SAFE for Android app permissions

The table below describes the full list of Android permissions used by F-Secure SAFE for Android. The actually used permissions depend on the software variant and the available features.

Android system permissions in general:

  • An Android app may have many permissions listed by Google Play, but that does not accurately reflect which permissions the app actually utilizes.
  • The permissions are bundled on high-level as Groups. A single group contains various permissions as sub-items.
  • When an app wants to use a single permission from a group, the app may obtain also permissions not actually used by the app.
Android permissions group Permissions obtained from Group by app and usage per app feature(s)
In-app purchases BILLING
Google Play billing service
  • The app may offer purchasable product upgrades as In-app purchases
Device & app history GET_TASKS
retrieve running apps
  • Parental Control retrieves running apps for the ability to block app usage as per the rules set by a parent in Parental Control settings
read your Web bookmarks and history
  • Safe Browsing is observing changes in web history database for safeguarding the user from malicious web addresses
read sensitive log data
  • Parental control access device log data for detecting app uninstall attempts
find accounts on the device, add or remove accounts, read your own contact card
  • Finder retrieves user account information for using GCM (Google Cloud Messaging)
  • Despite being listed, the app does not actually add or remove any accounts on device
No longer used from versions 17.9 and 18.2
get device location while app is in background
  • From Android Q for Finder feature, to get location while application is in background
approximate location (network-based), precise location (GPS and network-based)
  • Finder to enable locating a lost device remotely
No longer used from version 17.6
receive text messages (MMS)
  • Call Blocker for blocking MMS from an unwanted person
No longer used from version 17.6
read your text messages (SMS or MMS)
  • SAFE allows product activation by receiving a subscription key by SMS, and needs access to SMS to read the subscription key
No longer used from version 17.6
receive text messages (SMS)
  • Call Blocker for blocking SMS from an unwanted person
No longer used from version 17.6
send SMS messages
  • Ordering an SAFE auto-login token by SMS
No longer used from version 17.6
edit your text messages (SMS or MMS)
  • Ordering an SAFE auto-login token by SMS
No longer used from version 17.6
directly call phone numbers, reroute outgoing calls
  • Call Blocker needs to be able to reject outgoing and incoming calls on blocked numbers
No longer used from version 17.6
process outgoing calls
  • Call Blocker needs to be able to reject outgoing and incoming calls on blocked numbers
No longer used from version 17.6
read call log
  • Call Blocker allows to add numbers to block list by picking them from address book and call history
read phone status and identity
  • To be able to detect device identity, to limit abuse of application and service subscription.
No longer used from version 17.6
write call log
  • Remove blocked call from call log
erase USB storage, access USB storage filesystem, read the contents of your USB storage, modify or delete the contents of your USB storage, read the contents of your USB storage, modify or delete the contents of your USB storage
  • Antivirus, while scanning for malicious apps, is accessing also mass storage devices attached to device
  • Antivirus, when detecting a malicious app, can remove the malicious app from a mass storage device per user consent
  • Finder Wipe feature needs permission to modify and delete content on a storage device (format)
Wi-Fi connection information ACCESS_WIFI_STATE
view Wi-Fi connections
  • Observing the Wi-Fi networks visited by the device and displays a notification when a previously unvisited Wi-Fi is visited for the first time
Device ID & call information READ_PHONE_STATE
read phone status and identity
  • App and service subscription including as metadata; Android ID on all devices, and IMEI on devices with cellular network capability (SIM card)
access download manager and notifications
  • Antivirus observes notifications for new app downloads, and access Downloads folder to access the downloaded apps for scanning
  • Safe Browser needs to be able to store files to Download folder when user chooses to download a file
view network connections
  • Optimizing network carrier (wifi, mobile, roaming) for client-backend communication
allows app to listen to whether external power has been connected or removed
  • app will be woken for these events
Accessibility service
  • Used for Family Rules feature: Allowing a parent to protect child from unsuitable web content, and allowing a parent to apply device and apps usage restrictions for a child.
Android Device Administrator
  • Used for Finder (remote alarm, wipe and locate), preventing children from removing the application without parental guidance, and for Browsing Protection.
connect to paired bluetooth devices
  • Bluetooth API is used for retrieving the user defined device name, as in Android the name is coupled to the Bluetooth service; Is not actually used for connecting to other devices
connect and disconnect from Wi-Fi
  • Finder disables network connections while executing device Wipe command
Google Play license check
  • Google Play license check used with In-app purchase functionality
disable your screen lock
  • Screen lock disabled by Finder Unlock and Wipe command, on pre-Android N devices
from Android P, this is needed to allow the app to use foreground service.
  • Foreground service is needed to keep the app running and protect the device.
install shortcuts
  • For installing SAFE and Safe browser shortcuts in Launcher
receive data from Internet
  • Network access is required for retrieving app / service subscription status, Antivirus functionality, Finder commands and Safe Browsing
close other apps
  • Parental Control to close blocked applications
modify audio settings
  • AlarmService needs this to change playing alarm from speakers.
control Near Field Communication
  • Safe Browser allows sharing the URL of the current viewed browser page over NFC
toggle sync on and off
  • Safe Browser Sync Adapter for URL autocomplete and suggestions
run at start-up
  • Antivirus engine start-up at device start-up Antivirus performs device boot-time scan, when enabled by user in app settings.
  • Antivirus feature, to be able to execute scan for external drives when device is booted.
  • Safe Browsing feature must be running always to be able to monitor changes in web history database.
  • Parental Control must be running always to be able to block unwanted applications
allows an application to request deleting packages.
  • To uninstall apps in the device
set wallpaper
  • Safe Browser needs to be able to set wallpaper if user wishes to use an image opened in browser as a wallpaper
draw over other apps
Note: This is no longer needed from 17.6 version released after August 2019.
  • Application draws app blocking dialog over other apps, when Parental Control with App Control is enabled.
  • App may draw a toast -like windows on top of other apps, currently used with Banking Protection
control vibration
  • Vibration used as a fall-back method for playing a sound for app notifications when device is set to vibrating mode
prevent device from sleeping
  • Finder feature prevents device sleep while handling remote command (Locate, Lock, Alarm and Wipe) for effective handling of the command
write web bookmarks and history
  • Modifying history (web site titles) to be able detect users navigation (current web page) in web browser application
modify system settings
  • System settings are modified for Parental Control (Accessibility, Device Administrator) per user consent
  • System Settings is accessed by Finder feature, to be able ring alarm sound while device is in silent mode