Security and Permission in Android

During deployment on an Android device, the Android system will create a unique user and group ID for every Android application. Each application file is private to this generated user, e.g. other applications cannot access these files.

In addition each Android application will be started in its own process. Therefore by means of the underlying Linux operating system, every Android application is isolated from other running applications. A misbehaving application cannot easily harm other Android applications.

If data should be shared the application must do this explicitly.

Android also contains a permission system. Android predefines permissions for certain tasks but every application can also define its own permissions. An application must declare in its configuration file that it requires certain permissions.

Depending on the details of the defined permission, the Android system will during installation automatically grant the permission, reject it or ask the user if he grants these permissions to the application.

If for example the application declares that is requires Internet access then the user need to confirm this during installation.

This is called \"user driven security\". The user decides to grant permission or to deny it. If the user does not want to give all permissions required by the application, this application cannot be installed. The check of the permission is only performed during installation; permissions cannot be denied or granted after the installation.

Typically not all users check the permissions in detail but some users do and if there is something strange with them, they will write bad reviews on the corresponding Android markets.