android.permission.MODIFY_PHONE_STATE

modify phone status

Allows modification of the telephony state - power on, mmi, etc. Does not include placing calls.

1
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>

Turn off 3G/Data programmatically

For Android 2.3 and above:

1
2
3
4
5
6
7
8
9
10
11
12
private void setMobileDataEnabled(Context context, boolean enabled) {
final ConnectivityManager conman = (ConnectivityManager) context.getSystemService(Context.CONNECTIVITY_SERVICE);
final Class conmanClass = Class.forName(conman.getClass().getName());
final Field iConnectivityManagerField = conmanClass.getDeclaredField("mService");
iConnectivityManagerField.setAccessible(true);
final Object iConnectivityManager = iConnectivityManagerField.get(conman);
final Class iConnectivityManagerClass = Class.forName(iConnectivityManager.getClass().getName());
final Method setMobileDataEnabledMethod = iConnectivityManagerClass.getDeclaredMethod("setMobileDataEnabled", Boolean.TYPE);
setMobileDataEnabledMethod.setAccessible(true);
setMobileDataEnabledMethod.invoke(iConnectivityManager, enabled);
}

For Android 2.2 and below:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Method dataConnSwitchmethod;
Class telephonyManagerClass;
Object ITelephonyStub;
Class ITelephonyClass;
TelephonyManager telephonyManager = (TelephonyManager) context
.getSystemService(Context.TELEPHONY_SERVICE);
if(telephonyManager.getDataState() == TelephonyManager.DATA_CONNECTED){
isEnabled = true;
}else{
isEnabled = false;
}
telephonyManagerClass = Class.forName(telephonyManager.getClass().getName());
Method getITelephonyMethod = telephonyManagerClass.getDeclaredMethod("getITelephony");
getITelephonyMethod.setAccessible(true);
ITelephonyStub = getITelephonyMethod.invoke(telephonyManager);
ITelephonyClass = Class.forName(ITelephonyStub.getClass().getName());
if (isEnabled) {
dataConnSwitchmethod = ITelephonyClass
.getDeclaredMethod("disableDataConnectivity");
} else {
dataConnSwitchmethod = ITelephonyClass
.getDeclaredMethod("enableDataConnectivity");
}
dataConnSwitchmethod.setAccessible(true);
dataConnSwitchmethod.invoke(ITelephonyStub);

This required the following permission:

1
<uses-permission android:name="android.permission.MODIFY_PHONE_STATE" />

android.permission.CHANGE_WIFI_STATE

change Wi-Fi status

Allows an application to connect to and disconnect from Wi-Fi access points and to make changes to configured Wi-Fi networks.

Sample code:

1
2
WifiManager wifiManager = (WifiManager) getSystemService(WIFI_SERVICE);
wifiManager.setWifiEnabled(isWifiEnabled);

CHANGE_WIFI_STATE permission must be added to AndroidManifest.xml.

1
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />

Source: https://yous.be/2013/12/07/how-to-check-and-toggle-wifi-or-3g-4g-state-in-android/

android.permission.CHANGE_NETWORK_STATE

Allows applications to change network connectivity state.

Protection level: normal

Constant Value: “android.permission.CHANGE_NETWORK_STATE”

Added in API level 1

Sample code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
private void setMobileDataEnabled(Context context, boolean enabled) {
final ConnectivityManager conman =
(ConnectivityManager) context.getSystemService(Context.CONNECTIVITY_SERVICE);
try {
final Class conmanClass = Class.forName(conman.getClass().getName());
final Field iConnectivityManagerField = conmanClass.getDeclaredField("mService");
iConnectivityManagerField.setAccessible(true);
final Object iConnectivityManager = iConnectivityManagerField.get(conman);
final Class iConnectivityManagerClass = Class.forName(
iConnectivityManager.getClass().getName());
final Method setMobileDataEnabledMethod = iConnectivityManagerClass
.getDeclaredMethod("setMobileDataEnabled", Boolean.TYPE);
setMobileDataEnabledMethod.setAccessible(true);
setMobileDataEnabledMethod.invoke(iConnectivityManager, enabled);
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (InvocationTargetException e) {
e.printStackTrace();
} catch (NoSuchMethodException e) {
e.printStackTrace();
} catch (IllegalAccessException e) {
e.printStackTrace();
} catch (NoSuchFieldException e) {
e.printStackTrace();
}
}

Source: https://yous.be/2013/12/07/how-to-check-and-toggle-wifi-or-3g-4g-state-in-android/

android.permission.READ_HISTORY_BOOKMARKS

read Browser’s history and bookmarks

Allows the application to read all the URLs that the browser has visited and all of the browser’s bookmarks.

Sample usage in the manifest:

1
<uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>

Browser Bookmark Changes in API level 23

API level 23 release removes support for global bookmarks. The android.provider.Browser.getAllBookmarks() and android.provider.Browser.saveBookmark() methods are now removed. Likewise, the READ_HISTORY_BOOKMARKS and WRITE_HISTORY_BOOKMARKS permissions are removed. If your app targets Android 6.0 (API level 23) or higher, don’t access bookmarks from the global provider or use the bookmark permissions. Instead, your app should store bookmarks data internally.

Source: https://developer.android.com/about/versions/marshmallow/android-6.0-changes.html#behavior-bookmark-browser

Sample code snippet:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
String[] proj = new String[] { BookmarkColumns.TITLE,BookmarkColumns.URL };
Uri uriCustom = Uri.parse("content://com.android.chrome.browser/bookmarks");
String sel = BookmarkColumns.BOOKMARK + " = 0"; // 0 = history, 1 = bookmark
Cursor mCur = getContentResolver().query(uriCustom, proj, sel, null, null);
mCur.moveToFirst();
@SuppressWarnings("unused")
String title = "";
@SuppressWarnings("unused")
String url = "";
if (mCur.moveToFirst() && mCur.getCount() > 0) {
boolean cont = true;
while (mCur.isAfterLast() == false && cont) {
title = mCur.getString(mCur.getColumnIndex(BookmarkColumns.TITLE));
url = mCur.getString(mCur.getColumnIndex(BookmarkColumns.URL));
Log.e("title" , title);
Log.e("url" , url);
// Do something with title and url
mCur.moveToNext();
}
}

Source: https://stackoverflow.com/questions/46828417/permission-read-history-bookmarks-is-not-working-on-api-23/46828571

android.permission.KILL_BACKGROUND_PROCESSES

kill background processes

Allows an application to kill background processes of other applications, even if memory is not low.
It allows application to call killBackgroundProcesses(String))

Sample usage:

1
2
ActivityManager am = (ActivityManager)this.getSystemService(Context.ACTIVITY_SERVICE);
am.killBackgroundProcesses(KillPackage);

Following entry needs to be added to the Manifest:

1
<uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES" />

You do NOT need that flashlight app

It is not a secret that Android SDK is quite permissive - it provides rich set of APIs to developers. Some of this permissions can turn out to be very dangerous. Play Store is full of apps with very questionable activity. One example is GO Keyboard, which is spying on users.
Sometimes normal looking apps can turn to be malicious. Google can’t possibly catch and prevent such situations, so the responsibility is also on user to stay vigilant.
Installing unnecesary apps can cause a headache. To illustrate the point we can look at flashlight apps. They are pretty good example. In ancient times there was no standard flashlight app. But since Android 5.0 such app exist and there is almost no need for any special app.

So why would you need the app that can spy on you or steal your data?

Or asks for permissions it should’t ask?

Wut? Flashlight wants to read my contacts and call phone numbers?

Or simply is low-quality app infested with annoying ads?

How nice

Simple solution: use built-in app

On most phones build-in app can be accessed from the notification drawer. Just slide it down and find the flashlight icon.
Here it is on Samsung Galaxy S7 Edge:

Samsung Galaxy S7 Edge

Or on Google Pixel:
Google Pixel:

Or find how to do that on any of the countless number of websites: google it

Stay vigilant

Be careful what apps you install on on your phone. Information from the Play Store can’t be fully trusted:

  • Installs can be bought
  • App reviews can be bought
  • Good app itself can be bougnt and turned into malicious
  • Protection tools & systems in Play Store (Static and analysis checks, Play Protect) can miss bad apps.

Android Developers must explain to users how your app is using the 'android.permission.BIND_ACCESSIBILITY_SERVICE'

Google has announced plans to change its policy on use of the Android ‘Accessibility Services’ API.

The company has been contacting developers of apps that rely on the Accessibility Services API for functions like filling in text fields and detecting if other apps are open, to ask them to restrict their usage only for functions that assist users with disabilities. Failure to explain the need for the API in this regard will result in the app being removed from Google Play.

The problem that Google is trying to solve is the potential security risk involved in allowing apps to read data from other apps by using the API.

PlayStore developers who use Accesibility Services received email with following message:

We’re contacting you because your app, BatterySaver System Shortcut, with package name com.floriandraschbacher.batterysaver.free is requesting the ‘android.permission.BIND_ACCESSIBILITY_SERVICE.’ Apps requesting accessibility services should only be used to help users with disabilities use Android devices and apps. Your app must comply with our Permissions policy and the Prominent Disclosure requirements of our User Data policy.

Action required: If you aren’t already doing so, you must explain to users how your app is using the ‘android.permission.BIND_ACCESSIBILITY_SERVICE’ to help users with disabilities use Android devices and apps. Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.
[…]
Alternatively, you can choose to unpublish the app.
All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.

If you’ve reviewed the policy and feel we may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.

Regards,
The Google Play Review Team

Sources: