SAFE for Android app permissions

The table below describes the full list of Android permissions used by F-Secure SAFE for Android. The actually used permissions depend on the software variant and the available features.

Android system permissions in general:

  • An Android app may have many permissions listed by Google Play, but that does not accurately reflect which permissions the app actually utilizes.
  • The permissions are bundled on high-level as Groups. A single group contains various permissions as sub-items.
  • When an app wants to use a single permission from a group, the app may obtain also permissions not actually used by the app.
Android permissions group Permissions obtained from Group by app and usage per app feature(s)
In-app purchases BILLING
Google Play billing service
  • The app may offer purchasable product upgrades as In-app purchases
Device & app history GET_TASKS
retrieve running apps
  • Parental Control retrieves running apps for the ability to block app usage as per the rules set by a parent in Parental Control settings
READ_LOGS
read sensitive log data
  • Parental control access device log data for detecting app uninstall attempts
READ_HISTORY_BOOKMARKS
read your Web bookmarks and history
  • Safe Browsing is observing changes in web history database for safeguarding the user from malicious web addresses
Identity GET_ACCOUNTS
find accounts on the device, add or remove accounts, read your own contact card
  • Finder retrieves user account information for using GCM (Google Cloud Messaging)
  • Despite being listed, the app does not actually add or remove any accounts on device
Contacts GET_ACCOUNTS
find accounts on the device, read your contacts, modify your contacts
  • Accounts usage as previously listed regarding the group Identity
  • Call Blocker allows to block calls from undesired numbers by picking them from address book and call history
  • Call Blocker removes a blocked call from call log, and specifically for API level 15 and earlier the Call Blocker needs permission for modifying contacts for the ability to remove a blocked call from call log
Location ACCESS_FINE_LOCATION
approximate location (network-based), precise location (GPS and network-based)
  • Finder to enable locating a lost device remotely
SMS READ_SMS
No longer used from version 17.6
read your text messages (SMS or MMS)
  • SAFE allows product activation by receiving a subscription key by SMS, and needs access to SMS to read the subscription key
RECEIVE_MMS
No longer used from version 17.6
receive text messages (MMS)
  • Call Blocker for blocking MMS from an unwanted person
RECEIVE_SMS
No longer used from version 17.6
receive text messages (SMS)
  • Call Blocker for blocking SMS from an unwanted person
SEND_SMS
No longer used from version 17.6
send SMS messages
  • Ordering an SAFE auto-login token by SMS
WRITE_SMS
No longer used from version 17.6
edit your text messages (SMS or MMS)
  • Ordering an SAFE auto-login token by SMS
Phone READ_PHONE_STATE
read phone status and identity
  • To be able to detect device identity, to limit abuse of application and service subscription.
CALL_PHONE
No longer used from version 17.6
directly call phone numbers, reroute outgoing calls
  • Call Blocker needs to be able to reject outgoing and incoming calls on blocked numbers
PROCESS_OUTGOING_CALLS
No longer used from version 17.6
process outgoing calls
  • Call Blocker needs to be able to reject outgoing and incoming calls on blocked numbers
READ_CALL_LOG
No longer used from version 17.6
read call log
  • Call Blocker allows to add numbers to block list by picking them from address book and call history
WRITE_CALL_LOG
No longer used from version 17.6
write call log
  • Remove blocked call from call log
Photos/​Media/​Files WRITE_EXTERNAL_STORAGE
erase USB storage, access USB storage filesystem, read the contents of your USB storage, modify or delete the contents of your USB storage, read the contents of your USB storage, modify or delete the contents of your USB storage
  • Antivirus, while scanning for malicious apps, is accessing also mass storage devices attached to device
  • Antivirus, when detecting a malicious app, can remove the malicious app from a mass storage device per user consent
  • Finder Wipe feature needs permission to modify and delete content on a storage device (format)
Wi-Fi connection information ACCESS_WIFI_STATE
view Wi-Fi connections
  • Observing the Wi-Fi networks visited by the device and displays a notification when a previously unvisited Wi-Fi is visited for the first time
Device ID & call information READ_PHONE_STATE
read phone status and identity
  • App and service subscription including as metadata; Android ID on all devices, and IMEI on devices with cellular network capability (SIM card)
Other ACCESS_DOWN­LOAD_MANAGER, ACCESS_ALL_DOWN­LOADS, ACCESS_DOWN­LOAD_MANAGER_ADVANCED
access download manager and notifications
  • Antivirus observes notifications for new app downloads, and access Downloads folder to access the downloaded apps for scanning
  • Safe Browser needs to be able to store files to Download folder when user chooses to download a file
INTERNET
receive data from Internet
  • Network access is required for retrieving app / service subscription status, Antivirus functionality, Finder commands and Safe Browsing
ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE
view network connections
  • Optimizing network carrier (wifi, mobile, roaming) for client-backend communication
CHANGE_WIFI_STATE
connect and disconnect from Wi-Fi
  • Finder disables network connections while executing device Wipe command
BLUETOOTH
connect to paired bluetooth devices
  • Bluetooth API is used for retrieving the user defined device name, as in Android the name is coupled to the Bluetooth service; Is not actually used for connecting to other devices
DISABLE_KEYGUARD
disable your screen lock
  • Screen lock disabled by Finder Unlock and Wipe command, on pre-Android N devices
KILL_BACK­GROUND_PROCESSES
close other apps
  • Parental Control to close blocked applications
NFC
control Near Field Communication
  • Safe Browser allows sharing the URL of the current viewed browser page over NFC
RECEIVE_BOOT_COMPLETED
run at start-up
  • Antivirus engine start-up at device start-up Antivirus performs device boot-time scan, when enabled by user in app settings.
  • Antivirus feature, to be able to execute scan for external drives when device is booted.
  • Safe Browsing feature must be running always to be able to monitor changes in web history database.
  • Parental Control must be running always to be able to block unwanted applications
SET_WALLPAPER
set wallpaper
  • Safe Browser needs to be able to set wallpaper if user wishes to use an image opened in browser as a wallpaper
SYSTEM_ALERT_WINDOW
draw over other apps
  • Application draws app blocking dialog over other apps, when Parental Control with App Control is enabled.
  • App may draw a toast -like windows on top of other apps, currently used with Banking Protection
VIBRATE
control vibration
  • Vibration used as a fall-back method for playing a sound for app notifications when device is set to vibrating mode
WAKE_LOCK
prevent device from sleeping
  • Finder feature prevents device sleep while handling remote command (Locate, Lock, Alarm and Wipe) for effective handling of the command
WRITE_SETTINGS
modify system settings
  • System settings are modified for Parental Control (Accessibility, Device Administrator) per user consent
  • System Settings is accessed by Finder feature, to be able ring alarm sound while device is in silent mode
READ_SYNC_SETTINGS
toggle sync on and off
  • Safe Browser Sync Adapter for URL autocomplete and suggestions
WRITE_HISTORY_BOOKMARKS
write web bookmarks and history
  • Modifying history (web site titles) to be able detect users navigation (current web page) in web browser application
INSTALL_SHORTCUT
install shortcuts
  • For installing SAFE and Safe browser shortcuts in Launcher
CHECK_LICENSE
Google Play license check
  • Google Play license check used with In-app purchase functionality
BIND_DEVICE_ADMIN
Android Device Administrator
  • Used for Finder (remote alarm, wipe and locate), preventing children from removing the application without parental guidance, and for Browsing Protection.
BIND_ACCESSIBILITY_SERVICE
Accessibility service
  • Used for Family Rules feature: Allowing a parent to protect child from unsuitable web content, and allowing a parent to apply device and apps usage restrictions for a child.
MODIFY_AUDIO_SETTINGS
modify audio settings
  • AlarmService needs this to change playing alarm from speakers.