Google states that permissions with dangerous as the value of protectionLevel have to be granted by the user on installation time.
One example for such a dangerous permission is android.permission.INTERNET. But although apps have declared to use this permissions, it's treated like a normal permission, thus the user won't be asked about it. This is also mentioned on How-To Geek.
Where does Google itself explain this behaviour?
Why is the INTERNET permission still dangerous, but treated like a normal one? (instead of changing it to normal in the mapping file)
Where does that happen? Is there another mapping for "dangerous, but too important to worry users" permissions? Or is it hardcoded?
Are there other dangerous permissions than INTERNET where this applies?
Related
requestPermissions(permissionsToRequest.toArray(new String[permissionsToRequest.size()]), 101);
In Android, after Marshmallow version, is there any way to turn on dangerous permissions like accessing device's fine location, camera or microphone automatically without user's consultation? If not, why is it so? What is the reason behind it?
I wish I would be able to closely monitor my iPad by using my smartphone while I am at office and it would be good if it were possible to do it without user's consultation. I also know that once an app is installed and if a user accepts for a dangerous permission at least once, then it would not prompt for it again.
By the way, why it is known as dangerous permission and not something like sensitive permission, as it intrudes user's privacy and makes it possible to access stored files on any given user's mobile device?
Dangerous permissions
Dangerous permissions cover areas where the app wants data or resources that involve the user's private information, or could potentially affect the user's stored data or the operation of other apps. For example, the ability to read the user's contacts is a dangerous permission. If an app declares that it needs a dangerous permission, the user has to explicitly grant the permission to the app. Until the user approves the permission, your app cannot provide functionality that depends on that permission.
To use a dangerous permission, your app must prompt the user to grant permission at runtime. For more details about how the user is prompted, see Request prompt for dangerous permission.
Throughout my app I request permissions runtime, but for the READ_SMS permission, I would like to have that permission enabled on download from playstore. How can I request permissions from play store install instead of at runtime?
You can't. It used to be that all permissions were granted at install time. Now, important permissions like that can only be granted at runtime. This is to improve the user's security, allow them to prevent apps from accessing data they don't want to share without realizing it, and allow them to revoke permissions when no longer applicable.
How does I determine which permissions should I ask at runtime and which one is 'enough' to have declared in the manifest?
From the documentation:
System permissions are divided into two categories, normal and dangerous:
Normal permissions do not directly risk the user's privacy. If your app lists a normal permission in its manifest, the system grants the permission automatically.
Dangerous permissions can give the app access to the user's confidential data. If your app lists a normal permission in its manifest, the system grants the permission automatically. If you list a dangerous permission, the user has to explicitly give approval to your app.
See the documentation on normal permissions and dangerous permissions for more details.
Dangerous permissions should ask in runtime, normal enough in manifest. List of dangerous and normal permissions you can see here.
From docs:
System permissions are divided into several protection levels. The two
most important protection levels to know about are normal and
dangerous permissions:
Normal permissions cover areas where your app needs to access data or
resources outside the app's sandbox, but where there's very little
risk to the user's privacy or the operation of other apps. For
example, permission to set the time zone is a normal permission. If an
app declares that it needs a normal permission, the system
automatically grants the permission to the app. For a full listing of
the current normal permissions, see Normal permissions.
Dangerous
permissions cover areas where the app wants data or resources that
involve the user's private information, or could potentially affect
the user's stored data or the operation of other apps. For example,
the ability to read the user's contacts is a dangerous permission. If
an app declares that it needs a dangerous permission, the user has to
explicitly grant the permission to the app. Special Permissions There
are a couple of permissions that don't behave like normal and
dangerous permissions. SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are
particularly sensitive, so most apps should not use them. If an app
needs one of these permissions, it must declare the permission in the
manifest, and send an intent requesting the user's authorization. The
system responds to the intent by showing a detailed management screen
to the user.
For details on how to request these permissions, see the
SYSTEM_ALERT_WINDOW and WRITE_SETTINGS reference entries.
You should always put every permission you want access to in the Manifest. Devices before Android Marshmallow cannot handle runtime permissions, so unless you are targeting only Marshmallow and above, this part is important.
You do not need to ask at runtime for any "Normal Permissions". Only permissions designated as "dangerous" are not given automatically.
If you're targeting Android Marshmallow and above, you've to request for dangerous permissions at runtime. You can find the list here. You should also read this.
I have a multiple module Android M app. Several modules require "WRITE_EXTERNAL_STORAGE" & "READ_EXTERNAL_STORAGE" permissions.
I would like to ask the user for permissions once:
1. Where would be the right place to do that?
1.1 Are permissions granted per activity?
1.2 Would asking for permission in module 1 give permissions to all app?
1.3 Is there a way to ask for both READ & WRITE permissions?
Google has published guidelines describing when to ask for permissions. It depends on context. Your questions 1.1 and 1.2 can be answered with the same info: permissions are granted and denied at the app level. It applies to every part of your app package. For 1.3: they are limited together into a group. When you ask for one you automatically get everything in the group.
This talk from DroidconNYC NYC will give you more details: https://youtu.be/WGz-alwVh8A.
Where would be the right place to do that?
From somewhere in your UI, before you need those permissions.
Are permissions granted per activity?
No, they are for the entire application.
Would asking for permission in module 1 give permissions to all app?
Asking for a permission in a module will give that permission to the entire app, if the user grants you the permission.
Is there a way to ask for both READ & WRITE permissions?
In this case, AFAIK you do not need both. Just ask for WRITE_EXTERNAL_STORAGE. In general, you can request as many permissions as you want; the requestPermissions() method takes a String[] of permission names.
I have noticed in an application I wrote, in-spite of me not specifying any permission in the manifest file, the application throws up permissions granted, such as
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_PHONE_STATE
What is all that about? I was not even aware my application needs to write into external store, and I am pretty sure it doesn't need to. So why are these permission being granted when I never requested for them?
Thoose two were default in earlier API versions. Read more about it: here.