Sensitive Permissions on Android: How-To Guide, Changes, and Policies

Privacy on Android has taken a huge leap forward in recent years, yet it remains a topic worth staying up to date on. Sensitive permissions on Android are the key to accessing your data and critical device functions., as happens when a app is collecting too much data, and understanding how they are granted, reviewed, and limited, helps us better decide what to install and what to authorize.

In addition to the system itself, Google Play and its policies have tightened control with reviews, restrictions, and informational labels. Recent changes include new types of permissions, more granular controls, and visible alerts when an app uses the camera, microphone, or location.Below you'll find a complete, practical, and up-to-date guide to safely navigate this terrain.

Sensitive permission categories that require special attention

There are sensitive permission groups on Android that directly impact your privacy or system security. It is useful to know them in order to detect unjustified requests and make informed decisions. when to authorize or when to deny.

• SMS and call log.
• Location.
• Access to all files.
• Photo and video permissions.
• Package (application) visibility.
• Accessibility API.
• Request package installation.
• VPN service.
• Exact alarms.
• Full screen intent.

Body sensor permissions and the change in Android 16

Data from health sensors (heart rate, oxygen saturation, skin temperature, etc.) is personal and sensitive. Apps that request access to this data are reviewed to ensure usage is aligned with direct benefits to the user., such as fitness, wellness, condition monitoring, research with approvals, or wearable features.

Traditionally, it has been used BODY_SENSORS (and in the background BODY_SENSORS_BACKGROUND), but from Android 16 migration towards more precise space permits android.permissions.health.*. This introduces specific authorizations such as READ_HEART_RATE, READ_OXYGEN_SATURATION o READ_SKIN_TEMPERATURE, strengthening privacy by limiting exactly what type of data is requested.

For apps targeting Android 16 and later, It is mandatory to use the new detailed permissions instead of the broad permission, and each request is reviewed to confirm that it fits into approved and user-visible cases.

Health Connect centralizes health and fitness data on your device. May only be used for approved purposes such as fitness, wellness, rewards, training, corporate wellness, research, and healthcare., and apps cannot extend that access for undisclosed purposes.

To request Health Connect permissions, your app must offer features that benefit health or fitness. Valid examples include recording, monitoring and analyzing physical activity, sleep, mental well-being, nutrition or health measures., store that data on the device and share it with other integrated apps that comply with approved uses, for example in wearable functions such as sync your Fitbit.

Types of permissions on Android and levels of protection

Sensitive permissions in Android are classified by their impact and how they are granted. Understanding these categories helps you anticipate when you will need to request authorization at runtime. and what users will see.

Permissions at installation time

They are automatically granted when installing the app and represent a low risk. Normal and signature permissions come in here., with different levels of protection.

• Normal permissions. They allow actions outside the sandbox, but with minimal risk to privacy and the functioning of other apps. Android marks them as having a normal protection level, and they are granted without a runtime dialog.
• Signature permissions. They are only granted if the app is signed with the same certificate that defined the permission (the platform or OEM). Privileged services like Autofill or VPN use signing permissions, and many are not available to third parties (see enable root permissions on Android).

Runtime permissions

Also called dangerous, they give access to sensitive data and actions (contacts, location, camera, microphone, etc.). You should request them at the appropriate time of use and not assume that they are already granted.The system displays a dialog box for the user to decide.

Special permissions

This type of sensitive permission on Android restricts key operations such as drawing over other apps or managing full-screen notifications. System settings include a Special App Access panel to toggle many of these operations. Technically, Android associates them with an appop-type protection level.

Recommended workflow for using permissions

When working with sensitive permissions on Android, it is advisable to follow these guidelines:

• Before declaring a permission, consider whether you can fulfill the use case without accessing restricted data. Many functions can be solved without permissions or with less invasive alternatives. (content selectors, system intents, etc.).
• If you need a permit, declare it and apply for authorization where appropriate. Associates the request with a specific user actionFor example, it asks for the microphone right when it's time to send an audio message, not before.
• Check the dependencies: The libraries you integrate may have additional permission requirements.. Document what they are used for and whether they are really necessary.
• Transparency drives conversion: Explain what data you need, why, and what is lost if it is deniedAnd when accessing sensitive hardware, add your own indicators if the system doesn't display them, so the user knows when it's being used.
• You can also restrict how other apps interact with components of yours, Using permissions on components to limit access and exports to the essentials.

Review and adjust sensitive permissions on Android

From the Play Store, go to the app's listing, scroll down to the technical information section, and tap "View details" in the permissions section. There you will see in summary what permissions that application requests. before even installing it.

In your device's Settings, go to Apps, select the app, and then tap Permissions. You can grant or revoke one by one according to your criteria. Another shortcut is the Permissions Manager, where you can filter by type (location, camera, etc.).

If you find an unjustified permission, revoke it and consider uninstalling the app. You can also report it as inappropriate from the menu on its Play Store page. so that other users are notified and Google reviews it if reports accumulate.

Remember that even solid platforms require caution. Popular forums and networks display cookie and privacy notices, but the ultimate responsibility for what you install and what you authorize is yours.

Installation, runtime and technical aspects

Sensitive permissions on Android include so-called installation permissions, such as those for internet access or reading external storage. They are declared in the manifest and granted upon installationAlthough they appear in the store, many people don't check them, so their impact is often considered less than runtime listings.

For location, there are two levels: ACCESS_COARSE_LOCATION (approximate) and ACCESS_FINE_LOCATION (precise). Since Android 12 you can only give approximate to limit precision, depending on what each app asks of you and what seems reasonable to you.

Dangerous permissions are requested at runtime, using modern compatibility APIs. The app should check if it already has the permission and, if not, ask for it at the right point in the flow.The system returns the decision asynchronously so the app can react (continue, show an alternative, or explain the reason).

It is advisable to manage versions: The request logic applies from Android 6 onwardsIn previous versions, these permissions were granted upon installation. It's also good practice to provide a prior explanation when the permission is sensitive, to improve acceptance.

Since Android 11, if you don't use an app for months, The system may automatically revoke previously granted permissions. That's why it's recommended that the app verify each sensitive access at the time of use.

Good practices for developers and users

• Less is more: Request the minimum number of permits necessary and as late in the flow as possible.If there's another, less intrusive way that accomplishes the goal, use it.
• Inform clearly: Say what data you are requesting, why, and what is gained or lost by granting it.Maintain a comprehensive, accessible privacy policy that's tailored to your product's needs.
• Take care of the dependencies: When integrating libraries, check the permissions they carry and avoid adding those that ask for access you don't need.
• Control exposure: Restrict exported components and use permissions on components to limit interactions with other apps to what is essential.
• And as a user, be wary of anything that doesn't fit: Revoke suspicious permissions, uninstall on demand, and report to the store to help the community and force reviews where appropriate.

Ultimately, optimal management of sensitive permissions on Android is a combination of granular permissions, Google Play reviews, dashboards, and real-time notifications. In short, more tools than ever to protect you. By granting access only when it adds value, regularly reviewing and understanding what each app requests, you can enjoy Android with much greater peace of mind.

Related article:

How to detect if apps are spying on you in the background on Android

Daniel Terrasa

Editor specialized in technology and internet issues with more than ten years of experience in different digital media. I have worked as an editor and content creator for e-commerce, communication, online marketing and advertising companies. I have also written on economics, finance and other sectors websites. My work is also my passion. Now, through my articles in Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.