Permissions clarification

polymer_wildcat

If you deny this permissions, basic feature of your device may no longer function as intended

That phrase wasn't clear enough and made me think, there's something i don't know or miss about permissions.
Can someone, preferably devs, please clarify exactly what will stop working in app or system-wide, if specific permissions listed below are disabled?

Messaging

Camera
Microphone
Network
Music and audio
Photos and video

Phone

Camera
Nearby devices
Network

Contacts

Network

For instance, in case of messaging, i assume all it does inside app itself is cut off user form accessing MMS functionality (which is intended case for me, while following least privilege), but i'm not sure if it breaks something else system-wide.

Thanks in advance!

W1zardK1ng

polymer_wildcat even if you revoke most cases its not gonna break anything system wide but only the apps, but in future if it breaks something it will be hard to pin point the cause.
These apps are part of aosp with bit improvements from gos team. So you gain nothing by revoking the permissions. There are many other systems apps with multiple permissions. Just dont touch the system apps. Keep it simple.

de0u

polymer_wildcat Can someone, preferably devs, please clarify exactly what will stop working in app or system-wide, if specific permissions listed below are disabled?

I wouldn't say "exactly", but:

The Messaging app contains code to capture and send pictures, to capture and send audio clips, and to send various attachments. I'm not sure what it might use the Network permission for.
I think maybe the Dialer app can take a picture to attach to a contact; I think it has some code to manage Bluetooth devices for the purpose of placing and receiving calls; and I think it uses network operations to implement "visual voicemail".
I don't know why the Contacts app has the Network permission (I haven't looked).

Delaney

polymer_wildcat

If you deny this permissions, basic feature of your device may no longer function as intended

This is just a generic message from Android that appears if a permission was granted by default for apps (usually pre-installed) and you try to turn it off. It doesn't necessarily mean anything. In practice, all it does is scare off users that don't know what they're doing.

Onlyfun

polymer_wildcat exactly what will stop working in app or system-wide, if specific permissions listed below are disabled?

Messaging
Camera
Microphone
Network
Music and audio
Photos and video

Phone
Camera
Nearby devices
Network

Contacts
Network

For phone nothing will, other 2 not sure.

Permissions that are needed for basic features are not user revokable in stock ui (dimmed font and toggles won't respond to taps) or not shown to user at all.

polymer_wildcat

W1zardK1ng
Thanks for the feedback, i appreciate it!

in future if it breaks something it will be hard to pin point the cause.

Personally, i'd rather risk that, than give my system Contacts app a network permission...as long as i know exactly what those permissions are doing. Least privilege OPSEC paradigm exists for a reason.

Unfortunately i can't read code, hence asking devs, since GrapgeneOS team working on improving / hardening those apps must know for sure.

de0u

polymer_wildcat Personally, i'd rather risk [breaking something], than give my system Contacts app a network permission...as long as i know exactly what those permissions are doing. Least privilege OPSEC paradigm exists for a reason.

Unfortunately i can't read code, hence asking devs, since GrapgeneOS team working on improving / hardening those apps must know for sure.

The GrapheneOS developers have shipped these apps with these permissions, based on their evaluation process. To my eyes this request contains a bit of a contradiction. On the one hand, anybody can choose where to place trust, so one might not choose to trust those apps merely because the GrapheneOS team does. But on the other hand, if one's application of "opsec" doesn't allow trusting those apps based on the GrapheneOS team's trust... does it make sense to ask the GrapheneOS team for further assurances? Note that the team ships large amounts of privileged kernel code, library code, system services, etc., that is not limited by app permissions.

One option might be learning to read some code to some extent. Another option might be hiring somebody who already knows how to read Android app code to report what sort of risk might be posed by those apps having those permissions -- or to look into possible vulnerabilities in other parts of the system, which might be more dangerous.

polymer_wildcat

@GrapheneOS
Can you please answer OP question?

de0u

Delaney Unfortunately there are plenty of requests for help from users who thought they knew what they were doing, removed a permission from a system app, and then, perhaps weeks or months later, are confused about why some feature of the app is "broken".

Some users have a habit, based on running various stock versions of Android, of "debloating" a device right after acquiring it. But GrapheneOS is already "debloated", and disabling system apps or removing permissions from them really does cause trouble for GrapheneOS users. It is genuinely not recommended.

Delaney

de0u I agree. It only complicates things, and if you trust GrapheneOS, there's no reason to change the system app permissions in the first place.