Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven’t had a chance to read through it yet.

So today I want to talk about Android app permissions and the reason for that is recently I was on a consultation call with a client. I was helping them figure out some issues they were having with an app. Turns out they had some permissions disabled. They don’t know when it happened but I showed them how to access them, how to work through the issue and they were extremely happy knowing that information.

To me that information seemed basic but after thinking about it I’ve been using Android, specifically Graphene OS, for about five years now. So something that might be basic to me could be extremely helpful to someone just getting started so that’s why I’m going to be going through this today.

I also think the art of troubleshooting and problem solving and just learning in general seems to be disappearing for some reason. If you’re looking to get into tech anytime soon, especially in this AI era or whatever you want to call it, there’s only so much you can memorize and so many things you can read about. But if you know how to troubleshoot and problem solve, you will be a much more valuable candidate.

So to get started, this is my test device I use with clients, so don’t trust as a recommendation any of the apps you see listed here. I was just helping people troubleshoot stuff. But what we’re going to be using today as an example is WhatsApp. I don’t use WhatsApp personally, but WhatsApp requests a lot of permissions, so it’s a great example to use.

So to get started, long press on the app. Go to App Info. Once you come to this screen, the second option down is Permissions, and this is what we’ll be talking about today.

The first one you’re going to see, at least on Graphene OS, is the Sensors Permission. This is allowed by default for all apps, which is why you might see it listed as allowed and wonder why it’s there. One side note, you can disable sensors from being allowed by default. If you go into Settings, Security and Privacy, More Security and Privacy, and then disable the third one down, allow sensors permission to apps by default.

Now when that’s disabled and you install any new apps, this will not apply to existing app installations. The sensor permission or sensors permission will not be granted. Sensors are things like your GPS module or the gyroscope module inside your phone. So if you then have an app that has sensors disabled, then that app cannot access those things.

So the reason this is allowed by default is that on GrapheneOS, this permission is exposed to users. Typical Android, it’s not. So if you do have it disabled, just remember you’ll need to enable it if you have an app that needs to use sensors. Otherwise it won’t work.

So getting back to the permissions, if we take a look, the second one, we have call logs. Call logs is just the log of calls on your device. Some of these permissions are self-explanatory based on the name. Some of them are not. Call logs is one that is.

Some of these permissions, I haven’t actually launched the app and gone through the setup yet, but you will be prompted to allow these when you initially launch the app to sign in. I have not yet, so everything is denied.

The second one down is camera. There’s a couple settings when it comes to camera and microphone as you’ll see. There’s allow while using the app and ask me every time or don’t allow. When it comes to something where you’re going to be video chatting regularly, like in Signal, I’ll leave that set to allow only while using the app instead of ask every time. So that’s the camera permission.

Closely tied to this, I’m just going to show you microphone for now. Again, same options for this.

Now this is where we’re going to get into some troubleshooting. Let’s say that you denied the microphone permission and a couple days later you go inside of WhatsApp to make a phone call. You launch the app. You start making a phone call. The person on the other side cannot hear you.

First thing you should check is the global microphone toggle enabled or disabled or global permission. In this case, in the swipe down menu, it’s disabled. So I would enable that. You also get a prompt on Android if it’s disabled. But again, just going through some troubleshooting steps.

So the person can’t hear you. You enable this. They still can’t hear you at that point. The overall phone permission is allowed. Next, you would check the actual app permission for microphone. You would go in there, permission, microphone, set to don’t allow, set it to whichever one you want. The person can now hear you. There you go.

So next we have contacts and accounts, and some of the options you’ll see here are a little different compared to stock Android OS, although I believe Android 17 will be adding this option, but the current Android version does not have this.

So for contacts, you have don’t allow and allow. WhatsApp, I believe, requires you to allow access to your contacts. If I was to use WhatsApp, I wouldn’t want to give it my entire address book. That’s where contact scopes come in.

Now what contact scopes do is they make the app think that it has full access to your contacts, but really you’re giving them a scoped version, thus the name. And in this case, you can do it by label, contact, number, email.

For the example, I’ll just do it by contact. So in these fake contacts, let’s assume that my friends Alex and Alex Wells both have WhatsApp and I want to talk with them. I would only select those contacts. Tap select. We could see the contacts that are allowed. Now when WhatsApp goes to read my contacts, it can only see those two contacts versus my entire contacts list.

Contact scopes are a great way to minimize the amount of data that an app can get, especially if it’s not privacy friendly. I’m a realist when it comes to privacy and security. I understand people have friends and family on WhatsApp or maybe they need to use it for work. If that’s you, don’t be afraid to use WhatsApp on Graphene OS. Just be aware of the added privacy features that are available and make sure to use them.

It’s also worth mentioning that with contact scopes, let’s say you met someone and you added them to your phone contacts and you now want to message them on WhatsApp, you will have to manually add them to the scoped contacts.

So again, you’d go into the app settings, contacts and accounts, contact scopes. Let’s say you met Cameron and you want to add them. Check the box, select. Now that contact will be accessible to WhatsApp.

So that’s contact scopes. That’s the contact permission.

The next one we have location. Location is GPS, things like that. There’s a couple options. I like to use ask every time. I don’t want to give an app permission to use it right when I open it. But again, it’s up to you.

Music and audio. I believe by default, if you do allow, that gives it access to the music folder on Android. But music and audio is similar to contacts where you have storage scopes. Different from contact scopes. This is in regards to storage. So you can enable that. You can give it access to nothing by default. Or you can add a folder, file, things like that.

The next one is nearby devices. This one I usually leave off. Unless you’re pairing some headphones or a speaker or a smart camera something like that then you likely need to turn this on. Nearby Devices uses Bluetooth Low Energy and I think there’s some other things it uses but can’t recall right now. So if you allow that that gives the app access to that but typically you don’t need this.

The next one is Network. This is another permission that Graphene OS exposes. This is a popular one where people have issues so let’s get back to the troubleshooting.

So let’s say you just installed an app you likely saw this box pop up where you could uncheck the allow network permission. If you uncheck it you’ll see something like this where allowed no network under not allowed is network. I found that some people think that just disabling network makes the app more secure but what that means is if you don’t allow network then the app has no network access so it can’t connect to the internet can’t sign into accounts.

Now what that looks like is let’s open WhatsApp. Agree and continue. We now have an alert. A cellular data network is required to activate WhatsApp Messenger.

If I was now troubleshooting this, I’m wondering what was going on. First thing I would check is my network connection working. So what does that look like? Open your browser, pick a website to go to. If the page loads, that means your internet is working on your device and you can access external resources.

So next thing to me is, okay, good network connection. Let’s see what the app permissions look like. Again, long press, app info, permissions. If we look here, as we expected, network is disabled. Change that to allow. Let’s go open WhatsApp again. Agree and continue. And now the app proceeds to load because it can now access the network.

So again, these might seem like basic things, but understanding what’s going on underneath is extremely helpful, especially if you encounter issues. If you’re on iOS, you don’t have any control over a lot of this, which is. things just work. You also don’t have a private device, but that’s another story.

So back to permissions. The next one is the phone permission. And from what I recall, this allows the app to see your phone number. It allows to see if you have a cellular connection, the SIM installed, I think, as well. That’s what the phone permission requires or allows.

Once you sign into WhatsApp or other apps that request this or require it, they will prompt for that permission. But this is, again, just going through it before the initial signup.

We have photos and videos. This is photos and videos on your device. If you change it to always allow all, that’ll allow all access to photos and videos on your device. There’s allow limited access. And with that, you can select the exact photos that you want to allow or the select the exact albums you want. Or there’s also the don’t allow plus storage scopes. And again, that gives you access to add a folder, file, images.

And the last one is SMS. Again this one’s pretty straightforward this gives the app access to your sms messages on your phone and the main reason whatsapp requests this permission is that when you sign up for an account they send you a text message this allows whatsapp to directly read your messages and verify that the verification code is correct it also means they can read all your messages so take that with a grain of salt.

That’s the main permissions. These only show up because the app it’s bundled and i believe the manifest for the app where it’s going to request these permissions. If there’s an app that’s a little more privacy friendly let’s pick the calendar app if you look for the permissions that one has or can request you can see it’s much smaller.

We have calendar access for obvious reasons notification sensors again that’s just one by default and not allowed as contacts and accounts besides that we don’t see any other ones so if you don’t see a bunch of permissions listed for an app that’s because that app did not require those or did not list those in the app’s manifest.

I know we’re getting into the weeds a little bit at this point, but just pointing that out. And if you really want to get into the weeds for the permissions an app has, you can click on the three dots, select all permissions, and you can see the exact things it’s getting when you allowed certain things.

So in this case with contacts and accounts, it can modify your contacts. It can find accounts on the device and read your contacts. You can also tap things in here to get more information. I’d say go here if you’re curious, but you likely don’t need to come here regularly or at all.

That’s all I got for today. I just want to say don’t be afraid to tinker, experiment, learn more, troubleshoot. Even if things go horribly wrong, you can always uninstall the app and start over again. And regardless, you’ll still learn something.

On this channel, I don’t take any sort of sponsorship, but I do have a paid membership that comes with a monthly Q&A along with bonus videos and early access to YouTube videos. So if you want to support me and what I create, you can find out more at membership.com. members.sideofburritos.com.

Thanks again for being here, and I’ll see you next time.

Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven’t had a chance to read through it yet.

Google has been working with the community to make your device security more robust while still being respectful of platform freedom.

That is not my opinion. I am loosely paraphrasing a post on the Android Developers Blog about Android developer verification. But instead of referencing a post clearly written by a marketing team, let’s look at an Ars Technica article talking about this.

Google details a new 24-hour process to sideload unverified Android apps.

Now, I really don’t like this word. I understand why it came about a couple of decades ago, but “sideloading” is just installing an app on your device. Big tech has been using it to demonize installing applications outside official app stores.

If you install an app outside of the Google Play Store on Android, that is called sideloading. If you install an EXE downloaded from the internet on a Windows machine outside of the Microsoft Store, that is also sideloading.

I could keep ranting about this, but I won’t. Just know this: if you sideload an app, you installed an app. Stop using the word “sideload.” It is doing more harm than good.

But Google uses that term, so we will use it here.

With these new limits, Android phones will only install apps from verified developers. To become verified, developers releasing apps outside Google Play will need to provide identification such as a passport or driver’s license, upload signing keys, and pay a 25 dollar fee.

Apps from unverified developers will not be installable unless you go through a new advanced workflow buried in developer settings.

Right now, Android phones alert users about enabling unknown sources and guide them through it. The new process is different and will not be obvious. You have to know where it is and enable it yourself, and it is not quick.

Here is how it works.

First, you must confirm that no one is instructing you. This is meant to prevent scammers from coaching victims.

Next, you must restart your phone and re-authenticate. This is supposed to cut off remote access or active scam calls.

Then you have to wait 24 hours. This delay is intended to break the sense of urgency scammers rely on.

After the wait, you return and verify again.

Finally, you can enable installation of unverified apps. You can choose to allow it temporarily for seven days or indefinitely, although the indefinite option is marked as not recommended.

Once you complete all of this, you can install apps again.

This entire process is difficult to describe without using harsh language. There are several dark patterns here. It is buried in settings, requires a long delay, and discourages enabling it permanently.

It is easy to imagine a future where the indefinite option is removed and the wait time increases.

Yes, users need protection. In 2023, Americans lost over 150 billion dollars to online scams, according to the FTC.

But a 25 dollar fee and ID verification will not stop scammers. If that much money is involved, they will find ways around it. They can buy verified accounts, purchase existing apps, or publish under someone else’s identity.

This is not about protecting users. This is about control. It is about deciding what you can install on your own device and where it can come from.

GrapheneOS recently stated that their system will remain available worldwide without requiring personal identification or accounts. They also said that if their devices cannot be sold in certain regions due to regulations, so be it.

This relates to upcoming rules like operating system age restrictions in places like California.

Some people asked for my thoughts. I do not have much to add. It is terrible.

This will affect what users can install and may also hurt independent developers. If you are building apps for the community, are you going to pay a fee and identify yourself, or stop developing entirely?

That is all for today. The future looks bleak with these changes, but there are still alternatives. You just have to be willing to accept a little discomfort.