Whenever you're doing something in an app, whenever you're building an application that's going to interact with a system, it's going to use different resources available on it. Inevitably, you're going to be using some number of privileges. So, you're going to be requesting access to different capabilities of that system that are protected. On Android, you can think about these as the user's permissions that you're building into your app. You're asking for access to find location. Or you're asking for access to the contacts on the app. Or maybe you're asking for some other capability, like access to the camera or Internet. All of these things are privileges that your app is being given. And it's absolutely critical that we protect the privileges that we're given. Now this may seem like a very obvious statement, but there's one really important and simple way that we can protect the privileges that we are given. And that is, and also just the privileges of the system in general is by asking for the least privileges, Possible for our app. If we don't need it, don't ask for it. If your app absolutely doesn't need a particular privilege, don't request it. Sometimes, as developers, we may feel lazy, and we may think, well, I think I'm going to end up using these ten user's permissions. I don't yet, but I know on the road map for my app, I'm going to need these other things, too, so I'm just going to go ahead and toss them into my Android manifest. This uses permission, I'm going to go ahead and ask for find location, even though I only need course location today. Now why is this important not to do this, and why do we care about asking for the least privileges possible? Well the moment that you go and take a privilege on. You become the gatekeeper for that privilege. And you can think about an Android phone, it has all of these different privileges that are available in the phone. And the moment that you take one of these privileges and you get access to it, your app now essentially has that privilege as well. So if an attacker comes along and they say, you know what I'm going to try to attack Android and get access to that privilege. And maybe Android has been really well designed so that there is no way they can easily get access to that privilege. But on the other hand they discover well, there's this flaw, there's this little bug, and your app over here, and they can then get access to that privilege, you just broke an Android security. So every time you take a privilege on, you're creating the risk that your code through some flaw will end up weakening the protection of those privileges, on Android itself or any system that you build. So anytime you take a privilege on, one, you then become a potential gateway to get access to that privilege and therefore, you have to very, very carefully protect it. And you don't want to go and take on privileges and become responsible for protecting them when you don't need to. Particularly when there's so much time and effort that's gone into Android in protecting these things. You don't want to go and take away from what those developer's done by taking a privilege and then not protecting it properly. And so the more apps that get installed, and the more privileges they take, the more potential there is that those privileges can accidentally be leaked to somebody else. So, once you take a privilege you then become responsible for its protection. But the other important thing to realize is, is that let's say that your app was compromised. And you do have a security vulnerability in your app and you have taken no privileges from Android. There's no permissions that you've asked for from Android. Well what this means is, is that the attacker has gained nothing in terms of the overall Android system. However, if you've taken ten privileges, regardless of whether or not you use them, you've, by allowing the attacker to get access to your app, now they've gotten ten privileges. So, wherever possible we don't want to add risk to the overall system and this is a simple way that we can try to reduce the risk that we're adding through our app, is by not taking privileges that we don't need. And whenever we do something, we should try to do it in the least privileged way possible. How can we get the job done with fewer privileges. And if there's a way to design our app so that we can accomplish the same thing, but with fewer privileges we should do it because by taking fewer privileges we are adding less risk to the system when our app gets installed. Now, as a Android user you should also think about this. This means every time you install somebody's app, you're in some ways potentially weakening the security on Android because any privileges that that app takes, and it doesn't properly protect, it could end up causing those things to be leaked. So what would a leak look like? Well, for example an app that doesn't have a user's permission for a particular capability on Android getting access to it through your app. Things like that are what we're trying to eliminate and that's why least privilege is so important. We don't want to take on something that we don't need because we become responsible for protecting it. In the long term in terms of sustainability, the less we have to protect the easier it is for us, and the less work we have to do in order to evolve our app and make sure that we haven't accidentally leaked one of the privileges that we've been given or something else. So from a sustainability point of view it's also important because the less we take on, the less burden we have going forward. And that's part of why we want to always look for, how can we do this with the least privileges possible?
