7.13 Request Android permissions carefully
Misconfigured or over-privileged apps can sometimes open the door to attackers by granting unintended permissions.
Newer Android versions support runtime permissions, which allow developers to request permissions from the user at the point they are needed. This has a number of security benefits, including delaying the granting of so-called dangerous permissions.
- Only request the permissions needed for your application to function. Note that even if you request minimum permissions, a logic flaw may still exist that, if exploited, can make your app a confused deputy.
- In general it is best to only request the permissions needed for the app to function; as of Android 6.0 (Marshmallow), runtime permissions were introduced to help users and developers agree on acceptable permissions.
Granting dangerous permissions to your app can make it more of a target. Requesting/gaining the permission only if the user actually needs the functionality can help reduce the specific targeting of your app, or otherwise make it harder to execute an attack.
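The following is an added example, not part of the original guideline, of requesting a dangerous permission only when the user invokes the feature that needs it. The `ScanActivity` class, its strings and the choice of `CAMERA` are hypothetical; it assumes the AndroidX Activity, AppCompat and Core libraries and an AppCompat theme.

```kotlin
import android.Manifest
import android.content.pm.PackageManager
import android.os.Bundle
import android.widget.Button
import android.widget.Toast
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

// Hypothetical activity: CAMERA is the only dangerous permission it declares
// (<uses-permission android:name="android.permission.CAMERA"/> in the manifest).
class ScanActivity : AppCompatActivity() {
    private val camera = Manifest.permission.CAMERA
    // Must be registered before the activity reaches STARTED, so it is a property.
    private val requestCamera =
        registerForActivityResult(ActivityResultContracts.RequestPermission()) { granted ->
            if (granted) startScanner() else scannerUnavailable()
        }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Nothing is requested at launch; the prompt is tied to the user's tap.
        val scan = Button(this).apply { text = "Scan code" }
        scan.setOnClickListener { onScanClicked() }
        setContentView(scan)
    }

    private fun onScanClicked() {
        when {
            // Re-check on every use: the user can revoke the grant in Settings.
            ContextCompat.checkSelfPermission(this, camera) ==
                PackageManager.PERMISSION_GRANTED -> startScanner()
            // A previous denial: explain the purpose before asking again.
            ActivityCompat.shouldShowRequestPermissionRationale(this, camera) ->
                AlertDialog.Builder(this)
                    .setMessage("The camera is used only while you scan a code.")
                    .setPositiveButton(android.R.string.ok) { _, _ -> requestCamera.launch(camera) }
                    .setNegativeButton(android.R.string.cancel, null)
                    .show()
            else -> requestCamera.launch(camera)
        }
    }

    // Placeholders: the real preview is out of scope; denial disables only this feature.
    private fun startScanner() = Toast.makeText(this, "Scanner would start here", Toast.LENGTH_SHORT).show()
    private fun scannerUnavailable() = Toast.makeText(this, "Scanning is off without camera access", Toast.LENGTH_LONG).show()
}
```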
- OWASP Mobile Top 10: M1 - Improper Platform Usage
- CWE: