Unused permissions (overprivileged)
Description
The application requests permissions but never uses the resources they grant. Every unused permission still widens the privilege available to any code running in the application's process.
Recommendation
Remove unused declared permissions from the application's manifest.
If, for example, the application declares the permission ACCESS_FINE_LOCATION
but does not use it, you can remove it from the application manifest:
- Before:
  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
      package="com.example.myapp">
      <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
      <application
          android:allowBackup="true"
          android:icon="@mipmap/ic_launcher"
          android:label="@string/app_name"
          android:roundIcon="@mipmap/ic_launcher_round"
          android:supportsRtl="true"
          android:theme="@style/AppTheme">
          <!-- Other application components -->
      </application>
  </manifest>
- After:
  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
      package="com.example.myapp">
      <application
          android:allowBackup="true"
          android:icon="@mipmap/ic_launcher"
          android:label="@string/app_name"
          android:roundIcon="@mipmap/ic_launcher_round"
          android:supportsRtl="true"
          android:theme="@style/AppTheme">
          <!-- Other application components -->
      </application>
  </manifest>
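Finding the permissions to remove is the part the manifest edit above leaves to the reader. The following script is an added example and not code from the original page: it parses the manifest, lists every declared uses-permission, and flags those whose backing APIs never appear in the source tree. The mapping from permission to API names (PERMISSION_API_HINTS), the sample manifest and the in-memory source files are all constructed for this example, and the mapping is deliberately small; a real audit would use a far larger table and treat a permission it cannot map as "unknown" rather than as unused.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed, deliberately small mapping from a permission to API names whose
# presence in source code suggests the permission is actually exercised.
# Assumption: illustrative only; a real audit needs a much larger table.
PERMISSION_API_HINTS = {
    "android.permission.ACCESS_FINE_LOCATION": [
        r"\bLocationManager\b", r"\bFusedLocationProviderClient\b",
    ],
    "android.permission.ACCESS_WIFI_STATE": [r"\bWifiManager\b"],
    "android.permission.CAMERA": [r"\bCameraManager\b", r"\bCamera\.open\b"],
    "android.permission.INTERNET": [r"\bHttpURLConnection\b", r"\bOkHttpClient\b"],
}

# Constructed sample manifest: three platform permissions plus one vendor permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="com.example.vendor.permission.CUSTOM" />
    <application android:label="@string/app_name">
        <!-- Other application components -->
    </application>
</manifest>
"""

# Constructed stand-in for the project's source tree: path -> file contents.
# Only the networking client is referenced; no location or camera API is used.
SAMPLE_SOURCES = {
    "app/src/main/java/com/example/myapp/Api.kt": """
        val client = OkHttpClient()
        val req = Request.Builder().url("https://example.invalid/").build()
    """,
    "app/src/main/java/com/example/myapp/MainActivity.kt": """
        class MainActivity : AppCompatActivity() {
            override fun onCreate(state: Bundle?) { super.onCreate(state) }
        }
    """,
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission") if el.get(NAME_ATTR)]


def permission_is_used(permission: str, sources: dict[str, str]) -> bool:
    """Heuristic: a permission counts as used if any source file references a
    known API behind it, or names it as Manifest.permission.<SHORT_NAME>,
    which is how code typically requests it at runtime."""
    short_name = permission.rsplit(".", 1)[-1]
    patterns = list(PERMISSION_API_HINTS.get(permission, []))
    patterns.append(r"\bManifest\.permission\." + re.escape(short_name) + r"\b")
    return any(re.search(p, text) for text in sources.values() for p in patterns)


def audit_permissions(manifest_xml: str, sources: dict[str, str]) -> dict[str, list[str]]:
    """Classify each declared permission as used, unused, or unknown.
    'unknown' means no API hint exists for it, so no conclusion is drawn."""
    report: dict[str, list[str]] = {"used": [], "unused": [], "unknown": []}
    for perm in declared_permissions(manifest_xml):
        if permission_is_used(perm, sources):
            report["used"].append(perm)
        elif perm in PERMISSION_API_HINTS:
            report["unused"].append(perm)
        else:
            report["unknown"].append(perm)
    return report


def strip_permissions(manifest_xml: str, to_remove: set[str]) -> str:
    """Return the manifest text with the given <uses-permission> elements removed."""
    ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
    root = ET.fromstring(manifest_xml)
    for el in list(root.findall("uses-permission")):
        if el.get(NAME_ATTR) in to_remove:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST, SAMPLE_SOURCES)
    for category, perms in report.items():
        print(f"{category}: {perms}")
    print(strip_permissions(SAMPLE_MANIFEST, set(report["unused"])))
```

Only permissions in the "unused" bucket are safe to strip automatically; "unknown" ones need a manual look, and after removal the application should still be exercised end to end, since a permission used only through a library or a dynamically loaded component will not show up in a plain source scan.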
Links
- Android InSecurity: Understanding Permissions
- Underestimated Privacy Implications of the ACCESS_WIFI_STATE
Standards
- OWASP_MASVS_L1:
  - MSTG_PLATFORM_1
- OWASP_MASVS_L2:
  - MSTG_PLATFORM_1
- CWE_TOP_25:
  - CWE_276
- PCI_STANDARDS:
  - REQ_6_2
  - REQ_7_3
- OWASP_MASVS_v2_1:
  - MASVS_PRIVACY_1