Save the date! Android Dev Summit is coming to Sunnyvale, CA on Oct 23-24, 2019.

Android Q privacy: Changes to permissions

This document describes several changes to the permissions model. These changes serve to enhance user privacy.

Some of these changes affect all apps running on Android Q while other changes affect only apps that target Android Q.

Changes affecting all apps

The following changes affect all apps running on Android Q, even if they target Android 9 (API level 28) or lower.

Restricted access to screen contents

To protect users' screen contents, Android Q prevents silent access to the device's screen contents by changing the scope of the READ_FRAME_BUFFER, CAPTURE_VIDEO_OUTPUT, and CAPTURE_SECURE_VIDEO_OUTPUT permissions so that they're signature-access only.

Apps that need to access the device's screen contents should use the MediaProjection API, which displays a prompt asking the user to provide consent.

User-facing permission check on legacy apps

If your app targets Android 5.1 (API level 22) or lower, users see a permissions screen when running your app on Android Q for the first time, as shown in Figure 1. This screen gives users the opportunity to revoke access to permissions that the system previously granted to your app at install time.

Screen capture of dialog
Figure 1. User-facing dialog that allows review of legacy permissions

Permission groups removed from UI

As of Android Q, apps cannot look up how permissions are grouped in the UI.

Changes affecting apps targeting Android Q

The following change affects apps only if they target Android Q.

Physical activity recognition

Android Q introduces a new ACTIVITY_RECOGNITION runtime permission for apps that need to detect the user's movement, such as walking, biking, or in a vehicle. This is designed to give users visibility of how device sensor data is used in Settings.