Android Permissions Required by the Customer Client App

The Android customer client for BeyondTrust requests a series of permissions during installation. The client prompts for certain permissions upon installing, but others are requested only when needed. Google Play lists the permissions used by apps, including the BeyondTrust Android customer client, but this list of permissions may not provide a satisfactory level of detail for all users. The following table offers a list of all permissions, as well as an explanation for each one.

API Permission Name Permission Definition Permission Explanation
android.permission. ACCESS_SURFACE_FLINGER Allows an application to use SurfaceFlinger’s (involved with the display frame processor) low level features. The representative may request screen sharing of the device's screen in order to provide more efficient support. This permission is necessary for the app to share the device's screen to the representative console.
android.permission.KILL_BACKGROUND_PROCESSES Allows an application to call killBackgroundProcesses(String). A representative that is viewing the device's screen, may wish to perform actions on behalf of the user, such as keystrokes or touch events, in order to provide more efficient support. This permission is necessary for that functionality to work.
android.permission.GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service. The app uses this permission in an effort to find the device user's name when the support session is presented to a representative. Previous versions of the app used the phone number, but that is not as user-friendly or as personal. Given that the user name could be stored in multiple locations, the app first attempts to locate it in the You contact; if unsuccessful it looks for a Google account on the device. If finding the user’s name is not possible, the app will look at the SIM card and attempt to gather some generic information about the device (this happens only when dealing with non-consumer devices).
android.permission.READ_CONTACTS Allows an application to read the user’s contacts data. The app uses this permission in an effort to find the device user's name when the support session is presented to a representative. Previous versions of the app used the phone number, but that is not as user-friendly or as personal. Given that the user name could be stored in multiple locations, the app first attempts to locate it in the You contact; if unsuccessful it looks for a Google account on the device. If finding the user’s name is not possible, the app will look at the SIM card and attempt to gather some generic information about the device (this happens only when dealing with non-consumer devices).
android.permission.INTERNET Allows applications to open network sockets. The app connects to a Secure Remote Access Appliance in order to receive all requests from the technical representative and to send data such as chat messages, screen sharing updates, file transfers, and system information.
android.permission.WRITE_EXTERNAL_STORAGE Allows an application to write to external storage. The representative can request the app to write data to the user's SD card as a way of sharing data files and applications that the user may need.
android.permission.INJECT_EVENTS Allows the app to deliver its own input events (key presses, etc.) to other apps. A representative that is viewing the device's screen may wish to perform actions on behalf of the user, such as keystrokes or touch events, in order to provide more efficient support. This permission is necessary for that functionality to work.
android.permission.WAKE_LOCK Allows using PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming. Since the app keeps a constant connection to the appliance during a session and the user may be requested to respond to a chat message from the representative, the app requests a wake lock during the session to keep the device from going to sleep.
android.permission.READ_FRAME_BUFFER Allows an application to take screen shots and more generally get access to the frame buffer data. The representative may request screen sharing of the device's screen in order to provide more efficient support. This permission is necessary for the app to share the device's screen to the representative console.
android.permission.READ_PHONE_STATE Allows read only access to phone state, including the phone number of the device, current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. The app, upon the representative requesting it, will gather some system information including the phone state and transfer the data to the representative console so that the representative can better access the issue of the customer.
android.permission.READ_EXTERNAL_STORAGE Allows an application to read from external storage. The app, upon the representative requesting it, can read data from the user's SD card as a way of capturing device and application data and logs that may be needed to diagnose issues.
android.permission.READ_PROFILE Allows an application to access the device user’s personally-identifying data. The app uses this permission in an effort to find the device user's name when the support session is presented to a representative. Previous versions of the app used the phone number, but that is not as user-friendly or as personal. Given that the user name could be stored in multiple locations, the app first attempts to locate it in the You contact; if unsuccessful it looks for a Google account on the device. If finding the user’s name is not possible, the app will look at the SIM card and attempt to gather some generic information about the device (this happens only when dealing with non-consumer devices).
android.permission.CAMERA Required to be able to access the device's camera. The representative may request remote camera sharing and video annotations using BeyondTrust InSight. This permission is required to perform this functionality.
android.permission.ACCESS_NETWORK_STATE Allows applications to access information about networks. The app shows a specific error message if the user attempts to connect to a Secure Remote Access Appliance and the Wi-Fi and mobile data connectivity are disabled. This permission is required to perform this functionality.
android.permission.FOREGROUND_SERVICE Starting with Android 9.0, this permission gives the application a higher priority for system resources and enforces that the app creates a notification while the service is in use. The app uses this permission while it is connected to an SRA appliance to ensure that the connection is consistently maintained by the host operating system. Without this permission, the app could be ended at any time by the host operating system, leading to service interruptions.
android.permission.CAPTURE_VIDEO_OUTPUT This permission is used to capture the screen on older versions of Android. It requires special levels of access and is usually only allowed on 3rd party devices such as Samsung and Zebra devices. The app uses this permission on certain devices to allow it to capture the screen for use in remote support sessions. Without it, the representative would be unable to see the remote device.
android.permission.CLEAR_APP_USER_DATA This permission allows the app to clear the user-specific data from another app on the device. This permission in only granted on certain devices. The app uses this permission in a remote support session as part of the system information tool. The representative can use that tool to view the installed apps on the remote device and clear the user data from the app, resetting it to its default state. This can be useful as a method for fixing an app that is misbehaving.
android.permission.REAL_GET_TASKS This permission allows the app to obtain information about other processes running on the device. This permission in only granted on certain devices. The app uses this permission in a remote support session as part of the system information tool. The representative can use that tool to view the running processes on the remote device and end those processes as needed. This can be useful as a method for fixing an app that is misbehaving.
com.samsung.android.knox.permission.KNOX_REMOTE_CONTROL This permission, which is specific to Samsung devices, allows screen capture and input injection. The app uses this permission in support sessions running on Samsung devices to allow the representative to remotely control the device by seeing their display injecting input from their console to solve the user’s issue.