Android's permission system controls which device capabilities an app can access. Permissions are declared in the app's manifest and (for sensitive permissions) must be granted by the user at runtime. Requesting permissions you don't need makes users less likely to install your app and can cause rejection during Google Play review.
How Android Permissions Work
Android divides permissions into two categories:
- Normal permissions: Granted automatically at install time. The user is not prompted. These cover low-risk capabilities. Example: INTERNET (required by all apps that load web content).
- Dangerous permissions: Granted at runtime by the user. A system dialog appears asking the user to allow or deny. The user can change their decision at any time in Settings. Examples: CAMERA, ACCESS_FINE_LOCATION, READ_CONTACTS.
Permissions WebToAppConvert Manages
Always Requested
| Permission | Category | Purpose |
|---|---|---|
| INTERNET | Normal | Required to load your website in the WebView |
| ACCESS_NETWORK_STATE | Normal | Allows the app to detect connectivity changes (for offline handling) |
Optional: Enabled in Configuration
| Permission | Category | When to Enable |
|---|---|---|
| CAMERA | Dangerous | Your website uses camera input (photo upload, video call, QR scanner) |
| ACCESS_FINE_LOCATION | Dangerous | Your website requests the user's precise GPS location |
| ACCESS_COARSE_LOCATION | Dangerous | Your website requests approximate location |
| READ_MEDIA_IMAGES / READ_EXTERNAL_STORAGE | Dangerous | User needs to upload images from the device's gallery (Android 13+ / below) |
| READ_MEDIA_VIDEO | Dangerous | User needs to upload video files |
| POST_NOTIFICATIONS | Dangerous (Android 13+) | Required for push notifications on Android 13 and above |
| WRITE_EXTERNAL_STORAGE | Dangerous | Required on older Android versions for file download support |
| RECORD_AUDIO | Dangerous | Your website uses microphone input (voice recording, video calls) |
Principle of Least Privilege
Only enable permissions that your website actually uses. If your website never requests camera access, don't include the CAMERA permission. The reasons are practical:
- Users see the permission list before installing on older Android versions and may decide not to install
- Google Play reviews apps requesting sensitive permissions and may ask for justification
- Permissions you request but don't explain in your Data Safety form can trigger policy violations
- Fewer permissions = smaller attack surface and a cleaner user experience
Runtime Permission Prompts
When your website uses a feature that needs a dangerous permission (e.g., it calls navigator.geolocation.getCurrentPosition()), the WebView triggers Android's runtime permission system. A dialog appears asking the user to allow or deny the permission.
If the user denies a permission, the website's request fails silently (or with an error, depending on how your website handles it). Your website should handle permission denial gracefully: show a message explaining why the permission is needed and provide a workaround or fallback if possible.
Permission Rationale
For most users, a permission request appears out of context. Telling users why a permission is needed (before the system dialog appears) increases approval rates. This is typically done at the website level: before triggering a geolocation request, display a message like "We need your location to find nearby locations." The same principle applies to camera and microphone access.
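The denial handling and the rationale step described in the two sections above, combined into one added example. This is not code from WebToAppConvert; the names requestLocation, explainDenial and the ui hooks (confirmRationale, showFallback) are hypothetical, and the fallback wording is constructed.

```javascript
// Added example. requestLocation, explainDenial and the ui hooks are hypothetical names.

// Turn a GeolocationPositionError into what the page should show next.
// Codes are fixed by the Geolocation API: 1 = PERMISSION_DENIED,
// 2 = POSITION_UNAVAILABLE, 3 = TIMEOUT.
function explainDenial(err) {
  switch (err ? err.code : 0) {
    case 1: // the user (or the host app) refused the request
      return { reason: 'denied', retry: false,
        message: 'Location is off. Enter a city or postcode instead.' };
    case 2:
      return { reason: 'unavailable', retry: true,
        message: 'We could not get a position fix. Try again or enter a city.' };
    case 3:
      return { reason: 'timeout', retry: true,
        message: 'Finding your location took too long. Try again or enter a city.' };
    default: // no geolocation object, or an unexpected error shape
      return { reason: 'unsupported', retry: false,
        message: 'Location is not available here. Enter a city or postcode.' };
  }
}

// geo: navigator.geolocation (or a stub in tests).
// ui.confirmRationale(text, cb) shows the site's own explanation and calls cb(true|false).
// ui.showFallback(info) renders the message and the manual-entry workaround.
function requestLocation(geo, ui, onPosition) {
  if (!geo) { ui.showFallback(explainDenial(null)); return; }
  ui.confirmRationale('We need your location to find nearby locations.', (agreed) => {
    if (!agreed) {
      // The user said no to the site's explanation: never raise the system dialog.
      ui.showFallback({ reason: 'declined', retry: true,
        message: 'No problem. Enter a city or postcode to search.' });
      return;
    }
    geo.getCurrentPosition(
      (pos) => onPosition({ lat: pos.coords.latitude, lon: pos.coords.longitude }),
      (err) => ui.showFallback(explainDenial(err)), // denial is handled, not silent
      { enableHighAccuracy: false, timeout: 10000, maximumAge: 60000 }
    );
  });
}
```

On the page, pass navigator.geolocation as geo and wire ui to your own dialog and manual-entry form; the same shape works for camera and microphone requests made through getUserMedia.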