## 9.1. Permissions

Device implementations:

* [C-0-1] MUST support the [Android permissions model](http://developer.android.com/guide/topics/security/permissions.html) as defined in the Android developer documentation. Specifically, they MUST enforce each permission defined as described in the SDK documentation; no permissions may be omitted, altered, or ignored.

* MAY add additional permissions, provided the new permission ID strings are not in the `android.*` namespace.

* [C-0-2] Permissions with a `protectionLevel` of [`PROTECTION_FLAG_PRIVILEGED`](https://developer.android.com/reference/android/content/pm/PermissionInfo.html#PROTECTION_FLAG_PRIVILEGED) MUST only be granted to apps preinstalled in the privileged path(s) of the system image and within the subset of the explicitly whitelisted permissions for each app. The AOSP implementation meets this requirement by reading and honoring the whitelisted permissions for each app from the files in the `etc/permissions/` path and using the `system/priv-app` path as the privileged path.

Permissions with a protection level of dangerous are runtime permissions. Applications with `targetSdkVersion` > 22 request them at runtime.

Device implementations:

* [C-0-3] MUST show a dedicated interface for the user to decide whether to grant the requested runtime permissions and also provide an interface for the user to manage runtime permissions.
* [C-0-4] MUST have one and only one implementation of both user interfaces.
* [C-0-5] MUST NOT grant any runtime permissions to preinstalled apps unless:
    * The user's consent can be obtained before the application uses it.
    * The runtime permissions are associated with an intent pattern for which the preinstalled application is set as the default handler.
* [C-0-6] MUST grant the `android.permission.RECOVER_KEYSTORE` permission only to system apps that register a properly secured Recovery Agent. A properly secured Recovery Agent is defined as an on-device software agent that synchronizes with an off-device remote storage, that is equipped with secure hardware with protection equivalent to or stronger than what is described in [Google Cloud Key Vault Service](https://developer.android.com/preview/features/security/ckv-whitepaper.html) to prevent brute-force attacks on the lockscreen knowledge factor.

Device implementations:

* [C-0-7] MUST adhere to [Android location permission](https://developer.android.com/privacy/device-location) properties when an app requests the location or physical activity data through a standard Android API or a proprietary mechanism. Such data includes but is not limited to:

    * Device's location (e.g. latitude and longitude).
    * Information that can be used to determine or estimate the device's location (e.g. SSID, BSSID, Cell ID, or location of the network that the device is connected to).
    * User's physical activity or classification of the physical activity.

More specifically, device implementations:

* [C-0-8] MUST obtain user consent to allow an app to access the location or physical activity data.
* [C-0-9] MUST grant a runtime permission ONLY to the app that holds sufficient permission as described in the SDK. For example, [TelephonyManager#getServiceState](https://developer.android.com/reference/android/telephony/TelephonyManager.html#getAllCellInfo()) requires `android.permission.ACCESS_FINE_LOCATION`.

Permissions can be marked as restricted, altering their behavior.

* [C-0-10] Permissions marked with the flag `hardRestricted` MUST NOT be granted to an app unless:
    * An app APK file is in the system partition.
    * The user assigns a role that is associated with the `hardRestricted` permissions to an app.
    * The installer grants the `hardRestricted` permission to an app.
    * An app was granted the `hardRestricted` permission on an earlier Android version.

* [C-0-11] Apps holding a `softRestricted` permission MUST get only limited access and MUST NOT gain full access until whitelisted as described in the SDK, where full and limited access is defined for each `softRestricted` permission (for example, [`WRITE_EXTERNAL_STORAGE`](https://developer.android.com/reference/android/Manifest.permission.html#WRITE_EXTERNAL_STORAGE) and [`READ_EXTERNAL_STORAGE`](https://developer.android.com/reference/android/Manifest.permission#READ_EXTERNAL_STORAGE)).

If device implementations include a pre-installed app or wish to allow third-party apps to access the usage statistics, they:

* [SR] are STRONGLY RECOMMENDED to provide a user-accessible mechanism to grant or revoke access to the usage stats in response to the [`android.settings.ACTION_USAGE_ACCESS_SETTINGS`](https://developer.android.com/reference/android/provider/Settings.html#ACTION_USAGE_ACCESS_SETTINGS) intent for apps that declare the `android.permission.PACKAGE_USAGE_STATS` permission.

If device implementations intend to disallow any apps, including pre-installed apps, from accessing the usage statistics, they:

* [C-1-1] MUST still have an activity that handles the [`android.settings.ACTION_USAGE_ACCESS_SETTINGS`](https://developer.android.com/reference/android/provider/Settings.html#ACTION_USAGE_ACCESS_SETTINGS) intent pattern but MUST implement it as a no-op, that is, with behavior equivalent to the user having declined access.
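The [C-0-2] rule above (privileged permissions only for APKs in a privileged path and only when explicitly whitelisted per app), as an added example that is not part of the CDD or of AOSP: a small Python checker that parses a constructed `etc/permissions/`-style whitelist and audits proposed grants. The XML layout is assumed to follow the AOSP `privapp-permissions` convention (`privapp-permissions`, `permission` and `deny-permission` elements); the package names, APK paths and the `PRIVILEGED_PATHS` tuple are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample whitelist in the assumed privapp-permissions XML
# convention; not copied from any real device image.
WHITELIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<permissions>
  <privapp-permissions package="com.example.dialer">
    <permission name="android.permission.MODIFY_PHONE_STATE"/>
    <permission name="android.permission.STATUS_BAR"/>
  </privapp-permissions>
  <privapp-permissions package="com.example.launcher">
    <permission name="android.permission.STATUS_BAR"/>
    <deny-permission name="android.permission.MODIFY_PHONE_STATE"/>
  </privapp-permissions>
</permissions>
"""

# Assumption: the privileged paths this checker honours (the CDD names
# system/priv-app as the path used by the AOSP implementation).
PRIVILEGED_PATHS = ("/system/priv-app/", "/product/priv-app/")


def load_whitelist(xml_text):
    """Return {package: (allowed_set, denied_set)} parsed from the XML."""
    root = ET.fromstring(xml_text)
    table = {}
    for entry in root.findall("privapp-permissions"):
        pkg = entry.get("package")
        allowed = {p.get("name") for p in entry.findall("permission")}
        denied = {p.get("name") for p in entry.findall("deny-permission")}
        table[pkg] = (allowed, denied)
    return table


def may_grant_privileged(whitelist, package, apk_path, permission):
    """C-0-2 decision: grant only if the APK lives in a privileged path AND
    the permission is explicitly whitelisted (and not denied) for the app."""
    if not apk_path.startswith(PRIVILEGED_PATHS):
        return False  # preinstalled elsewhere (e.g. /system/app) does not qualify
    allowed, denied = whitelist.get(package, (set(), set()))
    return permission in allowed and permission not in denied


def audit(whitelist, requests):
    """requests: iterable of (package, apk_path, permission) tuples.
    Returns the requests that violate C-0-2 and must therefore be refused."""
    return [r for r in requests if not may_grant_privileged(whitelist, *r)]
```

A missing package entry is treated as an empty whitelist, so an unlisted priv-app gets nothing privileged by default.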