Android 4.3 has a hidden feature! It's called "App Ops" and it lets you selectively disable some permissions for your apps. Is some misbehaving app constantly pinging your location and draining your battery in a few hours? You can fix that now.

Update! Optional permissions at install

I'm working on my full 4.3 teardown, but I just ran across this and had to add it here:

<string name="grant_confirm_question">Do you want to grant the following permissions? It will get access to:</string>

I found this in the Package Installer, so once this is fully launched, it looks like you'll be able to deny some permissions the time of installation, too.

It's not really ready yet, so Google has hidden it. It seems to work though. If you're feeling adventurous, here's what you do to try it out:


Fire up something that can launch an activity (like Nova Launcher), pick settings, and then "App Ops." You now have a shortcut.

Another Update: Someone actually made a handy app that launches the permissions manager. You can download it right here. It will only work if you have Android 4.3.


Tap the icon and you'll see something like this. There's list of all your apps and the permissions they use, categorized into 4 handy tabs. The tabs are broken down into "location," "personal," "messaging," and "device," so it's easy to see what app uses the permissions you're concerned about. On the right is a timestamp for when the app last used a permission.

wm_2013-07-25 13.35.31large

Once you pick an app, you'll get a screen with easy on/off buttons for each permission. Don't want Facebook to know your location? Just hit the "off" switch. The app will still work, it just won't have any idea where you are. This screen also tells you the last time each individual permission was used.

The one problem I see (and hopefully the reason why this isn't a user-facing feature yet) is that there is no explanation for why your location is broken in Facebook. A system notification that says something like "App Ops is currently limiting this application's permission access" would probably stop some tech support nightmares.

wm_2013-07-25 12.51.49wm_2013-07-25 12.51.55wm_2013-07-25 12.52.01

The way this list works is actually highly annoying. Rather than just read the declared permissions in App info (above), App Ops tries to do "detection" for certain permissions.

wm_2013-07-25 12.52.19wm_2013-07-25 13.34.57wm_2013-07-25 13.35.31

For some permissions, the app has to make use of them before they will show up in App Ops. For instance, on the left is my permissions list when I first fired up Facebook; in the middle is the list after I told it to import contacts; on the right is the list after I posted a picture from the camera. You have to go and hunt down all the permissions and make the app use them before you are allowed to disable them. That's a lot of work. Is this list complete? Will it ever be complete? There's really no way of knowing.

wm_2013-07-25 13.29.25

That's about it for App Ops. Just please, take care when you mess with this, and keep in mind it's not ready yet, so you might run into problems. Also, even when it does work, you are messing with settings the app developer never intended for your to have control over. If you happen to horribly break something, don't blame me!

Thanks Vincent de Smet!

Ron Amadeo
Ron loves everything related to technology, design, and Google. He always wants to talk about "the big picture" and what's next for Android, and he's not afraid to get knee-deep in an APK for some details. Expect a good eye for detail, lots of research, and some lamenting about how something isn't designed well enough.
  • hyperbolic

    I think it's about time Google would give us this feature in the stock ROM.
    Instead we need to install 3rd party apps like LBE to handle these permissions.

    • Mkvarner

      That's what they are doing, but it's not ready yet.

  • pepoker1

    permission for a app dont have internet access !

  • Guillaume ‘XpLoDWilD’

    I feel sad for Cyanogen who worked on something exactly similar (CM Privacy Guard).

    • SkullOne

      Privacy Guard is nothing like this. PG just feeds back blank information for items like contacts. It doesn't control permissions at all. This is far more in tune with the permission management that CM7 had.

      I'm interested in knowing how Google is doing this because it can't be something as invasive as the CM7 implementation. Revoking GPS from Facebook would make it Force Close on CM7.

      • Guillaume ‘XpLoDWilD’

        Well iirc the early discussions about it, Privacy Guard feed false information especially because it would make some apps FC, but the final point is the same: preventing apps from accessing data/features you don't want them to.
        If Google managed to revoke permissions without FC, it's just as good.

        So from the end-user point of view, it's the same.

      • mgamerz

        I think the difference is that its not denying access to the permission. It's just feeding it garbage/blank data. It's why LBE Privacy guard worked so well.

      • TomsDisqusted

        Yes, this 'app ops' feature is quite badly designed - surely it will change a lot before it is finally released. For one thing, I'm interested in blocking access to my contacts before they are read or changed, not after.

        The Privacy Guard feature of CM is much better.

    • Björn Lundén

      Is the implementation really similar though? I haven't looked at the source yet.

    • Justin

      me too. but at least this one is a lot less buggy.

    • Wyatt Neal

      I don't feel sad for the CM person who made this ... you have to think that they got some attention from Google when everyone started clamoring for it and that at the end of the day, they are happy the feature got in, not how it got there.

      • https://steamcommunity.com/id/m-p-3 m-p{3}

        If that developer pushed Google to act on this, then he achieved something even better!

      • http://www.totallydubbed.net/ TotallydubbedHD

        I see it this way: If it was Apple, they would claim it as revolutionary and sue the developer after stealing his idea....

        • Vardan Nazaretyan

          But it's Google, and I'm sure, this won't happen. :)

        • nawa

          Well, Apple already has this in iOS, by the way. Permissions are given on request. This is the way I want it in Android.

          • Wyatt Neal

            I don't know. I feel like I like this better. It's been a while since I've had an iPhone, but doesn't it only ask you on the first access and not subsequent ones? It seems like that would prevent you from saying "Nah, I feel like this app has gotten shadier recently, I'd like to revoke that"

          • icyrock1

            Yeah. However, this seam like it's the same thing. for example; It asks you if you want to give it access one time, then depending on if you say yes or no, it's either given that permission or not. All you have to do to change the permissions is go to Settings > Privacy and you have the freedom to give and take permissions has you want.

            TBH, this is one of the two things I miss from iOS after coming to android (I miss this, and notifications. In android, I have to go settings > apps > all apps and change them all independently [meaning I have to click the app, then check the box, then press back] if I want to take away their rights to notifications. In iOS all I have to do is Settings > Notifications and I get a list of all my apps to give or take their notification rights which, IMO, is a faster way to do it).

          • squiddy20

            If you have a device with Android 4.0 or higher, and if a notification pops up from an app you don't want to receive any more notifications from, just long press on the notification and an "app info" shortcut should appear.

          • https://play.google.com/store/apps/developer?id=Piotr+Zientarski Piotr Zientarski


          • Cerberus_tm

            You can do exactly that with 'Notifications Off" if you're rooted: https://play.google.com/store/apps/details?id=com.aboutmycode.NotificationsOff
            It even has profiles, so you can, e.g., turn off Facebook notifications in your "work" profile etc.

          • ACE

            Nope. You can go back in and change anytime you want.

          • Stacey Liu

            But, unless I'm missing something, once you allow an app to do something, you can't take away that permission without reinstalling the app.

          • a guest

            It is. They request it right when you click install. A big list of permissions is shown. Don't like them? Don't install it!

          • icyrock1

            Yep. It's one of the few features I miss from iOS after coming to Android.

          • Jon Willis

            Do you though? I find permission nagging to be very disruptive and not that useful. It just makes you make a decision the first time an app needs a permission.

          • nawa

            Mostly, I don't care about permissions. But in a rare case, they need to be disabled. So this can be just a setting and by default everything is permitted.

          • tgkokk

            Not exactly. I think that you can only limit location data and access to address book.

          • anywherehome

            With ios it's limited..... This is complete so better
            But they will improve it for sure.

          • Cerberus_tm

            Really? All permissions? Including things like "access user's photo's", "access 3G Internet", "access Wifi internet", "access Wifi location", etc.? It's good to see Apple already has thus.

            Of course many people now use Xprivacy on rooted Android phones, which probably has a lot more options. It can block applications from accessing your location through the Google Services Framework, for example; otherwise, you can't stop Facebook from accessing your location, because it doesn't use Android's location. It can also allow an application to see only certain accounts and only certain applications.

          • Misti curia

            Doesn't really work that well, to access gallery it asks to access location? And apps can still read contacts and such without people knowing.

          • paul.c

            since when? i have never been asked for any permission on my work iphone 4.

    • Sietai

      When I tested the CM Privacy Gaurd, the app in question was still able to read my contacts and phone number. Maybe it's PA's fault (perhaps they didn't port it over completely, I was using a nightly anyhow).

      I've found XPrivacy to be very helpful. It requires you to install the Xposed framework, but it has restricted permissions without a hassle.

      It basically spoofs your information. An app tries to read your contacts? rather than refusing to give them access, it makes it look like you have an empty address book. An app tries to read your phone number? It gives the app some random digits.

      • http://kennydude.me/ Joe Simpson

        I have had this issue, but it was fixed in later nightlies

      • Cerberus_tm

        I agree: Xprivacy is really the best!

    • http://www.totallydubbed.net/ TotallydubbedHD

      Do remember head of CM got employed at Samsung - at least from what I remember :)

      • s_bomb

        And he left after 19 months ;)

    • anzensepp1987

      I do not feel sad. I don't use CM anyway... With this addition to the AOSP many more users can profit!

    • Potato

      Completely two different features. One feeds blank information, the other controls permissions.

    • KingRando

      CM doesn't have nearly as many options. With CM it's either fully enabled or fully disabled

  • Erstam

    Epic. Been doing this on AOKP for a while. Glad to see it making its way to stock.

  • Sean Lumly

    This is hands down the most exciting user-facing feature for stock Android 4.3 (even if it's currently hidden). There are so many apps that I would actively restrict in some way, and many that I have avoided simply due to strange permissions; even from legitimate sources.

    • Ryan Stewart

      Same here. I pick similar apps based on which one uses the permissions I think it should be using.

      Here is the billion $ question, can you disable access to the network this way? If so it would be a built-in adblock.

      • Sean Lumly

        That is a really good question. The article states that certain permission controls appear only when used by the app (which is very weird considering that the apps permissions are known even before the app is run), and it seems that the facebook app does not have a network permission despite that permission undeniably being present in the app on every use.

        So it would seem that the permission control sadly does not extend to *some* permissions, one of which looks to be network access..

        This is a bit of a bummer, but on the bright side, some control is better than none at all! :

        • Ryan Stewart

          I just tested by downloading an add supported AB and it definitely didn't show any network permissions being configurable. I suspect Google anticipated this and didn't want to make it easy to essentially implement your own "ad block."

          • Sean Lumly

            Good sleuthing! I suspect this as well..

          • vivek

            if we could block network access, we could stop premium apps like battery reborn widget pro, or widget locker from accessing the network and verifying the licence from the play store making their use instantly free for the life time..right?

        • Henry

          Im having trouble getting facebooks audio and camera functions disabled do you have any suggestions?

          • Sean Lumly

            Sorry, I don't know how to accomplish this. You may want to look into a custom ROM which may offer that functionality if such a ROM exists.

    • Chris

      some of those "strange permissions" are vital to certin apps features. Even something as small as a link to "contact us" via phone needs access to the dialer.

      • Sean Lumly

        Indeed. Of course, sometimes, there is little want or need for these features (eg. location or dialer).

        • David

          Actually, coarse location is one of the best used permissions, imho. It's not precise as GPS location, but will be enough for most apps, and the privacy breach is minimal. When you think about it, most apps could benefit from having location features. My app uses it to automatically select data for the user. As a user, I even prefer ads to be geographically filtered for me (but in my app it's opt-IN). I'm more likely to be interested, and at the same time it lowers the price of "free" apps and "free" technology.

          However, there are indeed permissions that should fire all sirens: dialer, like you mentioned. Private information, account removal, all things that you normally don't expect, much less in a free wallpapers app. :)

          • Sean Lumly

            Hahaha... Exactly!

      • https://play.google.com/store/apps/developer?id=Piotr+Zientarski Piotr Zientarski

        No it doesn't.
        If you want to dial a number directly then you need a permission, but you can and should just send an intent with number to dial and system will use your default dialer to show number then you can confirm call. That doesn't require any special permission. It is the same for SMS, email or links to website.

    • Kaitensatsuma

      I like this a lot, there at just some apps that ask for completely irrelevant things that I feel uneasy granting

  • Amer Khaznadar

    If Google keeps going in the same direction they are now then by Android 5.0 there won't be much reason to go with custom ROMs.

    • CuriousCursor

      There will always be more experimental features.

    • http://jordanhotmann.com/ Jordan Hotmann

      Must. Have. Pie....

  • Jeffrey Smith

    Maybe I'm stating the obvious here, but surely this ties into the same framework that enables Restricted/Limited profile.

  • roberto.elena

    What I really need is to configure what type of location each app can use. For some of them I want to use the best possible (GPS, Wi-Fi or 3G) but for others I don't want to use GPS, because they drain the battery if they ping too often.

    As I see it, this doesn't solve my problem. Sad.

    • CuriousCursor

      One step at a time

    • Mike Harris

      I wish there was a way to tell the Amazon Appstore that I'm on wi-fi even though I'm not. There's no reason my 4G can't handle a download just because it's over 50MB. What a stupid, artificial restriction.

  • Mike Harris

    I love this idea, but I'm kind of surprised Google would add something like this when it allows the end-user to have so much control over how an app runs, despite how the app was created by its developer. I mean, you can theoretically take an app and make it work much differently than how it's intended to work.

    The first thing that comes to mind is network access. Turn that off for an ad-supported game and voila! No more ads for that game.

    • Zhelyazko Atanasov

      As a developer this new feature is not so good. I guess that it is not released yet because there is no developer-related APIs/ways to detect if a permission is granted to your app or not. Removing a certain permission may terribly crash an app right now. We need a way to check if we have a permission to do something.

      The other thing that bothers me is the point you've mentioned - ad supported apps/games which otherwise don't need an active connection are doomed. Still a lot of developers are unable to sell their apps or use in-app billing and ads are the only way for them to make a profit (sadly my country is in that list).

      But I'm pretty sure that Google will clear everything before releasing this to the public. After all, their major business is selling Ads and the most used mobile ad provider - AdMob is owned by them. I doubt they will reduce their profit.

      • Kurt

        I always thought apps were supposed to gracefully handle not having a permission to begin with? Like no errors displayed or crashing.

        • Zhelyazko Atanasov

          Well, you have to be sure your code works in any conditions but not all apps are written like that and sometimes for small functionalities you may miss a null-check and your app could crash. Moreover, it is better to be aware of a lack of permission so that you could tell the user "Hey I don't have permission to read your contacts" instead of "0 contacts found" or something similar =)

      • TomsDisqusted

        > there is no developer-related APIs/ways to detect if a permission is granted to your app or not.

        boolean hasPermission = PackageManager.PERMISSION_GRANTED == pm.checkPermission( Manifest.permission.ACCESS_COARSE_LOCATION, packageName);

        Or just handle securityexceptions when you make calls that can throw them.

        • Zhelyazko Atanasov

          Oh...yes yes! I've used it and forgot about it. Thank you for the reminder ;)

    • brakar

      Some games place placeholders on ad spaces when you are offline, but that isn't really an elegant solution. I think if this feature is going to be "official", developers will be given a way to check permissions and allow the app to run/not run accordingly.

    • https://play.google.com/store/apps/developer?id=iWizard Bikram Agarwal

      Read similar thing in two threads and am curious. How to turn off network access for any particular app?

    • Alex

      Why not test to see if you have permission to access the internet, and if not, show a message informing the user that they must enable internet access and prevent the game from starting until they enable it.

      In fact, I can see developers using this idea to force users to enable all permissions for the app, otherwise it won't start.

    • Chris

      I don't really know why there is a need for "permissions" anyway. It worked well enough with out them for Apple and their app store. As I said in my comment above, many people don't know why some permissions are needed.

  • urandom

    you can use the 'am' command from an adb shell.

    something along the lines of 'am start -m "org.package/org.package.Activity" -a android.intent.action.MAIN -a android.intent.action.LAUNCHER

  • D4niel

    You can also do this with the stock launcher by using an app like this to create a shortcut (tested, it works):


    • RockAndRock

      Yay thank youuuuu ! :))

    • http://www.twitter.com/andrewpalozzo Andrew Palozzo

      Love it! Saved me having to install a 3rd party launcher!! Also easier to find as well. Just typed in App ops and wham there it was :)

  • james kendall

    about time. now if only my devices get the push to 4.3 as they have not even gotten 4.2 yet. but hay at least I have 4.1.2

  • Torey

    Must be a UI for SELiunx that 4.3 introduced. Thought it was only in permissive mode though.

  • saeba

    Good feature! Do you know if it's possible to disable the autostart for an application ?

    • Sietai

      Rom Toolbox and a couple other apps can all do this, but only with root.

  • HellG

    Do you guys think Custom ROM builders can edit this feature to add the ability to stop the apps from reaching the internet as well? this is the only reason i'm using Avast because of it's firewall!

    • CoreRooted

      Doesn't need to. Revoke the network permissions and it will be denied from connecting. There is nothing that the ROM developers would need to do.

      • Jake

        But network permissions don't seem to be listed yet.

        • CoreRooted

          Judging from the screenshots, it's the "Post Notification" permission and "Location" permission. I'm sure they will probably refine it so that it uses the actual permissions.

          • Jake

            The Network permission has a whole subset of permissions. Take a look at middle one in the 4th set of (app info) screenshots in the article. It lists 'download files without notification' among the Network permissions.

          • Justin Foster

            If you're rooted, Xposed Framework is the perfect solution. U just need the "App Settings" module.

          • CoreRooted

            Yeah, I know (app dev). That's why I am hoping that they revamp it to support the full permission sets.

  • Sorian

    I am guessing this is going to use the same sting from restricted profile.

    To make your app's restriction settings appear to the user, you must declare the restrictions your app provides by creating aBroadcastReceiver that receives the ACTION_GET_RESTRICTION_ENTRIES intent.

  • mike

    So both iOS and Android are copying a 10 year old BlackBerry feature?

    • MacMan156

      There's no shame in admitting that your system isn't perfect and someone else did it better

    • Chris

      Expect No one uses blackberry now unless its in a cobbler

  • https://steamcommunity.com/id/m-p-3 m-p{3}

    Finally, no more GPS access for Facebook on my device :D

    • Chris

      You do know why GPS is needed? For check ins.

      • https://steamcommunity.com/id/m-p-3 m-p{3}

        Not necessary, I can search for it by hand.

        And I rarely check-in.

  • hackbod

    Fyi, these are not controlling permissions, they are not related to application restrictions, they are a different mechanism.

  • Rower

    can someone write simple app to open this? i don;t want to use custom launcher only for that.

  • Elias


    (Now if only the developers would treat exceptions on their app to avoid them crashing... Or else people will continue faking permissions.)

  • Dave

    Awesome! I cannot wait to get this feature. I am now using Xprivacy which is doing the same but i would love to have this too!

  • Gaurav Chandiramani

    holy fuck! this is brilliant.

  • Brunobliss

    FINALLY! I swear i was about to change religion if android didn't fix this

  • Humberto Hernandez

    First thing to do: Remove all facebook permissions. LOL

  • ACE

    Gee. Isn't this a direct copy of Apple. I thought only Apple copied Android ?

  • http://www.mobileosworld.com/ Xen Lee

    Really an awesome feature But do developers have to redesign their apps to make permissions accessible by user or it is already available in apps code and it would just show up in Android 4.3 http://www.mobileosworld.com/2013/07/nokia-lumia-1020-low-light-photos.html

  • Marko

    Fun fact: Google Play doesn't know 4.3 is out yet - go to Permission Manager's details page and you'll note "Requires Android [empty space] and up" under "Additional information" :)

  • Chris

    The real problem is people freak out about permissions without really fully knowing why they are needed. For example my credit union's app requires access to the phonebook. I assume somewhere the phonebook and the dialer are connected and there is a link to "contact us" in the app. or there is an app that requires access to the camera when the app has a option to upload your own photo (access to gallery) or take a photo (access to camera) and people throw a fit. Hell I've seen people freak out over Chase's app requiring access to the camera. Well it needs that permission so you can use the "snap a photo of your check to deposit the funds" feature.

    The way look at it. unless you are downloading a vague app from a vague developer theres no need to freak out. Especially if its a well known app (ie; foursquare, Yelp. any google app etc) Now if you download some app from china or some app thats not well known then yeah. I'd question it.

  • http://jamieellis.co.cc/ Jamie Ellis

    "you are messing with settings the app developer never intended for your to have control over. If you happen to horribly break something, don't blame me!"

    The person should blame the developer and/or themselves tho I expect the first thing they do if an application goes nuclear is to turn that apps permissions back onto "on"

    It is probably time for Application Developers to put in redundancy.
    I.e. Facebook requiring location for its location features:
    (if it off) include a justification reason why the app needs it on.

    The developer will need to consider and factor in that the app still needs to work if you choose in the interests of privacy to restrict the app more than the app or developer wants!

    • Chris

      I say blame the user with not understanding why some permissions are needed. Apple has no issue with this and it worked well enough for them the first few years the app store has been around.

      • http://jamieellis.co.cc/ Jamie Ellis

        Yes a problem for Android is not understanding by the user of the permissions and to some panic of what the application wants to know

        Equally plenty of Applications Developers is not helpful enough for why they need set permissions. There is some developers who do try to explain in the application description assuming the end user reads the description in full why they need such as to "access to the camera" for scanning barcodes and "location" to find the closest local supermarket!

  • faceofboe69

    Thanks. I posted an excerpt of this on http://000destruct0.blogspot.com/ with a link back to you.

  • Maher Salti

    all in all, google listens and isn't ignorant compared to apple, each android os keeps getting quicker while apple's IOS keeps getting more hungry for resources.

    Love this feature and installed it as soon as I got the chance, when google enables this themselves we'll see what it is truly capable of. :)

  • greenman18523

    This looks very exciting. At first I thought it was like in older versions of CM, just removing permissions. But after a small test it looks like it is an "Incognito Mode", so apps will not crash, it will be like you had no contacts or gps whouldn't get a position fix etc, etc...

    So it looks like they are making, what CM is making now, official, probably in the next version.

  • Bill

    some of listed apps show permissions like read contacts but cant OFF it . why ? some of it can.

  • openviewmobile

    also can try this app ops launcher, it just only 7kb: https://play.google.com/store/apps/details?id=com.ovmobile.appopslauncher

  • http://web.aeyoun.priv.no/ Daniel Aleksandersen

    Excellent. I’ve really wanted more granular control over permissions. Thanks for the heads-up on the third-party app to access it early.

  • NullPointer

    That's the easiest way to get access to the hidden permission manager: https://play.google.com/store/apps/details?id=com.schurich.android.tools.appopsstarter

    It does not need any permissions, no ads, no root and it's free.

  • sachin goral

    So very useful. Love AP

  • Joshua

    The referenced app is full of ads now.. ad free alternative is here: https://play.google.com/store/apps/details?id=me.boogoo.permissionmanager.app.ops.launcher&hl=de

  • JackT

    The appholcs permission maanger that everyone downloaded at first requires you to pay now :(
    This permission manager (launches app ops) is FREE: https://play.google.com/store/apps/details?id=mobi.facelock.permissionmanager
    and does the same thing

  • http://dennisbareis.com/ Dennis Bareis

    This is how it should have been in the first place (at least after Google finish twaking things), apps just need to be written to fail gracefully when they haven't got the access to something.

  • Tobert Rowmaker

    I think one reason this feature is hidden at first is I imagine many apps will actually crash when they are denied what they want -- you have to code your app to handle the error and give a sensible error message.

    The first step is to make this available as a dangerous, feature -- app vendors will get the hint and slowly start to accept that they can't get what they demand, and improve the apps to elegantly handle these cases. Then, later, when the apps themselves are ready, it can become user-facing (and indeed, transition to a opt-in rather than opt-out model) and we'll have the permissions model of iOS, which is the one thing that iOS seemed to get right (with the benefit of hindsight).

  • พรอรุณ พุ่มแย้ม

    Thank you

  • 4.3 user

    Is this feature available in KitKat?

    • Hotspaghetti


  • Donovan

    Love this app, just wondering if you had a plan to update for 4.4. It was the first thing I installed on my Nexus 5 but it says activity not found when I try to launch it.....

  • Phil Blank

    Its been yanked by Google, just read the news about it.

  • http://dennisbareis.com/ Dennis Bareis

    I am looking to Google to remove my reasons for having a rooted phone not add another reason to the list!

  • The_El_Conquistador

    Looks like Kitkat has omitted this as an option.

  • stacey

    help am running android 4.2.2 on my kids tablets need the content blocker as my antivirus hasn't an option to do it on a tablet, kids were searching wallpapers the other day and got live chat sites and pictures of asian slut wallpapers etc does 4.3 have this function or is there an app i can download to block such content?