Xml Declares Dangerous Permissions
Description
Detects dangerous permission declarations in Android applications that could expose sensitive user data or device capabilities. These permissions include access to location, camera, contacts, SMS, call logs, and other privacy-sensitive features that could be misused if the application is compromised.
Detection Strategy
• Search AndroidManifest.xml files for uses-permission elements
• Check whether the permission name matches one of the 34 known dangerous Android permissions (e.g., ACCESS_FINE_LOCATION, CAMERA, READ_CONTACTS)
• Verify if the application targets a vulnerable API level where these permissions pose security risks
• Report each instance where a dangerous permission is declared in the manifest file
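The strategy above, as an added example that is not Fluid Attacks' own checker: it parses an AndroidManifest.xml, matches uses-permission names against a subset of the dangerous list (six of the 34, enough to exercise the logic), records any android:maxSdkVersion, and reads targetSdkVersion from uses-sdk. The API-level check assumes the relevant threshold is API 23, where the runtime permission prompt was introduced; below it, dangerous permissions are granted at install time.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of the dangerous permissions the rule looks for (the full rule checks 34).
DANGEROUS_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_MEDIA_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}

# Assumption for the API-level check: runtime permission prompts exist from
# API 23 (Android 6.0); below that, dangerous permissions are granted at install.
RUNTIME_PERMISSION_API = 23


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def _int_or_none(value):
    return int(value) if value is not None and value.isdigit() else None


def scan_manifest(xml_text):
    """Return one finding per dangerous <uses-permission>, in manifest order."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    uses_sdk = root.find("uses-sdk")
    target_sdk = _int_or_none(_attr(uses_sdk, "targetSdkVersion")) if uses_sdk is not None else None
    install_time_grant = target_sdk is not None and target_sdk < RUNTIME_PERMISSION_API
    findings = []
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name", "")
        if name not in DANGEROUS_PERMISSIONS:
            continue  # normal permissions (e.g. INTERNET) are not reported
        findings.append({
            "permission": name,
            "max_sdk": _int_or_none(_attr(perm, "maxSdkVersion")),
            "target_sdk": target_sdk,
            "severity": "high" if install_time_grant else "medium",
        })
    return findings


# Constructed sample manifest (not from any real app) used to exercise the scanner.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA" android:maxSdkVersion="34"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f"{f['severity']}: {f['permission']} (maxSdk={f['max_sdk']}, targetSdk={f['target_sdk']})")
```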
Vulnerable code example
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION"/> <!-- Dangerous: Grants broad access to media location data -->
<uses-permission android:name="android.permission.CAMERA"/> <!-- Dangerous: Provides unrestricted camera access -->
</manifest>
Secure code example
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<!-- Only request permissions if absolutely necessary for core functionality -->
<uses-permission android:name="android.permission.CAMERA" android:maxSdkVersion="34"/> <!-- Restrict camera access to specific SDK version -->
<uses-sdk
android:minSdkVersion="23"
android:targetSdkVersion="34" />
...