- -
support.google
Permissions (work in progress, almost done)
When you install an application the Market will tell you all of the permissions it needs to function. These are important to read as it can give you an idea if the application is asking for permission to do more than it needs. While some legitimate apps often ask for more permission than they need, it should at least raise an eyebrow when deciding if an application is safe and of good quality. Again, to see the permission given to an application after installation, go to the Market, press menu > downloads, then select the app, press menu again, then press security.
This list is a work in progress and by no means definitive. It also may contain errors or inaccuracies and I welcome any additions and corrections.
Services that cost you money : make phone calls
This permission is of moderate to high importance. This could let an application call a 1-900 number and charge you money. However this is not as common of a way to cheat people in today's world. Legitimate applications that use this include: Google voice and... (suggestions needed here).
Services that cost you money : send SMS or MMS
This permission is of moderate to high importance. This could let an application send an SMS on your behalf, and much like the phone call feature above, it could cost you money. Certain SMS numbers work much like 1-900 numbers and automatically charge your phone company money when you send them an SMS.
Storage : modify/delete SD card contents
This permission is of high importance. This will allow the applications to read, write, and delete anything stored on your phone's SD card. This includes, pictures, videos, mp3s, and even data written to your SD card by other applications. However there are many legitimate uses for this permission. Many people want their applications to store data on the SD card, and any application that stores information on the SD card will need this permission. You will have to use your own judgment and be cautious with this permission knowing it is very powerful but very often used by legitimate applications. Applications that typically need this permission include (but are not limited to): camera applications, video applications, note taking apps, backup applications.
A lot of Android Market apps want access to your SD card! I imagine this is mostly for storing configuration and cache files. What I don't know is whether this permission grants access to files created by other apps. I hope not...
Your personal information : read contact data
As you might think, this one's probably the most dangerous permission when it comes to privacy. Do apps really need access to your browser history? With access to your contacts, and Internet (or SMS) access, your phone could be used as a full-blown spam factory! (This is why there are concerns about malware on Android...)
This permission is of high importance. Unless an app explicitly states a specific feature that it would use your contact list for, there isn't much of a reason to give an application this permission. The one exception to that rule includes typing or note taking applications and/or quick-dial type applications. Those might require your contact information to help make suggestions to you as you type. Typical application that require this permission include: social networking apps, typing/note taking apps, SMS replacement apps, contact management apps.
Your personal information : read calendar data, write calendar data
This permission is of moderate to high importance. While most people would consider their calendar information slightly less important than their list of contacts and friends, this permission should still be treated with care when allow ing applications access.
Phone calls : read phone state and identity
This permission is of moderate to high importance. Unfortunately this permission seems to be a bit of a mixed bag. While it's perfectly normal for an application to want to know if you are on the phone or getting a call, this permission also gives an application access to 3 unique numbers that can identify your phone. The numbers are the IMEI, IMSI and a 64 bit unique id that Google provides for your phone. Some software developers use this as a means of tracking piracy. Additionally, any developer targeting older versions of android (1.6 and earlier I believe) will get this permission automatically added to their app. Nevertheless, while this permission can be innocuous, it is one to keep a good watch on. As someone posted in this thread the application Locale was caught sending this information over the internet unencrypted to a third party -- much to to the surprise of it's users.
Modify Phone Calls:This one's odd, and another one that you shouldn't see very often in legitimate apps. You could see some kind of voicemail app needing this permission, or an app that redirects incoming calls -- I don't know why you would want to interceptoutgoing calls.
Your location : fine (GPS) location
While not a danger for stealing any of your personal information, this will allow an application to track where you are. Typical applications that might need this include (but are not limited to) restaurant directories, movie theater finders, and mapping applications. This one's fairly simple, but still: watch out for apps requesting your fine (GPS) location when it's not necessary. Ask yourself whether an app really needs to know your exact location, especially when combined with some of the 'transmission' permissions.
Your location : coarse (network-based) location
This setting is almost identical to the above GPS location permission, except that it is less precise when tracking your location.
Network Communication : create Bluetooth connection
Bluetooth (Wikipedia: Bluetooth - Wikipedia, the free encyclopedia) is a technology that lets your phone communicate wirelessly over short distances. It is similar to Wi-fi in many ways. It itself is not a danger to your phone, but it does enable a way for an application to send and receive data from other devices. Typical applications that would need bluetooth access include: (? need suggestions here).
Network Communication : full internet access
This is probably the most important permission you will want to pay attention to. Many apps will request this but not all need it. For any malware to truly be effective it needs a means by which to transfer data off of your phone, this is one of the setting it would definitely have to ask for. However, in this day and age of cloud computing and always-on internet connectivity, many, many legitimate applications also request this. You will have to be very careful with this setting and use your judgment. It should always peak your interest to think about whether your application needs this permission. Typical applications that would use this include but are not limited to: web browsers, social networking applications, internet radio, cloud computing applications, weather widgets, and many, many more.
Almost every app has this permission -- and that's fair enough in most cases. But does a Play Your Own Vuvuzela!!1 app really need Internet access? This permission, combined with almost any other, is a potential recipe for disaster!
Network communication : view network state, view Wi-Fi state
This permission is of low importance as it will only allow an application to tell if you are connected to the internet via 3G or Wi-Fi.
System tools :
This isn't as scary as it looks! Well, it could expose sensitive data, but I doubt it. Just be aware that some apps might stop your screen from turning off, or might force your Wi-Fi on and off -- apps that play with your System Tools will probably affect your phone's battery life.
System tools : Prevent phone from sleeping
This is almost always harmless. An application sometimes expects the user to not interact with the phone directly sometimes, and as such would need to keep the phone from going to sleep so that the user can still use the application. Many applications will often request this permission. Typical applications that use this are: Video players, e-readers, alarm clock 'dock' views and many more.
System tools : Modify global system settings
This permission is pretty important but only has the possibility of moderate impact. Global settings are pretty much anything you would find under Android's main 'settings' window. However there are a lot of these setting that are perfectly reasonable for an application to want to change. Typical applications that would use this include: Volume control widget, notifications, widgets, settings widgets.
System tools : read sync settings
This permission is of low impact. It merely allow s the application to know if you have background data sync (such as for Facebook or Gmail) turned on or off.
System tools : Write Access Point name settings
I need a bit of clarification on this setting myself. I believe this relates to turning on and off wifi and your 3G data network. (if someone can comment and clarify I would greatly appreciate it and update this guide to reflect). Essentially however I believe this to be similar to the 'modify global settings' permission above.
System tools : automatically start at boot
This permission is of low to moderate impact. It will allow an application to tell Android to run the application every time you start your phone. While not a danger in an of itself, it can point to an applications intent.
System tools : restart other applications
This permission is of low to moderate impact. It will allow an application to tell Android to 'kill' the process of another application. However that application should have the option of immediately restarting itself.
System tools : retrieve running applications
This permission is of moderate impact. It will allow an application to find out what other applications are running on your phone. While not a danger in an of itself, it would be a useful tool for someone trying to steal your data. Typical legitimate applications that require this permission include: task killers and battery history widgets.
System tools : set preferred applications
This permission is of moderate impact. It will allow an application to set the default application for any task in Android. For instance clicking on a hyperlink in your email will bring up a browser. However if you have more than one browser on your phone, you may want to have one set as your 'preferred' browser. Typical legitimate applications that require this permission include any applications that replace, compliment, or augment default Android functionality. Examples of this include web browsers, enhanced keyboards, email applications, Facebook applications and many more.
Hardware controls : control vibrator
This permission is of low importance (but could be lots of fun). As it states, it lets an app control the vibrate function on your phone. This includes for incoming calls and other events.
Hardware controls : take pictures
This permission is of low importance. As it states, it lets an app control the camera function on your phone.
OK! Now it's getting a bit creepy -- in the wrong context at least. Android apps can request access to your camera and take photos -- they can even use the flash! Apps can also record audio. Again, just ask yourself whether an app should be able to use your camera...
Your accounts [[ clarification needed ]] : discover known accounts
This permission is of low importance. Tells the application if you have a Google or Facebook account, but nothing about that account.
Notes:
Your Messages-With this permission, an app could in theory forward your most private and treasured text messages to anyone (via the Internet). Combined with the next permission, an app could send the worst SMSes to your ex-girlfriend or boyfriend...
Services That Cost Money, Notice how this permission is nicely separated from the 'reading SMSes' permission. If you see this warning when installing an Android Market app, think twice. Unless it's Skype or Google Voice, does an app really need the ability to make telephone calls?
How to Protect Yourself
There are no full-proof ways to avoid all bad situations in the world, but any sane person with a reasonable head on their shoulders knows that a few good habits can keep you safe for a long, long time in whatever you do. Here are a few tips I have learned from many years as a professional software developer and from reading these forums that have many people smarter and more knowledgeable than I about Android
Read the ALL comments in the Market prior to download. Comments should also be read EVERY time you update an app.
Check the Rating, less than 3 stars,forget it. Most all good apps have between 4 and 5 stars. general rule for finding both safe, AND quality apps.
Check the permission, Any app does what YOU gave permission when you download and install it. Your phone will show you a list of the things that application needs to function. Read them. Ask what application does for you, if permission seems unnessary, forget it unless you investigate why. AND find A good reason!
market, menu, downloads, select the app, menu, security.
To see the permission given to an application after installation, go to the market, press menu, downloads, then select the app, press menu again, then press security.
Check the developer's website
Make sure the developer has a website and not just some Wordpress blog. This is often again a good indication of quality as well as safety. If the developer cares about their app they will likely have a relatively nice looking website or, if they are open source, a site on Google Code. Note: sites on Google code are NOT verified or approved by Google. However, open source is usually (but not always) more likely to indicate a safe application.
Updating applications is the same as installing them fresh
Each time you update an application on your phone, you should use the same diligence as if you were installing it for the first time. Reread the permissions to see that it is only asking for what it needs and no more. Reread the comments to see if anything has changed in the opinions of the users and to see if it still works for your phone.
If you are still unsure, ask around -- the community is your anti-virus
If you see an app you want, but it seems to be asking for more permissions that it should, or it's comments and ratings are mediocre, go ahead and ask about the app in these (and other) forums. You will often find dozens if not more people who know the answers and another whole bunch wishing to know the answers to the same questions you have.
Posting your own comments
After you have downloaded an app you can post you own comments. The comment will be visible to all other android users but it will only show your first name. To do this go into the Market and press menu > downloads. You should see five empty stars at the top which you can tap to rate the app. Once you have rated the app you should see an option to add a comment under the stars.
low >
low >
moderate