Permissions that can have a large impact on user privacy, marked as dangerous or "not for use by third-party applications" by Android,
should be requested only if they are really necessary to implement critical features of an application.
Ask Yourself Whether
- It is not sure that
dangerous permissions requested by the application are really necessary.
- The users are not clearly informed why and when
dangerous permissions are requested by the application.
You are at risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to carefully review all the permissions and to use dangerous ones only if they are really necessary.
Sensitive Code Example
In AndroidManifest.xml:
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <!-- Sensitive -->
<uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> <!-- Sensitive -->
Compliant Solution
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <!-- Compliant -->
See
