Application permissions

Applications permissions is a widespread coarse-grained way to limit applications' access to sensitive information, like sound recorded by microphone, and valuable resources, like battery, internet traffic and account balance. They are implemented in major state of the art PDA operation systems (Android, iOS, Windows), web browsers and web services providing OAuth API.

Mobile devices

The list of available permissions usually contains accessing^[1]^[2]:

geolocation
- GNSS (GPS, GLONASS, QZSS)
- system providers, using trilateration to nearby wireless networks, though it is possible to implement providers utilising other sensors, like microphone, accelerometer, gysoscope and barometer and an online DB of ambient measurements
sensors and their identifiers and characteristics
- camera
- microphone
- biometric sensors used for identification and authentication, like fingerprint sensor
- biometric sensors used for medical and fitness purposes, like heart rate sensor
- unfortunately, other sensors are usually not behind permissions, but this can be fixed with additional software, like XPrivacy
internet access
wired and wireless interfaces access, including their hardware identifiers and signal strength where applicable
- WiFi
- BlueTooth
- 3G
- 4G
- NFC
- infrared port
- USB
making and receiving phone calls
sending and reading SMS
account to make in-app purchases
showing own GUI elements over other apps' GUI
installing, deleting and otherwise managing applications
changing device settings, including ...
enabling and disabling wireless interfaces
accessing storage
authentication tokens (i.e. OAuth ones) of web services stored in system storage for sharing them between apps
accessing dedicated interfaces registered by other apps, like
- contacts
- calendars, events and appointments
- superuser access on rooted phones
- push-services interfaces

On Android <6 permissions are not usually revokable, though there is AppOps mechanism in some OSes (it's usually present in vanilla Android and aftermarket OSes, but usually removed in stock OSes) allowing to deprive apps access to some personal data. In Android >=6 apps can request permissions in run time, but this requires app developer collaboration (developer is free to use non-runtime permissions only and the app will likely crash if permission is not granted and the ones not granting the permission is not a target audience of an app) ^[3] and some permissions marked as permissions in previous versions of the OS, like internet access, are non-revocable and are not even show on apps installation. This can be fixed with XPrivacy.

On iOS usage of permissions is regulated using the guidelines^[4].

WebPermissions

WebPermissions is a permission system for web browsers. When a web application needs some data behind a permission, it must request it first. When it does it, a user sees a window asking him to make a choice. The choice is remembered, but can be cleared lately.

Currently the following resources are controlled:

geolocation^[5]
desktop notifications^[6]
service workers^[7]^[8]
sensors
- audio capturing devices^[9], like soundcards, and their identifiers and characteristics
- video capturing devices^[9], like cameras, and their identifiers and characteristics

Controversy

In some cases permissions are implemented in 'all-or-nothing' approach: a user either has to grant all the requested permissions to an app, or be unable to use the app. Even if a user can revoke a permission, the app can blackmail a user by refusing to operate, for example just crashing. There are some solutions, such as XPrivacy, which instead of providing access to the requested data instead of throwing an exception and crashing an app returning disinformation to make an app operate as if it was granted.

References

^ "Manifest.permission - Android Developers". developer.android.com.
^ "iOS Security Guide" (PDF).
^ "Runtime Permissions - Android Open Source Project". Android Open Source Project. {{cite web}}: no-break space character in |title= at position 21 (help)
^ Inc., Apple. "Requesting Permission - App Architecture - iOS Human Interface Guidelines". developer.apple.com. {{cite web}}: |last= has generic name (help)
^ "Geolocation API Specification 2nd Edition". www.w3.org.
^ "Notifications API Standard". notifications.spec.whatwg.org.
^ "Push API". www.w3.org.
^ "Web Background Synchronization". wicg.github.io.
^ ^a ^b "Media Capture and Streams". w3c.github.io.

[1] "Manifest.permission - Android Developers". developer.android.com.

[2] "iOS Security Guide" (PDF).

[3] "Runtime Permissions - Android Open Source Project". Android Open Source Project. {{cite web}}: no-break space character in |title= at position 21 (help)

[4] Inc., Apple. "Requesting Permission - App Architecture - iOS Human Interface Guidelines". developer.apple.com. {{cite web}}: |last= has generic name (help)

[5] "Geolocation API Specification 2nd Edition". www.w3.org.

[6] "Notifications API Standard". notifications.spec.whatwg.org.

[7] "Push API". www.w3.org.

[8] "Web Background Synchronization". wicg.github.io.

[w3c.github.io-9] "Media Capture and Streams". w3c.github.io.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]