MASTG-TEST-0254: Dangerous App Permissions
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview
In Android apps, permissions are acquired through different methods to access information and system functionalities, including the camera, location, or storage. The necessary permissions are specified in the AndroidManifest.xml file with <uses-permission> tags.
Steps
Multiple tools can help find the permissions an app uses. Refer to Obtaining Compiler-Provided Security Features and use any of the mentioned tools.
- Extract the AndroidManifest.xml file from the APK (see Obtaining Information from the AndroidManifest).
- Obtain the list of declared permissions (see Obtaining App Permissions).
Observation
The output shows the list of permissions declared by the app.
Evaluation
The test fails if there are any dangerous permissions in the app.
Compare the list of declared permissions with the list of dangerous permissions defined by Android. You can find more details in the Android documentation.
Context Consideration:
Context is essential when evaluating permissions. For example, an app that uses the camera to scan QR codes should have the CAMERA permission. However, if the app does not have a camera feature, the permission is unnecessary and should be removed.
Also, consider if there are any privacy-preserving alternatives to the permissions used by the app. For example, instead of using the CAMERA permission, the app could use the device's built-in camera app to capture photos or videos by invoking the ACTION_IMAGE_CAPTURE or ACTION_VIDEO_CAPTURE intent actions. This approach allows the app to access the camera functionality without directly requesting the CAMERA permission, thereby enhancing user privacy.
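The comparison described under Evaluation can be scripted. The following is an added example, not part of the MASTG or its demos: it assumes the manifest has already been decoded to text XML, the function names are hypothetical, and the DANGEROUS set is a partial subset chosen for illustration (the Android documentation is the authoritative list).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Partial, hand-picked subset of permissions Android classifies as dangerous;
# the Android documentation remains the authoritative list.
DANGEROUS = {
    "android.permission." + name for name in (
        "CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "WRITE_CONTACTS",
        "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
        "ACCESS_BACKGROUND_LOCATION", "READ_SMS", "SEND_SMS", "RECEIVE_SMS",
        "READ_CALL_LOG", "WRITE_CALL_LOG", "CALL_PHONE", "READ_PHONE_STATE",
        "READ_CALENDAR", "WRITE_CALENDAR", "BODY_SENSORS",
        "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    )
}

def declared_permissions(manifest_xml):
    """Return {permission: maxSdkVersion or None} from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    # <uses-permission-sdk-23> declares permissions for API 23+ only.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                found[name.strip()] = elem.get(ANDROID_NS + "maxSdkVersion")
    return found

def dangerous_permissions(manifest_xml):
    """Declared permissions that appear in the DANGEROUS subset, sorted."""
    return sorted(p for p in declared_permissions(manifest_xml) if p in DANGEROUS)

# Constructed sample manifest (not taken from a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                     android:maxSdkVersion="28"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
    <application android:label="demo"/>
</manifest>"""

if __name__ == "__main__":
    perms = declared_permissions(SAMPLE)
    for perm in dangerous_permissions(SAMPLE):
        print(f"DANGEROUS {perm} (maxSdkVersion={perms[perm]}): check app need")
```

Each flagged entry still needs the context review described above: confirm the app has a feature that requires the permission and that no intent-based alternative would do.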
Demos
MASTG-DEMO-0033: Dangerous Permissions in the AndroidManifest with semgrep