
  • Signature / Privileged / Special: SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, PACKAGE_USAGE_STATS.

Praktika

Kontrolli i lejeve në runtime (Kotlin):

if (ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
    != PackageManager.PERMISSION_GRANTED) {
    ActivityCompat.requestPermissions(this, arrayOf(Manifest.permission.CAMERA), 1)
}

ADB list të lejeve të një aplikacioni:

adb shell dumpsys package com.example.app | grep permission

Ushtrime

  1. Listo 5 aplikacione në telefonin tënd dhe lejet e tyre 'dangerous'. Vlerëso a justifikohet çdo njëra.
  2. Konfiguro Privacy Dashboard (Android 12+).

Burime

  • Android Permissions Overview.
  • OWASP MASVS-PLATFORM.

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re