Why is this an issue?

Namespaces act as a container for grouping together permissions with a common theme or purpose. They also prevent conflicts when multiple apps want to use the same permission name.

The android.permission namespace holds all of the permissions defined by the Android operating system. It is not intended to be a general use container for all permissions.

Defining permissions in the android.permission namespace increases the risk of a permission name collision. The collision could be due to a new Android system permission, or it could be due to another app using the same permission name.

What is the potential impact?

Below are some examples of the problems caused by a collision of Android permission names.

App installations may fail

Android will not allow multiple apps to define the same permission unless they are signed with the same key. This will be checked during when an app is installed or upgraded, and can cause the installation to fail with an INSTALL_FAILED_DUPLICATE_PERMISSION error.

If the permission name collision is with an Android system permission, your app will no longer be allowed to install or upgrade.

If the permission name collision is with another app, only one of the apps can be installed at a time. The presence of either app on the device will prevent the other app from being installed.

Unexpected permission grants

Permissions can be restricted so that they are only granted to apps signed with the same key. This allows apps from the same developer to work together but doesn’t expose that functionality to other apps.

When an app is granted a permission, that grant exists for as long as the app is installed. It remains in place even if the app that defined the permission is removed.

If your app reuses a permission that had previously been defined, any apps that retain the that permission will be able to bypass the signing key check.

How to fix it

Applications should define custom permissions in an application-specific namespace. This greatly reduces the chance of a permission name conflict.

It is common practice to use the application package name as part of the namespace.

Code examples

Noncompliant code example

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.organization.app">

    <permission
        android:name="android.permission.MY_PERMISSION" /> <!-- Noncompliant -->

</manifest>

Compliant solution

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.organization.app">

    <permission
        android:name="com.organization.app.permission.MY_PERMISSION" />

</manifest>

Resources

Standards

• Mobile AppSec Verification Standard - Platform Interaction Requirements
• OWASP - Mobile Top 10 2016 Category M1 - Improper Platform Usage
• OWASP - Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization
• OWASP - Mobile Top 10 2024 Category M8 - Security Misconfiguration
• CWE - CWE-265 - Privilege Issues
• CWE - CWE-732 - Incorrect Permission Assignment for Critical Resource

External coding guidelines

• Android Developers - Define a Custom App Permission