android-kotlin
/

Android Permissions – Security and User Privacy

Last Sync: Today

On this page

5
0%
5 min read
Remaining
5 minleft

Click any section to jump — progress syncs automatically

android-kotlin

Android Permissions – Security and User Privacy

The Permission Hierarchy

Android categorizes permissions into different types based on the level of risk they pose to user privacy. As an Architect, your goal is to follow the 'Principle of Least Privilege'—only requesting what is strictly necessary for Revochamp to function. In 2026, the system is more aggressive about revoking unused permissions for apps that haven't been opened in months.

  • Normal Permissions: Lower risk to privacy (e.g., INTERNET). These are granted automatically by the OS at install time if declared in the Manifest.
  • Signature Permissions: Granted only if the requesting app is signed with the same certificate as the app that declared the permission.
  • Dangerous (Runtime) Permissions: High risk to privacy (e.g., CAMERA, LOCATION, FILES). The user must explicitly grant these while the app is running.

  1. Declaration in the Manifest

All permissions must first be declared in the AndroidManifest.xml. This informs the Google Play Store and the OS about the app's requirements. For your project, this is where you enable your AI backend communication and camera access.

XMLRead-only
1

<uses-permission android:name="android.permission.INTERNET" />


<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />

  1. The Runtime Request Flow

For dangerous permissions, simply declaring them isn't enough. In 2026, we use the ActivityResultLauncher for a type-safe, lifecycle-aware way to request permissions. You must check if the permission is already granted, show a rationale if the user previously denied it, and then request it.

KOTLINRead-only
1
// Modern way to request camera for Revochamp AI Preview
val requestPermissionLauncher = registerForActivityResult(
    ActivityResultContracts.RequestPermission()
) { isGranted: Boolean ->
    if (isGranted) {
        startCamera() // Logic for AI-powered UI scanning
    } else {
        showPermissionDeniedUI()
    }
}

fun checkCameraPermission() {
    when {
        ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA) == 
            PackageManager.PERMISSION_GRANTED -> {
            startCamera()
        }
        shouldShowRequestPermissionRationale(Manifest.permission.CAMERA) -> {
            showInAppExplanationDialog() // Explain why AI needs the camera
        }
        else -> {
            requestPermissionLauncher.launch(Manifest.permission.CAMERA)
        }
    }
}

  1. Scoped Storage and Media Access

In recent Android versions, global 'Read/Write External Storage' is deprecated. If Revochamp needs to save a generated code file or read an image for UI analysis, you should use Scoped Storage. This allows your app to access its own folders without any permission, or use the 'Photo Picker' to let the user select a specific file without granting full storage access.

Permission Comparison

FeatureAndroid NativeFlutter (permission_handler)
Manifest EntryRequired (XML)Required (XML)
Request LogicregisterForActivityResultpermission.request()
Status CheckcheckSelfPermissionpermission.status
RationaleshouldShowRequestPermissionRationaleshouldShowRequestRationale
Storage AccessScoped Storage / Media APIPlatform-specific implementation
Security LevelOS-enforced sandboxWrapper around native APIs

Test Your Knowledge

Q1
of 3

Which type of permission is automatically granted by the system if it's declared in the Manifest?

A
Dangerous Permissions
B
Normal Permissions
C
Special Permissions
D
Signature Permissions
Q2
of 3

What is the recommended modern API for requesting runtime permissions in 2026?

A
startActivityForResult
B
RequestPermission Intent
C
ActivityResultLauncher
D
SystemBroadcast
Q3
of 3

What should you show the user if they have denied a permission once but the feature is still needed?

A
A system error message
B
A rationale (explanation) of why the permission is needed
C
A link to the Play Store
D
Nothing, just request it again silently

Frequently Asked Questions

What happens if I forget to declare a permission in the Manifest?

Your app will crash with a 'SecurityException' as soon as you try to perform the restricted action, even if the user would have granted it. The OS uses the Manifest as the master list of possible permissions.

Can I request multiple permissions at once?

Yes. You can use 'RequestMultiplePermissions()' to request a group (e.g., Camera and Microphone). The system will show a single dialog or a sequence of dialogs to the user.

What is 'One-time' permission?

Introduced in Android 11, users can grant 'Only this time' for sensitive permissions like Camera or Location. The permission is revoked as soon as the user closes the app, so you must always check for the permission every time you launch a feature.

Previous

android json

Next

android authentication

Related Content

Need help?

Explore our comprehensive docs or start a chat with our tech experts.