## 9.1\. Permissions

Device implementations:

*   [C-0-1] MUST support the [Android permissions model](http://developer.android.com/guide/topics/security/permissions.html)
    as defined in the Android developer documentation. Specifically, they
    MUST enforce each permission defined as described in the SDK documentation; no
    permissions may be omitted, altered, or ignored.

*   MAY add additional permissions, provided the new permission ID strings
    are not in the `android.*` namespace.

*   [C-0-2] Permissions with a `protectionLevel` of
    [`PROTECTION_FLAG_PRIVILEGED`](https://developer.android.com/reference/android/content/pm/PermissionInfo.html#PROTECTION_FLAG_PRIVILEGED)
    MUST only be granted to apps preinstalled in the privileged path(s) of the system
    image and within the subset of the explicitly whitelisted permissions for each
    app. The AOSP implementation meets this requirement by reading and honoring
    the whitelisted permissions for each app from the files in the
    `etc/permissions/` path and using the `system/priv-app` path as the
    privileged path.

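The following is an added example, not code from the CDD or from AOSP: a small audit helper that applies the C-0-2 rule to a constructed whitelist file in the format AOSP uses under `etc/permissions/` (`<privapp-permissions package="...">` with `<permission>` and `<deny-permission>` children). The package name, APK paths and permission sets in the sample are constructed, and the caller is assumed to pass only the permissions whose `protectionLevel` carries `PROTECTION_FLAG_PRIVILEGED`.

```python
# Added example (not part of the CDD or AOSP): check privileged-permission grants
# against the priv-app whitelist format found under etc/permissions/.
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample in the shape of AOSP's privapp-permissions-*.xml files.
# Package name and permission sets are illustrative, not taken from a real image.
SAMPLE_WHITELIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<permissions>
    <privapp-permissions package="com.example.oem.dialer">
        <permission name="android.permission.MODIFY_PHONE_STATE"/>
        <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
        <deny-permission name="android.permission.CAPTURE_AUDIO_OUTPUT"/>
    </privapp-permissions>
</permissions>
"""

# The privileged path named in the CDD text. Assumption: a device with other
# partitions holding privileged apps would extend this tuple accordingly.
PRIVILEGED_PATHS = ("/system/priv-app",)


def parse_privapp_whitelist(xml_text):
    """Return {package: (allowed_set, denied_set)} from a privapp-permissions file."""
    root = ET.fromstring(xml_text)
    result = {}
    for node in root.findall("privapp-permissions"):
        allowed = {p.get("name") for p in node.findall("permission")}
        denied = {p.get("name") for p in node.findall("deny-permission")}
        result[node.get("package")] = (allowed, denied)
    return result


def is_privileged_path(apk_path):
    """True if the APK lives below one of the privileged paths."""
    parents = PurePosixPath(apk_path).parents
    return any(PurePosixPath(p) in parents for p in PRIVILEGED_PATHS)


def audit_privileged_grants(apk_path, package, requested_privileged, whitelist):
    """Apply C-0-2 to the privileged permissions an app requests.

    A permission is grantable only if the APK is in a privileged path AND the
    permission is whitelisted (and not explicitly denied) for that package.
    Returns (grantable, findings); each finding names a permission that the
    device MUST NOT grant and why.
    """
    allowed, denied = whitelist.get(package, (set(), set()))
    grantable, findings = set(), []
    for perm in sorted(requested_privileged):
        if not is_privileged_path(apk_path):
            findings.append(f"{perm}: {package} is not installed in a privileged path")
        elif perm in denied:
            findings.append(f"{perm}: explicitly denied for {package}")
        elif perm not in allowed:
            findings.append(f"{perm}: not whitelisted for {package}")
        else:
            grantable.add(perm)
    return grantable, findings


if __name__ == "__main__":
    whitelist = parse_privapp_whitelist(SAMPLE_WHITELIST_XML)
    requested = {
        "android.permission.MODIFY_PHONE_STATE",
        "android.permission.CAPTURE_AUDIO_OUTPUT",
        "android.permission.INSTALL_PACKAGES",
    }
    for path in ("/system/priv-app/OemDialer/OemDialer.apk",
                 "/system/app/OemDialer/OemDialer.apk"):
        ok, problems = audit_privileged_grants(path, "com.example.oem.dialer",
                                               requested, whitelist)
        print(path, "grantable:", sorted(ok))
        for p in problems:
            print("  MUST NOT grant", p)
```

Running the script shows the two outcomes the requirement distinguishes: the same package under `system/priv-app` may receive only the whitelisted `MODIFY_PHONE_STATE`, while the copy under `system/app` may receive none of the privileged permissions at all.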
Permissions with a protection level of `dangerous` are runtime permissions.
Applications with `targetSdkVersion` > 22 request them at runtime.

Device implementations:

*   [C-0-3] MUST show a dedicated interface for the user to decide
    whether to grant the requested runtime permissions and also provide
    an interface for the user to manage runtime permissions.
*   [C-0-4] MUST have one and only one implementation of both user
    interfaces.
*   [C-0-5] MUST NOT grant any runtime permissions to preinstalled
    apps unless:
    *   The user's consent can be obtained before the application
        uses it.
    *   The runtime permissions are associated with an intent pattern
        for which the preinstalled application is set as the default handler.
*   [C-0-6] MUST grant the `android.permission.RECOVER_KEYSTORE` permission
    only to system apps that register a properly secured Recovery Agent. A
    properly secured Recovery Agent is defined as an on-device software agent
    that synchronizes with an off-device remote storage, that is equipped with
    secure hardware with protection equivalent or stronger than what is
    described in
    [Google Cloud Key Vault Service](https://developer.android.com/preview/features/security/ckv-whitepaper.html)
    to prevent brute-force attacks on the lockscreen knowledge factor.

Device implementations:

*   [C-0-7] MUST adhere to [Android location permission](https://developer.android.com/privacy/device-location)
    properties when an app requests the location or physical activity data through
    a standard Android API or a proprietary mechanism. Such data includes but is not
    limited to:

    *   Device's location (e.g. latitude and longitude).
    *   Information that can be used to determine or estimate the device's
        location (e.g. SSID, BSSID, Cell ID, or location of the network that the
        device is connected to).
    *   User's physical activity or classification of the physical activity.

More specifically, device implementations:

*   [C-0-8] MUST obtain user consent to allow an app to access the
    location or physical activity data.
*   [C-0-9] MUST grant a runtime permission ONLY to the app that holds
    sufficient permission as described in the SDK (for example,
    [TelephonyManager#getServiceState](<https://developer.android.com/reference/android/telephony/TelephonyManager.html#getAllCellInfo()>)
    requires `android.permission.ACCESS_FINE_LOCATION`).

Permissions can be marked as restricted, which alters their behavior.

*   [C-0-10] Permissions marked with the flag `hardRestricted` MUST NOT be
    granted to an app unless:
    *   The app's APK file is in the system partition.
    *   The user assigns a role that is associated with the `hardRestricted`
        permissions to the app.
    *   The installer grants the `hardRestricted` permission to the app.
    *   The app was granted the `hardRestricted` permission on an earlier
        Android version.

*   [C-0-11] Apps holding a `softRestricted` permission MUST get only limited
    access and MUST NOT gain full access until whitelisted as described in the
    SDK, where full and limited access is defined for each `softRestricted`
    permission (for example, [`WRITE_EXTERNAL_STORAGE`](https://developer.android.com/reference/android/Manifest.permission.html#WRITE_EXTERNAL_STORAGE)
    and [`READ_EXTERNAL_STORAGE`](https://developer.android.com/reference/android/Manifest.permission#READ_EXTERNAL_STORAGE)).

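As an added example (not code from the CDD or from AOSP), the script below checks C-0-10 and C-0-11 against the per-permission state lines that `dumpsys package <pkg>` prints for runtime permissions. The sample excerpt is constructed; the flag names are written the way dumpsys prints `PackageManager`'s `FLAG_PERMISSION_*` constants with the prefix stripped (the `RESTRICTION_*_EXEMPT` and `APPLY_RESTRICTION` flags), and treating `GRANTED_BY_ROLE` as the record of the role exemption is an assumption. The `HARD_RESTRICTED` and `SOFT_RESTRICTED` sets list a few representative members only, not the full lists from the SDK.

```python
# Added example (not from the CDD or AOSP): audit runtime-permission state lines,
# in the style of `dumpsys package <pkg>` output, against C-0-10 (hardRestricted)
# and C-0-11 (softRestricted).
import re

# Representative members of each restricted set (assumption: illustrative, not
# exhaustive; the SDK documentation for each permission is authoritative).
HARD_RESTRICTED = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
}
SOFT_RESTRICTED = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Flags that record a C-0-10 exemption: system partition, installer whitelisting,
# grants carried over from an upgrade. Assumption: role-based grants show up as
# GRANTED_BY_ROLE.
EXEMPT_FLAGS = {
    "RESTRICTION_SYSTEM_EXEMPT",
    "RESTRICTION_INSTALLER_EXEMPT",
    "RESTRICTION_UPGRADE_EXEMPT",
    "GRANTED_BY_ROLE",
}

# Constructed excerpt in the shape of `dumpsys package` runtime-permission lines.
SAMPLE_DUMPSYS = """\
Package [com.example.oem.messaging] (1a2b3c):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|RESTRICTION_SYSTEM_EXEMPT]
      android.permission.SEND_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET|USER_FIXED]
      android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET|APPLY_RESTRICTION]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
"""

LINE_RE = re.compile(
    r"^\s*(?P<perm>[\w.]+): granted=(?P<granted>true|false)"
    r"(?:, flags=\[\s*(?P<flags>[^\]]*)\])?"
)


def parse_runtime_permissions(text):
    """Return {permission: (granted, set_of_flag_names)} for each state line."""
    state = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines such as "Package [...]" or "runtime permissions:"
        raw = m.group("flags") or ""
        flags = {f.strip() for f in raw.split("|") if f.strip()}
        state[m.group("perm")] = (m.group("granted") == "true", flags)
    return state


def audit_restricted_permissions(text):
    """Classify every permission in the excerpt.

    hard_violation: hardRestricted permission granted with no recorded exemption
    hard_exempt:    hardRestricted permission granted under one of the C-0-10 cases
    soft_limited:   softRestricted permission granted but still restricted
    soft_full:      softRestricted permission granted with full (whitelisted) access
    not_granted / unrestricted: nothing to check
    """
    verdicts = {}
    for perm, (granted, flags) in parse_runtime_permissions(text).items():
        exempt = bool(flags & EXEMPT_FLAGS)
        if not granted:
            verdicts[perm] = "not_granted"
        elif perm in HARD_RESTRICTED:
            verdicts[perm] = "hard_exempt" if exempt else "hard_violation"
        elif perm in SOFT_RESTRICTED:
            limited = "APPLY_RESTRICTION" in flags or not exempt
            verdicts[perm] = "soft_limited" if limited else "soft_full"
        else:
            verdicts[perm] = "unrestricted"
    return verdicts


if __name__ == "__main__":
    for perm, verdict in audit_restricted_permissions(SAMPLE_DUMPSYS).items():
        print(f"{verdict:15} {perm}")
```

In the constructed excerpt, `READ_SMS` is granted under the system-partition exemption and passes, `SEND_SMS` is granted with no exemption recorded and is reported as a C-0-10 violation, and `WRITE_EXTERNAL_STORAGE` carries `APPLY_RESTRICTION`, which is the limited-access state C-0-11 requires for a non-whitelisted app.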
If device implementations include a pre-installed app or wish to allow
third-party apps to access the usage statistics, they:

*   [SR] are STRONGLY RECOMMENDED to provide a user-accessible mechanism to grant
    or revoke access to the usage stats in response to the
    [`android.settings.ACTION_USAGE_ACCESS_SETTINGS`](https://developer.android.com/reference/android/provider/Settings.html#ACTION_USAGE_ACCESS_SETTINGS)
    intent for apps that declare the `android.permission.PACKAGE_USAGE_STATS`
    permission.

If device implementations intend to disallow any apps, including pre-installed
apps, from accessing the usage statistics, they:

*   [C-1-1] MUST still have an activity that handles the
    [`android.settings.ACTION_USAGE_ACCESS_SETTINGS`](https://developer.android.com/reference/android/provider/Settings.html#ACTION_USAGE_ACCESS_SETTINGS)
    intent pattern but MUST implement it as a no-op, that is, with behavior
    equivalent to the user having declined access.
