List of ADB settable permissions

Question

I am searching for a list of permissions that can be set with adb.

I could just iterate through all permissions and ignore the failed ones but i'd rather filter out the ones that i know can't be set before hand.

— Bluscream | Sources

Answer

You can grant or revoke only runtime permissions (introduced in Android 6 with protection level: dangerous) - either from CLI (adb shell) or GUI (Settings). From package manager help:

~$ pm

...

  grant [--user USER_ID] PACKAGE PERMISSION

  revoke [--user USER_ID] PACKAGE PERMISSION


 These commands either grant or revoke permissions to apps.  The permissions


 must be declared as used in the app's manifest, be runtime permissions


 (protection level dangerous), and the app targeting SDK greater than Lollipop MR1.

...

To get a list of all on-device dangerous permissions:

~$ pm list permissions -g -d | awk -F: '/permission:/ {
print $2
}
'

Or get directly from Android source. This list excludes any dangerous permissions defined by non-AOSP packages e.g. those provided by Google Play Services. wget is a busybox applet, or get a static binary:

~$ wget -qO- https://raw.githubusercontent.com/aosp-mirror/platform_frameworks_base/android-9.0.0_r52/core/res/AndroidManifest.xml | grep -E 'protectionLevel=|<permission android:name=' | grep -B1 'protectionLevel=.*dangerous' | awk -F'"' '/permission/ {
print $2
}
'

Or to avoid any wrong results, pre-format .xml (you need to get xmllint or similar tool):

~$ wget -qO- https://raw.githubusercontent.com/aosp-mirror/platform_frameworks_base/android-9.0.0_r52/core/res/AndroidManifest.xml | xmllint --format - | grep 'protectionLevel=.*dangerous' | grep -o 'permission android:name=[^ ]*' | cut -d'"' -f2

In addition to dangerous permissions, it's also possible to grant or deny or ignore some of the special permissions shown under:

Settings → Apps & Notifications → Advanced → Special App Access.

These are not managed directly by package manager, but appops - a secondary permissions control framework. These are signature level permissions which can be granted only to system apps otherwise. On Android 9:

~$ wget -qO- https://raw.githubusercontent.com/aosp-mirror/platform_frameworks_base/android-9.0.0_r52/core/res/AndroidManifest.xml | grep -E 'protectionLevel=|<permission android:name=' | grep -B1 'protectionLevel=.*appop' | awk -F'"' '/permission/ {
print $2
}
'

android.permission.MANAGE_IPSEC_TUNNELS

android.permission.SYSTEM_ALERT_WINDOW

android.permission.WRITE_SETTINGS

android.permission.REQUEST_INSTALL_PACKAGES

android.permission.PACKAGE_USAGE_STATS

android.permission.ACCESS_NOTIFICATIONS

android.permission.INSTANT_APP_FOREGROUND_SERVICE

Their corresponding appops operations have similar names with minor differences. Also some OPs depend on other OPs. To get a complete list of operations you can read or set through command-line:

~$ wget -qO- https://raw.githubusercontent.com/aosp-mirror/platform_frameworks_base/android-9.0.0_r52/core/java/android/app/AppOpsManager.java | awk '/int OP_/ {
print $5
}
'

For details on how to use appops see examples of VIBRATE, REQUEST_INSTALL_PACKAGES, COARSE_LOCATION/FINE_LOCATION and BOOT_COMPLETED/RUN_IN_BACKGROUND.

— Irfan Latif | Sources

Topics