## 9.1. Permissions

Device implementations:

* [C-0-1] MUST support the [Android permissions model](http://developer.android.com/guide/topics/security/permissions.html) as defined in the Android developer documentation. Specifically, they MUST enforce each permission defined as described in the SDK documentation; no permissions may be omitted, altered, or ignored.
* MAY add additional permissions, provided the new permission ID strings are not in the `android.*` namespace.
* [C-0-2] Permissions with a `protectionLevel` of [`PROTECTION_FLAG_PRIVILEGED`](https://developer.android.com/reference/android/content/pm/PermissionInfo.html#PROTECTION_FLAG_PRIVILEGED) MUST only be granted to apps preloaded in the privileged path(s) of the system image, and only within the subset of permissions explicitly whitelisted for each app. The AOSP implementation meets this requirement by reading and honoring the whitelisted permissions for each app from the files in the `etc/permissions/` path and using the `system/priv-app` path as the privileged path.

Permissions with a protection level of dangerous are runtime permissions. Applications with `targetSdkVersion` > 22 request them at runtime.

Device implementations:

* [C-0-3] MUST show a dedicated interface for the user to decide whether to grant the requested runtime permissions and also provide an interface for the user to manage runtime permissions.
* [C-0-4] MUST have one and only one implementation of both user interfaces.
* [C-0-5] MUST NOT grant any runtime permissions to preinstalled apps unless:
  * the user's consent can be obtained before the application uses it
  * the runtime permissions are associated with an intent pattern for which the preinstalled application is set as the default handler

If device implementations include a pre-installed app or wish to allow third-party apps to access the usage statistics, they:

* [SR] are STRONGLY RECOMMENDED to provide a user-accessible mechanism to grant or revoke access to the usage stats in response to the [`android.settings.ACTION_USAGE_ACCESS_SETTINGS`](https://developer.android.com/reference/android/provider/Settings.html#ACTION_USAGE_ACCESS_SETTINGS) intent for apps that declare the `android.permission.PACKAGE_USAGE_STATS` permission.

If device implementations intend to disallow any apps, including pre-installed apps, from accessing the usage statistics, they:

* [C-1-1] MUST still have an activity that handles the [`android.settings.ACTION_USAGE_ACCESS_SETTINGS`](https://developer.android.com/reference/android/provider/Settings.html#ACTION_USAGE_ACCESS_SETTINGS) intent pattern but MUST implement it as a no-op, that is, it MUST behave exactly as when the user has declined access.
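A compliance check for C-0-2, added here as an example and not part of the CDD or of AOSP: it parses a constructed whitelist file in the `<privapp-permissions package=...>` XML layout that I assume AOSP uses under `etc/permissions/`, and flags any privileged permission a priv-app requests without an explicit whitelist entry. The privileged permission set and the per-package requests are constructed sample data, not the platform's real lists.

```python
"""Audit: privileged permissions requested by priv-app packages must be
explicitly whitelisted (CDD 9.1, C-0-2). Example code; XML layout assumed."""
import xml.etree.ElementTree as ET

# Constructed sample whitelist in the assumed privapp-permissions layout.
SAMPLE_WHITELIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<permissions>
  <privapp-permissions package="com.example.dialer">
    <permission name="android.permission.MODIFY_PHONE_STATE"/>
    <permission name="android.permission.CAPTURE_AUDIO_OUTPUT"/>
    <deny-permission name="android.permission.PACKAGE_USAGE_STATS"/>
  </privapp-permissions>
</permissions>
"""

# Constructed subset of privileged permissions (not the full platform list).
PRIVILEGED_PERMS = {
    "android.permission.MODIFY_PHONE_STATE",
    "android.permission.CAPTURE_AUDIO_OUTPUT",
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.INTERACT_ACROSS_USERS",
}

# Constructed: permissions each priv-app package declares in its manifest.
SAMPLE_REQUESTS = {
    "com.example.dialer": {"android.permission.MODIFY_PHONE_STATE",
                           "android.permission.PACKAGE_USAGE_STATS",
                           "android.permission.INTERNET"},
    "com.example.oem.helper": {"android.permission.INTERACT_ACROSS_USERS"},
}

def parse_privapp_whitelist(xml_text):
    """Return {package: (allowed, denied)} from one whitelist file."""
    result = {}
    for entry in ET.fromstring(xml_text).findall("privapp-permissions"):
        allowed = {p.get("name") for p in entry.findall("permission")}
        denied = {p.get("name") for p in entry.findall("deny-permission")}
        result[entry.get("package")] = (allowed, denied)
    return result

def audit_priv_grants(whitelist, requests, privileged):
    """Map package -> sorted privileged permissions it requests but that are
    not whitelisted (or are explicitly denied). Empty dict means compliant."""
    violations = {}
    for pkg, requested in requests.items():
        allowed, denied = whitelist.get(pkg, (set(), set()))
        bad = {p for p in requested & privileged if p not in allowed or p in denied}
        if bad:
            violations[pkg] = sorted(bad)
    return violations

if __name__ == "__main__":
    print(audit_priv_grants(parse_privapp_whitelist(SAMPLE_WHITELIST_XML),
                            SAMPLE_REQUESTS, PRIVILEGED_PERMS))
```

A package absent from every whitelist file gets no privileged grants at all, which is the behaviour C-0-2 requires; non-privileged permissions such as `INTERNET` are ignored by the check.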