Android App Permissions Explained: What to Allow and What to Refuse

By The ApkcortJuly 12, 202615 min read
Android App Permissions Explained: What to Allow and What to Refuse — The Apkcort

Here is android app permissions explained in plain terms: a permission is a request for access to something that can be used against you, and the only sensible default is to say no until the app proves it needs the access to do the job you installed it for. Grant location to a maps app, refuse it to a torch app. Grant the microphone to a voice recorder, refuse it to a photo editor. Most apps that ask for everything are collecting data, not building features. The rest of this guide explains which permissions actually matter, which ones are noise, and how to audit what you have already given away. It is the Android guide of The Apkcort.

What a permission actually is, underneath the pop-up

Android runs every app in its own sandbox. By default an app can read and write its own private files, talk to the internet, and draw on the screen. It cannot read your messages, see your photos, know where you are, or hear what you are saying. Permissions are the doors out of that sandbox. When an app asks for the camera, it is asking the operating system to hand it a live feed of what your camera sees, for as long as the app is allowed to run.

That framing matters because people treat permission prompts as bureaucratic friction, something to click through so the app will finally open. They are not friction. They are the entire security model. Android’s sandbox is genuinely strong; the overwhelming majority of harm done by ordinary apps happens because a user tapped Allow on a dialogue they did not read. Malware rarely breaks Android. It asks politely, and we say yes.

There is a second, quieter reason permissions matter: data brokerage. A large number of otherwise legitimate apps embed advertising and analytics SDKs that hoover up whatever the host app is permitted to see. The app developer may never look at your location history. The ad network bundled into their app will, and it will merge it with the same identifier collected from forty other apps on forty million other phones. The permission you granted to a photo filter becomes a line in a dataset sold to whoever pays.

The permission tiers Android uses

Not all permissions are equal, and Android sorts them into rough tiers. Understanding the tiers is more useful than memorising a list.

Normal permissions

These are granted automatically at install with no prompt: internet access, vibration, setting an alarm, seeing whether you are connected to Wi-Fi. They are considered low risk. Note that internet access is in this tier. Every app you install can phone home, and there is no toggle in stock Android to stop it. That is worth sitting with for a moment, because it means the real question is never “can this app send data” — it always can — but “what does this app have access to that it could send”.

Runtime permissions

These are the ones you see in dialogues: camera, microphone, location, contacts, calendar, phone, SMS, nearby devices, body sensors, notifications, and access to photos or media files. They are requested when the app first needs them, and you can revoke them later. This is where nearly all of your decisions live.

Special access permissions

These are the dangerous ones that do not get a simple pop-up, because Google deliberately makes them awkward. Instead you are bounced into a settings screen and have to flip a toggle yourself. They include: display over other apps, install unknown apps, accessibility services, notification access, usage access, all files access, and ignore battery optimisations. If an app is pushing you into one of these screens, stop and think properly. This tier is where real damage happens.

Permission by permission: what to allow and what to refuse

The honest rule is contextual, not absolute. A permission is fine when it is obviously load-bearing for the feature you want, and suspicious when it is not. The table below is a starting point, not gospel.

Permission Legitimate reason to grant Red flag if requested by Default stance
Precise location Maps, navigation, ride-hailing, weather with live radar, fitness tracking a route Torch, calculator, wallpaper, keyboard, most games, photo editors “While using the app” only
Background location Turn-by-turn navigation that continues with the screen off, geofenced reminders Almost anything else, including shopping and social apps Refuse unless you can name the feature
Camera Camera apps, video calling, document and QR scanning, AR features Keyboards, file managers, note apps that do not scan Grant, but check it is not “always”
Microphone Voice recording, calls, dictation, music identification, video capture Anything with no audio feature at all Grant only for the obvious use
Contacts Messaging and calling apps, email clients, contact backup Games, utilities, photo apps, “find your friends” prompts in unrelated apps Refuse by default
SMS and call logs Your default messaging or dialler app, and essentially nothing else Any app that offers to “auto-read your OTP” for convenience Refuse. This is the highest-value target for fraud
Photos and media Galleries, editors, backup tools, anything you upload images from Apps that only need one image — use the system picker instead Prefer “select photos” over “allow all”
All files access File managers, serious backup tools, some offline media players Everything else, and especially cleaners and boosters Refuse unless the app’s entire purpose is files
Accessibility service Genuine assistive tools, password managers doing autofill on older devices, some automation apps Any app that says it needs it to “work properly” without explaining why Refuse unless you fully trust the developer
Display over other apps Chat heads, screen recorders with a floating button, timers Random utilities, and any app you sideloaded from an unknown source Refuse by default
Install unknown apps Your browser or file manager, temporarily, when you are deliberately sideloading Any app that asks for it without you initiating an install Turn it back off afterwards
Notification access Smartwatch companions, notification history tools, some car interfaces Anything else — it can read the content of every notification you get Refuse by default

The three permissions that do the most damage

Accessibility services

Accessibility exists so that people who cannot see the screen or use a touchscreen normally can still operate a phone. To do that, the service is allowed to read everything on screen and to perform taps and gestures on your behalf. Put plainly: an app with accessibility access can see what you type, read what is displayed in your banking app, and press buttons without you touching the phone.

Every serious piece of Android banking malware in the last decade has hinged on this. The infection routine is almost always the same. You install something from outside the Play Store, it opens with a screen saying it needs accessibility to “enable overlay protection” or “for the app to function”, it bounces you to the settings page, and from that point on it can quietly drain accounts while you look at a fake loading screen. If an app that is not obviously an assistive tool asks for accessibility, the answer is no. There is no version of that request that ends well for a normal user. This is one of the clearest lessons in our guide to how to remove Android malware.

SMS and the OTP shortcut

Read SMS is a permission that sounds trivial and is not. One-time passcodes still travel by text for a great many banks, exchanges and government services. An app with SMS read access can intercept those codes before you see them, and combined with a leaked password that is a complete account takeover. Modern Android provides an SMS Retriever API precisely so that apps can auto-fill an OTP without ever getting blanket SMS access. Legitimate developers use it. An app demanding full SMS permission “for your convenience” is either lazy or hostile, and you cannot tell which from the outside.

Display over other apps

Overlay permission lets an app draw on top of whatever else is running. Used well, that is a floating chat bubble. Used badly, it is an invisible layer that captures your taps, or a pixel-perfect fake login screen drawn over the real banking app. Newer Android versions have hardened against the worst tapjacking tricks, but the permission is still powerful and it is still one of the standard components of a malicious toolkit. Very few apps need it. Grant it to the two or three that clearly do, and refuse the rest.

Where sideloaded APKs change the calculation

Everything above applies to apps from the Play Store, where at least there is some review, a developer identity, and a takedown mechanism. When you sideload, the safety net thins out considerably, and permissions become your main line of defence rather than a secondary one.

The important thing to understand is that an APK from an unofficial source can be a repackaged version of a real app. The icon is right, the interface is right, the features work — and an extra payload has been bolted on, along with extra permissions the real app never asked for. This is exactly why the permission list of a sideloaded app deserves scrutiny that a Play Store app does not always need. If a supposedly identical build of a well-known app is requesting accessibility, SMS or device admin when the official version does not, you are holding a modified build. Delete it.

Before you install anything from outside the store, it is worth reading our explainers on are APK files safe and how to spot a fake APK. The short version: the file format is neutral, the source is everything, and the permission screen is the last checkpoint before you hand over the keys.

How to audit the permissions you have already granted

Most people’s phones carry years of accumulated Allows from apps they no longer use. An audit takes about fifteen minutes and is genuinely worth doing once or twice a year.

Use the permission manager, not the app list

Go to Settings, then Privacy or Security and Privacy depending on your manufacturer, then Permission manager. This flips the view around: instead of one app at a time, you see one permission at a time and every app that holds it. Open Location. Open Microphone. Open Camera. Open Contacts. You will find things you do not remember agreeing to, and the ones that surprise you are the ones to revoke.

Revoking is safe. If you cut off a permission an app genuinely needs, the app will simply ask again the next time it needs it, and you can reconsider then with the context of what you were trying to do. Nothing breaks permanently. This is the single reason the audit is low risk and high value: the cost of a wrong revoke is one extra tap later.

Check the special access screens separately

The permission manager does not show the dangerous tier. You need to look at those individually, usually under Settings, Apps, Special app access. Work through: Install unknown apps, Display over other apps, Accessibility (often under Settings, Accessibility, Downloaded apps or Installed services), Notification access, Usage access, and Device admin apps. Device admin in particular deserves a look, because malware uses it to make itself hard to uninstall.

Watch the privacy indicators

Modern Android shows a small green dot or icon in the status bar whenever the camera or microphone is in use. Pull down the notification shade and it will tell you which app. If that dot appears while you are not doing anything that needs a camera or a mic, find out why immediately. It is one of the most useful security features Google has shipped and almost nobody looks at it.

Uninstall, do not just revoke

The most effective permission management is deletion. An app you do not use cannot leak anything, cannot run in the background, and cannot be exploited later when it is abandoned by its developer and stops receiving security updates. Abandoned apps are a real risk: the code stops being patched but the permissions stay granted. Go through your app drawer and remove everything you have not opened in six months. It also helps with improving Android battery life, which is a nice side effect of a security clean-up.

The mistakes people make repeatedly

Tapping Allow to make the dialogue go away. This is the big one. The prompt appears mid-task, you are impatient, and Allow is the fast path. Slow down for two seconds and ask what the app is currently doing. If you tapped “attach a photo”, a photo permission makes sense. If you tapped “open app”, it does not.

Granting “Allow all the time” for location out of habit. Android offers “while using the app” and, on newer versions, “only this time”. For the vast majority of apps, “while using” is the correct answer and costs you nothing. Background location is what feeds the data brokers.

Believing a cleaner app needs all-files access to “optimise” storage. Cleaner and booster apps are, as a category, close to useless on modern Android — the system manages memory better than they do — and they ask for enormous permissions to do it. If you want to reclaim space, our guide on how to free up storage on Android covers what actually works without handing your entire filesystem to an ad-funded utility.

Assuming Play Store means safe. It means safer. Apps with aggressive data collection and dark-pattern permission requests do get through review, particularly in the free utility and casual games categories. Play Protect scanning is a floor, not a ceiling. Read the permission list anyway.

Ignoring the “why” text. Android lets developers show a rationale before the system prompt. A good developer explains exactly which feature needs the access. A bad one shows a generic “we need this permission to continue”. The quality of that explanation tells you a great deal about who wrote the app.

What a well-behaved app looks like

It asks for nothing on first launch. It lets you use the core features with no permissions at all. When you tap something that genuinely needs access — the scan button, the record button, the “find near me” button — it explains why in one sentence and then asks. If you refuse, it degrades gracefully instead of refusing to run. It uses the system photo picker so it never needs blanket media access. It has a privacy policy you can actually read.

That is not a fantasy standard; plenty of apps do exactly this. Once you have seen a few of them, badly behaved apps become obvious by contrast. An app that demands six permissions before showing you a single screen is telling you what its business model is, and it is not the one printed on the store listing.

Quick Reference: Permission Do’s and Don’ts

  • Do ask yourself what the app is doing at the moment it asks — a permission request that matches the button you just pressed is usually honest, and one that arrives on launch usually is not.
  • Do choose “while using the app” or “only this time” for location, camera and microphone whenever the option exists; background access is where the real data harvesting happens.
  • Don’t ever grant accessibility service access to an app that is not an assistive tool, no matter how convincingly it explains itself — this is the single most abused permission on Android.
  • Don’t hand over SMS or call log access for the sake of automatic OTP entry; a competent developer uses the SMS Retriever API and never sees your other messages.
  • Do run a permission manager audit twice a year and uninstall anything you have not opened in six months, because an abandoned app keeps its permissions long after it stops getting security patches.

Frequently Asked Questions

Can an Android app spy on me without any permissions at all?

It cannot access your camera, microphone, location, contacts or messages without the corresponding permission — the sandbox genuinely holds. It can, however, talk to the internet without asking, read some non-sensitive device information, and see which other apps are installed in certain circumstances. So a permission-free app is limited, but not entirely inert, and that is why deleting unused apps beats simply revoking their access.

Is it safe to revoke a permission from an app I already use?

Yes. Android is designed for exactly this: if the app needs the permission again it will prompt you the next time you use the relevant feature, and you can decide with full context. Some poorly written apps may crash or show an error, but nothing is permanently broken, and an app that crashes rather than asking again is telling you something useful about its quality.

Why does the same app ask for more permissions on a sideloaded APK than on the Play Store?

Because it is probably not the same app. Repackaged builds are a common tactic: the attacker takes the real APK, injects extra code, adds the permissions that code needs, and redistributes it with the original name and icon. If the permission list does not match the official listing, treat the file as hostile and delete it rather than trying to work out what the extra access is for.

Do I still need location permission granted for Wi-Fi and Bluetooth scanning?

On older Android versions, yes — scanning for nearby Wi-Fi networks or Bluetooth devices could reveal your position, so Google gated it behind location permission, which is why some apps ask for location for reasons that seem unrelated. Newer versions introduced a separate “nearby devices” permission that does not imply location access. If an app on a current Android release still demands location purely to find a Bluetooth speaker, it has not been updated in a long time.

Are permission-blocking or firewall apps worth installing?

A local VPN-based firewall can genuinely stop specific apps from reaching the internet, which is the one gap the standard permission model leaves open, and that has real value if you have a particular app you want to keep offline. But you are also routing all of your traffic through a third party’s code, which is a large amount of trust to extend. If you use one, pick an open-source, well-audited option and understand that for most people, granting fewer permissions in the first place is simpler and safer than adding another layer.

Final Thoughts

Permissions are the one part of Android security that is entirely in your hands, and they reward about ten seconds of thought per decision. The operating system has done the hard engineering: the sandbox works, the special-access screens are deliberately awkward, the privacy indicators tell you when the camera is live, and revoking is free. What it cannot do is decide for you whether a photo editor has any business knowing where you live. The habit worth building is not paranoia but proportion — grant what the task in front of you plainly requires, refuse the rest, treat accessibility and SMS as effectively off-limits, and be significantly more sceptical of anything you installed from outside the store than anything you installed from within it. Do that consistently and you have neutralised the large majority of what actually goes wrong on Android phones, without installing a single security app.

Explore more honest Android guides, APK explainers and app reviews across The Apkcort.

Scroll to Top