Want to keep learning?

This content is taken from the University of Southampton's online course, Secure Android App Development. Join the course to learn more.

Using permissions

In the previous step we looked at how to create permissions, now we will look at how to use them.

Requesting permissions

To request a permission an app must include a <uses-permission> tag in its AndroidManifest.xml file.

<manifest >
  <uses-permission android:name="com.example.myamazingapp.SOME_PERMISSION"></manifest>

This example requests the permission SOME_PERMISSION in order to access some capability provided by myamazingapp.

Android has many built-in permissions that an app can request. For example, an app can request access to the internet as follows:

<manifest >
  <uses-permission android:name="android.permission.INTERNET"></manifest>

If the requested permission is a dangerous permission the user will have to agree to grant the app that permission.

Enforcing permissions

To use a permission to control access to a component an app can add an android:permission attribute to the component’s declaration in the app’s AndroidManifest.xml file.

<manifest >
  <application >
    <activity android:name="com.example.myamazingapp.SomeActivity"

In the above example, for an app to start SomeActivity (a component of myamazingapp) it must have requested, and been granted, the permission SOME_PERMISSION.

The android:permission attribute can also be set for the <application> element in the app’s AndroidManifest.xml file. This becomes the overall default permission for all the app’s components that do not have their own attribute:permission set.

Permissions and the Principle of Least Privilege

The tag <uses-permission> is used to request a permission, and the attribute android:permission is used to enforce a permission.

If a component enforces a particular permission, then your app must request that permission if it wants to access that component.

Following the Principle of Least Privilege, only request those permissions that your app really needs to perform its function.

Dangerous permissions and Android 6.0

From Android 6.0 (API level 23) onwards the user is asked to grant dangerous permissions requested by an app when that app is run, not when it is installed.

If your app’s target SDK is 23 or higher, and the device is running Android 6.0 or higher, then in addition to requesting permissions in your app’s AndroidManifest.xml file your app must also call requestPermissions() to request them at runtime.

Moreover, the user can revoke an app’s permissions at anytime, so your app should call checkSelfPermission() to determine if it has the permissions it needs whenever it performs an operation that needs a dangerous permission. See the Android documentation for further details.

Share this article:

This article is from the free online course:

Secure Android App Development

University of Southampton