MASTG-TEST-0254: Dangerous App Permissions
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview¶
In Android apps, permissions are acquired through different methods to access information and system functionalities, including the camera, location, or storage. The necessary permissions are specified in the AndroidManifest.xml file with <uses-permission> tags.
Steps¶
There are multiple tools that can help in finding permissions in use by an app. Refer Obtaining Compiler-Provided Security Features to and use any of the mentioned tools.
- Extract the
AndroidManifest.xmlfile from the APK (see Obtaining Information from the AndroidManifest). - Obtain the list of declared permissions (see Obtaining App Permissions).
Observation¶
The output shows the list of permissions declared by the app.
Evaluation¶
The test fails if there are any dangerous permissions in the app.
Compare the list of declared permissions with the list of dangerous permissions defined by Android. You can find more details in the Android documentation.
Context Consideration:
Context is essential when evaluating permissions. For example, an app that uses the camera to scan QR codes should have the CAMERA permission. However, if the app does not have a camera feature, the permission is unnecessary and should be removed.
Also, consider if there are any privacy-preserving alternatives to the permissions used by the app. For example, instead of using the CAMERA permission, the app could use the device's built-in camera app to capture photos or videos by invoking the ACTION_IMAGE_CAPTURE or ACTION_VIDEO_CAPTURE intent actions. This approach allows the app to access the camera functionality without directly requesting the CAMERA permission, thereby enhancing user privacy.
Demos¶
MASTG-DEMO-0033: Dangerous Permissions in the AndroidManifest with semgrep