One of the critical parts of Android that is often overlooked is app permissions. Any app that you install on your phone has to ask for explicit access to potentially sensitive areas of your device, but they don’t always ask for these honorably.
Thankfully, Android permissions have taken a turn for the better in its most recent update (Android 6.0 Marshmallow), but less than 3% of people have Marshmallow on their devices. Thus, it’s important to know how Android permissions have worked in the past, and how they’ll look in the future.
Let’s take a complete look at permissions under both systems, what they mean for you, why you should care, and what these actually look like in real apps. You’ll learn a lot!
In case this seems like déjà vu: we’ve explained Android permissions before, but they’ve changed so much recently that it’s worth going over again.
What Are Permissions?
It’s simple: Permissions are special privileges that apps must ask for if they want to access sensitive media on your phone.
Because our phones contain so much personal information — like our exact location, contact data, and cameras that can record us — apps can’t just use these unless you tell them it’s okay.
You can check the permissions of an app at any time. If it’s an app that you already have installed, go to Settings > Apps and find the app you’d like to examine. Tap an app and on its info screen, click the Permissions field or scroll down to find the list. Here you can view everything that the app asks for.
If you’d like to view permissions for an app that you’re not using yet, find it on the Google Play Store (either on your phone or using the Web interface) and click Permission Details to view them. They’ll be grouped by type; if you don’t understand them yet, don’t worry! We’ll review some soon.
Why This Matters
Don’t get the idea that permissions are inherently bad, because they’re not! Modern phones are capable of so much, which means they can naturally be used for harm too. Permissions help you keep your device protected from shady apps — just because an app wants a permission doesn’t mean it’s awful.
For instance, Google Maps would be pretty useless if it couldn’t access your location, but when a calculator app needs access to your contacts, that should raise concern. This was the source of the Facebook Messenger app’s controversy a while ago, because people felt that the app was overstepping its bounds on permissions.
Wow. I have never seen more Android permission requests than by Facebook Messenger. Nope. Not installing.
— Michael Dexter (@michaeldexter) March 9, 2016
We’ve written about how invasive the Facebook app’s permissions are, but you have to be prudent with everyday apps too. For instance, when I played a bunch of knockoff Mario games on Android, the majority of them asked for permissions like Contacts and Location.
These apps have no business requesting these, because they’re not necessary for the functionality of the app. Even if an app clearly defines what it wants the permission for (which more developers should do), there’s no guarantee that it’s not abusing the permission.
It’s not fair to say that certain permissions are inherently bad 100% of the time, but because it’s easier for certain ones (location, camera, etc.) to abuse your information, you should treat those permissions with greater care.
The clock on my Android is asking permission for media and photos… No clock, you can not have access to that. Only time due! TIME
— D Smith (@landandwater) February 23, 2016
In the old days, Google would list every single permission that an app required (even minor items like vibration). Now, those are pretty much expected; they’ve moved these into the Other category of permissions, including Full network access since it’s so common these days, especially for in-app ads.
If you’re curious, below is a screenshot of what it looks like to add app permissions when you’re writing an Android app. This is from an app I’m actually writing for a college class — you can see that we need access to the phone’s storage (so we can keep track of user preferences), but we also have to ask for permission to vibrate and access the network. If we didn’t declare those permissions and tried to perform those functions, the app wouldn’t work.
A lot of permissions are self-explanatory, and you’ll likely come across a similar set in many apps, so they shouldn’t take too long to get down. Let’s have a look at a few common ones and what they mean.
- In-app purchases: Allows you to make purchases inside the app. Nearly every free game these days contains in-app purchases, or microtransactions. Most of them are “freemium” games that pretend to be free, but really just want to addict you and take your money. These can be really expensive, so you might want to secure your phone against in-app purchases to keep kids from inadvertently buying them in games.
- Note that in-app purchases aren’t always bad. Some games use them honorably, and non-game apps often use them so you can upgrade to the Pro version — this lets the developer avoid publishing two different app versions. In general, though, “Farm Crush Dice Clash” is going to be laden with microtransactions.
- Camera: Allows full access of your camera. This group only has one permission, so it’s all-or-nothing.
- Microphone: Another group with only one permission; this allows for full access to your microphone in order to record audio.
- Storage: Apps can read your files, save files, or both. A common reason for reading your storage is picking a file to share with a friend, while an app might need to write to storage so it can save a picture you edited.
- Location: This can be your approximate location, which is gathered from Wi-Fi networks near you, or your exact location, which uses your phone’s GPS.
- Identity — Find accounts on the device: This is used when an app wants to find what other accounts you’re signed into on your phone, such as an app letting you sign in with your Google or Facebook account.
- Phone/Device ID — Read phone status and identity: This lets the app know when you’re in a call, so it can avoid interrupting the call. Directly call phone numbers lets an app make a phone call without prompting you to go to the dialer app.
- Device & app history — Retrieve running apps: This lets an app know what other apps are on your phone. This could be abused, but is used “legitimately” by task killer and battery optimizer apps that you should never use.
These are some of the most common, but there are lots of other permissions in the Other category, including Download files without notification, Run at startup, Change network connectivity, and Change your audio settings, all of which could be used maliciously.
By the way, when I was compiling this list, I solely referenced the Facebook app for Android, which asks for all of these permissions and more. Quite frankly, it’s absurd that they ask for some of these permissions; you’re better off with a slim third-party Facebook alternative on your phone.
The Old System (Lollipop and Earlier)
Since the vast majority of Android users aren’t on Marshmallow yet, let’s look at how the permissions system worked in the past, even though it’s (thankfully) on its way out. If you’re not sure which Android version your phone is running, you can go to Settings > About Phone and look for Android Version. 6.0 is Marshmallow, 5.x is Lollipop, and 4.4.x is KitKat; earlier than that is the same for our purposes.
So, the old system of permissions is a blanket choice — you either have to accept every permission an app asks for when you install it, or decline to install the app. This is frustrating for a number of reasons, the most prominent being that a rogue permission could keep you from installing otherwise useful apps. As useful as some Android apps are, you don’t want to make your contacts available to every app that asks for them.
The problems with this method don’t stop there, though. Years ago, each permission was listed separately. If you chose, apps updated automatically — unless a new permission was added. When this happened, you had to explicitly click Accept on the new permission before you updated it, so the same “take it or leave it” rule applied, and apps could be ruined by adding new permissions.
Eventually this meant that permission listings were pretty lengthy, so Google decided to start grouping similar permissions. When you install an app now, you’ll notice these — SMS, for example, contains all possible permissions around your text messages. The problem is that app updates can add additional permissions in a group without asking your permission as they did before.
So, for example, one of the possible SMS permissions is Read your text messages. Perhaps you use the excellent keyboard, SwiftKey, which allows you to personalize your dictionary by reading in how you type from your texts, Gmail, and other sources. You don’t mind giving it access to your texts, so you go ahead and enable it.
A few months down the road, SwiftKey could update to include the Send text messages permission without you even realizing it — this could cost you money if SMS messages are sent to premium numbers or you don’t have unlimited texting! SwiftKey is a reputable app and would never do this, but it’s an example of how unsafe permission groups are.
Apps' gradual hoovering of every Android permission as a metaphor for life.
— Miss Amy (@MissAmyTobey) February 18, 2016
Your only defense under this system is to avoid apps whose permissions you don’t like, or root your phone and install an app that lets you toggle permissions on or off. Because rooting can be complicated and voids your warranty, though, this isn’t a viable solution for most users.
Hopefully now you see the issues with this system, especially when contrasted with iOS, where you can turn individual permissions on or off in any app you please. Android has needed a better way for a long time, and it finally has one.
The New Way (Marshmallow and the Future)
Android Marshmallow arrived with plenty of changes in October 2015 — a new permissions system was among them. Now, permissions are granular, and you don’t have to agree to a blanket set of permissions to install an app.
When you install an app built for Marshmallow, the Play Store will let you know that you can decide on each permission as it comes up. Let’s say your favorite SMS app lets you take pictures inside the messenger, for example. Once you click the button to open the camera in the app, you’ll get a pop-up asking for access to your camera. Obviously you prompted this action, so it makes sense to confirm it.
If you deny a permission, the app won’t be able to use that feature — so if you deny your location to Google Maps, it will appear to not be working right for no reason. If app developers know what they’re doing, they’ll have a check in place to let you know that the app can’t function if you don’t grant the app that permission. Ideally, the app will ask you for permission as you take actions in the app that require them, not all at once as soon as you open it.
There’s still a drawback hanging on from the old system, though. If apps aren’t built to take advantage of Marshmallow’s new features, you’ll still be asked to agree to every permission as soon as you install the app. Once it’s installed, you can find the app in Settings > Apps and toggle its permissions, but the app may break without warning. Even if the app is built for Marshmallow, you can tweak permissions here at any time if you change your mind.
By this point, developers really should be on board with Marshmallow, but you’re bound to come across some apps that are still on the old system. Essentially, you’re free to turn permissions off for any app even if you have to agree to them all at once, but this could break things since the developer hasn’t accounted for them.
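The two checks discussed above (whether an app still uses install-time grants, and whether an update adds a permission inside a group you already accepted) can be run against an app's decoded manifest. This is an added example, not code from the article: the `com.example.keyboard` manifests are constructed, the function names are hypothetical, and the group table is the Android 6.0 platform's grouping of dangerous permissions, whose names differ slightly from the Play Store listing.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Dangerous permissions by group, as defined by the Android 6.0 (API 23) platform.
DANGEROUS = {
    "CALENDAR": ["READ_CALENDAR", "WRITE_CALENDAR"],
    "CAMERA": ["CAMERA"],
    "CONTACTS": ["READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"],
    "LOCATION": ["ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"],
    "MICROPHONE": ["RECORD_AUDIO"],
    "PHONE": ["READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
              "ADD_VOICEMAIL", "USE_SIP", "PROCESS_OUTGOING_CALLS"],
    "SENSORS": ["BODY_SENSORS"],
    "SMS": ["SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"],
    "STORAGE": ["READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"],
}
GROUP_OF = {PREFIX + p: g for g, perms in DANGEROUS.items() for p in perms}

def audit(manifest_xml):
    """Report the grant model and the permission split of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # Assumption: a missing targetSdkVersion is treated as 1, i.e. the old model.
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    names = {e.get(ANDROID + "name") for e in root.iter("uses-permission")} - {None}
    dangerous = {}
    for perm in sorted(n for n in names if n in GROUP_OF):
        dangerous.setdefault(GROUP_OF[perm], []).append(perm[len(PREFIX):])
    return {"model": "runtime" if target >= 23 else "install-time",
            "dangerous": dangerous,
            "other": sorted(n for n in names if n not in GROUP_OF)}

def silent_additions(old_xml, new_xml):
    """Dangerous permissions an update adds inside a group the app already held."""
    old, new = audit(old_xml)["dangerous"], audit(new_xml)["dangerous"]
    added = {g: sorted(set(new[g]) - set(old[g])) for g in new if g in old}
    return {g: perms for g, perms in added.items() if perms}

# Constructed manifests for a hypothetical keyboard app, two successive versions.
def manifest(target, *perms):
    uses = "".join('<uses-permission android:name="%s%s"/>' % (PREFIX, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.keyboard"><uses-sdk android:targetSdkVersion="%d"/>'
            '%s</manifest>' % (target, uses))

V1 = manifest(22, "READ_SMS", "VIBRATE", "INTERNET")
V2 = manifest(22, "READ_SMS", "SEND_SMS", "CAMERA", "VIBRATE", "INTERNET")
```

Calling `silent_additions(V1, V2)` flags only `SEND_SMS`: the camera permission belongs to a group the first version did not hold, so it is not counted as an in-group addition.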
Some Real App Examples
Let’s wrap up by looking at a couple of popular apps and the permissions they ask for. I can’t claim to know the reason for all of them, but I’ve speculated where appropriate.
Snapchat requires the following:
- In-app purchases
- Finding accounts on your device, and reading your contact card
- Reading your contacts
- Your exact location
- Receiving text messages
- Reading whether you’re on the phone
- Reading, saving, and deleting files on your phone
- Full access to your camera and microphone
- The ability to view information about the Wi-Fi you’re connected to
- Preventing your device from sleeping
- Turning on the phone’s flashlight
That’s a pretty big list! Most make sense in the app’s context (which is key when analyzing permissions) — you can sign in with other accounts, and when messaging you can share your location, take pictures, and record voice.
The app requests the ability to prevent sleep so that you get notifications even if your phone isn’t awake. As you see, most permissions can be explained, but it’s up to you if you trust the developer with them.
Pandora asks for these permissions:
- In-app purchases (for subscribing to their premium service)
- Find accounts on device (for signing in with Facebook, etc.)
- Add or modify calendar events and send email to guests without owners’ knowledge (no idea why they need this)
- Read your contacts (for sharing tracks with friends)
- Read phone status and identity (for knowing when you get a call, so it can halt the music)
- Modify or delete the contents of your USB storage and read the contents of your USB storage (for caching data so the music doesn’t have to buffer as much)
- View Wi-Fi connections (likely to determine the quality of your current connection)
- Various other settings, such as Bluetooth control
Overall, Pandora isn’t awful. I don’t understand why they need calendar info, and you could probably do without them knowing your contacts, but there are far worse apps.
Not sure why the @pandora_radio android app needs access to my calendar. This is why I always read permissions in updates.
— System Reset (@iamuhura) April 2, 2013
Let’s take a game for our last sample:
Candy Crush Soda Saga wants to access these on your device:
- In-app purchases (so they can nickel and dime you at every corner)
- Find accounts on the device (for signing in with Facebook)
- Read your contacts (so you can annoy your friends and ask for lives)
- View Wi-Fi connections (likely so they know if you’re on a quality connection)
- A few other permissions, including prevent device from sleeping
Overall, this one isn’t too bad in terms of permissions. The game itself is a different story, but at least this app doesn’t need to know your contacts or calendar information.
No Josh Justice, I don't want to play Candy Crush Soda Saga. Stop sending me invites
— Adam Rice (@AdamRice12) March 9, 2016
You Have Permission
That was a lot to take in, but permissions impact your privacy and are important! Hopefully you learned a lot about the different permissions, how they used to work, and what’s ahead for them.
The takeaway here is to be sure that you don’t install apps recklessly on your phone. All kinds of apps, especially popular ones, are laced with more permissions than they need. If you’re on Marshmallow, be sure to only enable permissions that you’re okay with. If you’re on an older version, always review the list of permissions before you install an app. Be aware of what you’re putting on your phone!
Most permissions don’t do a whole lot if you’re offline, so take a break and enjoy some Android games that don’t need an Internet connection to play.
What other questions do you have about permissions? Are you excited to upgrade to Marshmallow and get control over your permissions? Share your thoughts and questions about permissions in the comments!