Developer

Understanding Android app permissions

Android's permission mechanism enforces that each app can only perform actions that it declared it could do. Learn how to add permissions to your app's manifest.

The Android mobile OS uses a permission system to help ensure that apps behave appropriately. The system allows apps to request access to features on the device that can use power, access sensitive data, and incur charges.

This isn't just behind the scenes, though — your choices can affect how users perceive the app. It is worthwhile for you to carefully consider what permissions your app requests, because users can verify the appropriateness of those permissions before installing the app. If they deem a permission to be inappropriate, they might post a negative comment about your app.

How to add a permission to your Android app

There are a long list of permissions that an Android app can request. Many of the permissions you won't use, and some of them you cannot use unless you are building a system app.

The specific permissions that your app needs to request will depend on what your app does. Internet access is a common one (especially for ad-supported apps, which need to acquire the ads). Other permissions, such as reading and writing contacts or recording audio, should be tied to the purpose of your app.

Each permission is added to its own line in the manifest. The convention is to put the permissions above the application section, as such:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
      package="com.android.example"
      android:versionCode="1"
      android:versionName="1.0.0"
>
    <uses-sdk
        android:minSdkVersion="5"
        android:targetSdkVersion="10"
    />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <application>
        ...
    </application>
</manifest>

Missing any required permissions will cause your app to fail in the user's hands, so testing the final build on real devices is an important part of the process.

How permissions can affect app use and adoption

A few users may leave a negative comment in the store if your app requests inappropriate permissions, such as recording audio in an app that doesn't respond to audio. A few more users may complain about appropriate permissions, such as Internet access in an ad-supported app. Far more users will look at an app with too many permissions and simply move on without providing feedback, leaving you no way to track how many downloads you lost; the only way to combat this is to minimize permissions you don't need.

Apps such as Permission Explorer and Permission Friendly Apps can examine the permissions required by apps on a device, for users who are interested in investigating. Take a look at what permissions the other apps on your device are requesting — it's a zoo! Even so, being careful with permissions can help make it easier for users to make the leap to download your app.

Different permissions between different app markets and app versions

Removing unused permissions sounds simple enough, but sometimes you'll run into snags. For instance, in my recent app update to add in-app purchasing, I integrated support for Google Play and the Amazon Appstore. Both billing solutions are in one project, and I control which one is active with a build flag.

However, while my apps have been doing very well on the Samsung Store, their in-app billing library was a sticking point. My options were to:

  • Add new permissions to my app's manifest
  • Create a separate project for Samsung (read my post on library projects)
  • Wait until later to support in-app billing for Samsung

I didn't want to add unused permissions in the manifest, nor did I like the idea of adding additional maintenance effort for this app by creating an additional project. Therefore, support for Samsung in-app billing will have to wait.

I noticed that my Amazon build still has the "com.android.vending.BILLING" permission that is only needed on Google Play, but that is less of a concern to me than the GET_ACCOUNTS and SEND_SMS, which Samsung required for some of its billing methods. I have seen other Amazon apps do the same thing, so I will leave it that way unless I get a complaint from Amazon or a customer.

Conclusion

Savvy Android users will likely spot and complain about an app's unrelated permissions. It's worth the time it takes to add all of the necessary permissions and minimize unused or unrelated permissions. Your extra effort might pay off in app adoption numbers.

About Tim Mackenzie

Tim Mackenzie, author of the Android Income Series books, is a software engineer that escaped the cubicle world at a large company to go solo with Android app development. He uses this freedom to teach others how to make money with Android apps. Visi...

Editor's Picks

Free Newsletters, In your Inbox