Android uses permissions to limit the capabilities of installed applications, enforcing a permission-based security policy on each device to handle security issues. When a permission is bound to an action and a resource object, an application must obtain that permission to perform the operation on the object. Because Android is designed to be open to developers, all permissions are granted by the user rather than by the handset manufacturer or the platform provider. This carries the risk of abuse by developers and gives attackers a way to carry out malicious acts through permissions. So, as a first pass in the static analysis of whether an app is malware, obtaining its Android permissions and understanding what they mean is significant.
Permission Policy
The Android framework provides a set of default permissions, stored in the android.Manifest.permission class, and also allows us to define new permissions ourselves. When we write an application we declare its permissions, and they are introduced into the system when the program is installed. Permission authorization is performed when the application is installed. When an application is installed on a device, the program requests the set of permissions required to complete its tasks. The requested permission list appears on the device screen for the user to review; only after the user agrees to authorize them is the program installed, and the application then obtains all the requested permissions. So the main security rule that the Android system enforces is that an application may perform operations that could affect the rest of the system only if it holds the corresponding permission.
Each permission is defined as a string that conveys the permission to perform a particular operation. All permissions can be grouped into two categories: permissions that the application requests when the program is executed, and permissions that other components request when the components of an application communicate with each other. Developers define the permission policy for both categories by writing permission tags in the AndroidManifest.xml file.
Permission statement
An application can declare permissions with a <permission> element to restrict access to specific components or applications. When the program is installed, the declared permission is added to the system. (Figure: Android custom permissions)
Permission request
The application lists all the permissions it needs to complete its tasks, identifying each one with a <uses-permission> element. The list is requested when the program is installed: it is displayed on the screen, and the user either agrees to install or aborts the installation. Agreeing to install means authorizing all requested permissions.
Get Permissions
Getting the permissions is the first step in the static analysis of an app; by knowing the permissions the app has, we can get a general idea of what the app might do.
Tools: Several tools are available to statically extract the permissions of Android apps, such as AAPT, Apktool, and Androguard.
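As an added example (not code from the original page or from any of the tools named above), the following Python sketch pulls the declared, requested, and component-level permissions out of a manifest for a first-pass review. It assumes the manifest has already been decoded to text XML, as Apktool produces; the sample manifest, the package name com.example.notes, and the REVIEW_FIRST list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "service", "receiver", "provider")
# Illustrative review list chosen for this example; not a malware verdict.
REVIEW_FIRST = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO"}

# Constructed sample manifest for a hypothetical package, com.example.notes.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <permission android:name="com.example.notes.permission.READ_NOTES"
              android:protectionLevel="signature" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application>
    <activity android:name=".MainActivity" />
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"
              android:permission="com.example.notes.permission.READ_NOTES" />
  </application>
</manifest>
"""

def extract_permissions(manifest_xml):
    """Parse a text-form AndroidManifest.xml into its permission facts."""
    root = ET.fromstring(manifest_xml.strip())
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    # <uses-permission>: what the app asks the user to grant (deduplicated).
    requested = sorted({el.get(A + "name") for el in root.findall("uses-permission")
                        if el.get(A + "name")})
    # <permission>: custom permissions the app adds to the system.
    declared = {el.get(A + "name"): el.get(A + "protectionLevel")
                for el in root.findall("permission") if el.get(A + "name")}
    # android:permission on a component: what a caller must hold to reach it.
    guarded = {}
    for app in root.findall("application"):
        for el in app:
            if el.tag in COMPONENTS and el.get(A + "permission"):
                guarded[el.get(A + "name")] = el.get(A + "permission")
    return {"requested": requested, "declared": declared, "guarded": guarded,
            "review_first": sorted(REVIEW_FIRST.intersection(requested))}

if __name__ == "__main__":
    for key, value in extract_permissions(SAMPLE_MANIFEST).items():
        print(key, "=", value)
```

When the manifest comes from an untrusted sample, a hardened XML parser such as defusedxml is a common substitute for the standard-library parser used here.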