“Normal” vs. “dangerous” permissions
System permissions are divided into two groups: “normal” and “dangerous.” Normal permission groups are allowed by default, because they don’t pose a risk to your privacy. (e.g., Android allows apps to access the Internet without your permission.) Dangerous permission groups, however, can give apps access to things like your calling history, private messages, location, camera, microphone, and more. Therefore, Android will always ask you to approve dangerous permissions.
In earlier versions of Android, accepting potentially dangerous permission groups was an all-or-nothing affair. You either allowed all permissions an app needed to function — before installation — or you declined them all, which meant you couldn’t install the app. Sketchy app developers could abuse this system to sneak in permissions that went beyond the scope of their app (e.g., calendar apps that not only requested access to your calendar, but also your microphone). Thankfully, that mostly changed with the release of Android 6.0 back in October 2015. Now Android allows you to decide which permissions to accept on a case-by-case basis — after the app is installed.
Sketchy app developers sneak in permissions they don't need. Why would a calendar app need access to your microphone?
“This approach streamlines the app install process, since the user does not need to grant permissions when they install or update the app,” Google says. “It also gives the user more control over the app's functionality; for example, a user could choose to give a camera app access to the camera but not to the device location.”
However, lazy or malicious app developers can skirt this new permission system by intentionally targeting older API levels, which is why you can still find apps on Google Play that request all permissions before installation. This loophole should be closed later in 2018, though.
Potentially dangerous permissions to look out for
Anyone concerned about their privacy and security should keep an eye out for apps that request access to following nine permission groups. Each group contains multiple permissions, and approving a single permission from any group automatically approves all other permissions within that same group. (For example, if you allow an app to see who’s calling you, you’ll allow it to make phone calls, too.)
Allows access to your health data from heart-rate monitors, fitness trackers, and other external sensors.
The good: Fitness apps need this permission to monitor your heart rate while you exercise, provide health tips, etc.
The bad: A malicious app could spy on your health.
Allows apps to read, create, edit, or delete your calendar events.
The good: Calendar apps obviously need this permission to create calendar events, but so do social networking apps that allow you to add events and invitations to your calendar.
The bad: A malicious app can spy on your personal routines, meeting times, etc. — and even delete them from your calendar.
Allows apps to use your camera to take photos and record videos.
Allows apps to read, create, or edit your contact list, as well as access the list of all accounts (e.g., Facebook, Instagram, Twitter, etc.) used on your device.
The good: A communication app can use this to let you text or call other people in your contact list.
The bad: A malicious app can steal the entire contents of your address book and then target your friends and family with spam, phishing scams, etc.
Allows apps to access your approximate location (using cellular base stations and Wi-Fi hotspots) and exact location (using GPS).
The good: Navigation apps can help you get around; camera apps can geo-tag your photos so you know where they were taken; and shopping apps can estimate your address for delivery.
The bad: A malicious app can secretly track your location to build a profile on your daily habits, or even let thieves know when you’re not at home.
Allows apps to use your microphone to record audio.
The good: A music recognition app like Shazam uses this to listen to any music you want to identify; a communication app can use this to allow you to send voice messages to your friends.
The bad: A malicious app can secretly record what’s going on around you, including private talks with your family, conversations with your doctor, and confidential business meetings.
Allows apps to know your phone number, current cellular network information, and ongoing call status. Apps can also make and end calls, see who’s calling you, read and edit your calling logs, add voicemail, use VoIP, and even redirect calls to other numbers.
Allows apps to read, receive, and send SMS messages, as well as receive WAP push messages and MMS messages.
The good: Communication apps can use this to let you message your friends.
The bad: A malicious app can spy on your messages, use your phone to spam others, and even subscribe you to unwanted paid services.
Allows apps to read and write to your internal or external storage.
The good: A music app can save downloaded songs to your SD card, or a social networking app can save your friends’ photos to your phone.
The bad: A malicious app can secretly read, change, and delete any of your saved documents, music, photos, and other files.
Other permission types
In addition to the permissions above, Android also has administrator privileges and root privileges. Here’s what these mean:
What are device administrator privileges?
Device administrator privileges (sometimes called “admin rights”) allow apps to change your device password, lock your phone, or even permanently wipe all data from your device. Malicious apps can use these privileges against you, but they’re also important for legitimate apps. For example, security apps with admin privileges are difficult to uninstall, which helps stop thieves from removing them from your phone. Our free AVG AntiVirus FREE for Android uses device administrator privileges to let you remotely lock or wipe your device if it’s ever lost or stolen.
What are root privileges?
Root privileges (sometimes called “root access”) are the holy grail of permissions. They’re the most dangerous, because any app with root privileges can do whatever it wants — regardless which permissions you’ve already blocked or enabled. As you can imagine, malicious apps with root privileges can wreak havoc on your phone. Thankfully, Android blocks these by default. But malware makers are always looking for ways to get them.
How to check app permissions
Curious which permissions an app requires before you install it? Want to see which permissions are already being used on your phone? Here are 4 ways to check.
1. See app permissions on Google Play before you install
When viewing an app description in Google Play, scroll down to the developer info at the bottom of the screen and tap “Permission details” to see which permissions the app will ask for. (These descriptions are generic and written by Google, so they won’t tell you exactly why that particular app needs the permissions, but they can still help you know what to expect before you install.)
Permission details for any app can be viewed right in Google Play.
2. See all permissions used by a specific app
If you’ve already installed an app, here’s how to check which permissions it has access to.
Open your device Settings and tap Apps. Choose any app, and tap Permissions.
3. See all apps that are using a specific permission
This is similar to the method above, but it works from the opposite direction. You first pick a permission, and then you see every app that’s currently using it.
Open your device Settings and tap Apps. Tap the gear icon, then App permissions. Choose any permission to see which apps are using it.
4. See app permissions by using AVG AntiVirus for Android
Our free AVG AntiVirus app can also show you which of your apps are using high, average, or low permissions — and let you easily change any that you're uncomfortable with. (Get AVG AntiVirus for free from Google Play)
Open AVG AntiVirus and tap the menu icon. Then scroll down and tap App Permissions.
Why am I getting two requests for the same permission?
You might sometimes see two back-to-back notifications for the same permission. This is because the first is from the app itself, explaining why it needs the permission. The second is from Android, and is a generic request for the permission. Only this second request actually allows or rejects the permission.
As Google explains to app developers, “[I]f a user launches a photography app, the user probably won't be surprised that the app asks for permission to use the camera, but the user might not understand why the app wants access to the user's location or contacts. Before you request a permission, you should consider providing an explanation to the user.”
App permissions exist to protect you. They might seem annoying at first, but you only need to approve them once per app, and it’s well worth your time to carefully read and consider these popups before tapping. After all, even malicious apps can sneak into Google Play.