Complete Guide to App Permissions on KaiOS
There are more than 100 permissions available on KaiOS! Below is the complete list of permissions on KaiOS 2.5 and KaiOS 3.0 defined in PermissionsTable.jsm to help with developing your next application.
Hosted & Privileged Apps
Geolocation
1geolocation: {
2 app: PROMPT_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: PROMPT_ACTION
5},
6"geolocation-noprompt": {
7 app: DENY_ACTION,
8 privileged: DENY_ACTION,
9 certified: ALLOW_ACTION,
10 substitute: ["geolocation"]
11}
Similar to web apps, KaiOS apps can request access to the user’s Global Positioning System (GPS) coordinates using the
Geolocation API. However, this API is not available unless your app requests the geolocation permission. Calling navigator.geolocation.getCurrentPosition at runtime will trigger a permission request dialog that the user can then accept or reject. For Certified apps there is also a substitute permission, geolocation-noprompt, which as the name implies does not trigger a permission request dialog.
Camera & Video
1camera: {
2 app: DENY_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: ALLOW_ACTION
5},
6"video-capture": {
7 app: PROMPT_ACTION,
8 privileged: PROMPT_ACTION,
9 certified: ALLOW_ACTION
10},
Access to the device’s cameras requires the camera permission, which will prompt the user except in Certified apps. Similarly for video recording, the video-capture is required.
Alarms
1alarms: {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Access to the
Alarms API requires the alarms permission.
Sockets
1"tcp-socket": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"udp-socket": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10}
Access to the TCP or UDP Socket API requires the tcp-socket or udp-socket permission, respectively.
For more on the
Socket API, see the blog post.
Contacts
1contacts: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION,
5 access: ["read", "write", "create"]
6}
Access to the contact’s list requires the contacts permission.
DeviceStorage
1"device-storage:apps": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION,
5 access: ["read"]
6},
7"device-storage:apps-storage": {
8 app: DENY_ACTION,
9 privileged: DENY_ACTION,
10 certified: ALLOW_ACTION,
11 access: ["read"]
12},
13"device-storage:crashes": {
14 app: DENY_ACTION,
15 privileged: DENY_ACTION,
16 certified: ALLOW_ACTION,
17 access: ["read"]
18},
19"device-storage:pictures": {
20 app: DENY_ACTION,
21 privileged: PROMPT_ACTION,
22 certified: ALLOW_ACTION,
23 access: ["read", "write", "create"]
24},
25"device-storage:videos": {
26 app: DENY_ACTION,
27 privileged: PROMPT_ACTION,
28 certified: ALLOW_ACTION,
29 access: ["read", "write", "create"]
30},
31"device-storage:music": {
32 app: DENY_ACTION,
33 privileged: PROMPT_ACTION,
34 certified: ALLOW_ACTION,
35 access: ["read", "write", "create"]
36},
37"device-storage:sdcard": {
38 app: DENY_ACTION,
39 privileged: PROMPT_ACTION,
40 certified: ALLOW_ACTION,
41 access: ["read", "write", "create"]
42}
Access to the
DeviceStorage API requires a device-storage:* permission corresponding to the requested storage type like sdcard, music, pictures, and videos. Special storage types including apps, apps-storage, and crashes are limited to Certified apps only.
Speech Recognition
1"speech-recognition": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Access to the
Web Speech API requires the speech-recognition permission.
Browser
1browser: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"browser:universalxss": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"browser:embedded-system-app": {
12 app: DENY_ACTION,
13 privileged: DENY_ACTION,
14 certified: ALLOW_ACTION
15}
Using the browser permission, it’s possible to embed an external website within your app.
Bluetooth
1bluetooth: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The bluetooth permission provides access to the
Bluetooth API, as well as the System Messages below. It’s used to discover and connect to nearby devices over Bluetooth.
bluetooth-pbap-requestbluetooth-map-requestbluetooth-cancelbluetooth-hid-status-changedbluetooth-pairing-requestbluetooth-opp-transfer-completebluetooth-opp-update-progressbluetooth-opp-receiving-file-confirmationbluetooth-opp-transfer-start
Mobile Network
1mobilenetwork: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Access to specific properties (lastKnownNetwork and lastKnownHomeNetwork) within the Mobile Network API requires the mobilenetwork permission, accessible via navigator.mozMobileConnections.
Push Notifications & ServiceWorker
1push: {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6serviceworker: {
7 app: ALLOW_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"desktop-notification": {
12 app: PROMPT_ACTION,
13 privileged: PROMPT_ACTION,
14 certified: PROMPT_ACTION,
15 defaultPromptAction: ALLOW_ACTION
16},
Unlike on modern web browsers, on KaiOS the
ServiceWorker API isn’t available without requesting the serviceworker permission. Similarly, the
Push API isn’t available without the push permission. Finally, actually displaying notifications using the Notification constructor or a ServiceWorker requires the desktop-notification permission.
FM Radio
1fmradio: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Access to the
FM Radio API using navigator.mozFMRadio (navigator.b2g.fmRadio on KaiOS 3.0) requires the fmradio permission.
Window Types
1attention: {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5},
6"global-clickthrough-overlay": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"moz-attention": {
12 app: DENY_ACTION,
13 privileged: ALLOW_ACTION,
14 certified: ALLOW_ACTION,
15 substitute: ["attention"]
16},
When calling window.open, it’s possible to specify optional features. KaiOS supports a few special features including:
dialogcreates launches a Web Activity using theviewname, or launches a popup windowattentioncreates an attention windowglobal-clickthrough-overlaycreates a global clickthrough overlaymozhaidasheetcreates an in-app sheet with a special animation
App Management
1"webapps-manage": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5},
6"homescreen-webapps-manage": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10}
In order to get the list of installed apps along with their names & icons, the homescreen-webapps-manage permission is required. This provides limited access to navigator.mozApps.mgmt to retrieve the app list and uninstall apps. For full access, including the ability to install apps, the webapps-manage is needed.
Note: the homescreen-webapps-manage permission is only available to a Privileged application that is set as the current homescreen.
SystemXHR
1"systemXHR": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The systemXHR permission allows apps to make cross-origin resource (CORS) requests using the mozSystem flag without the same-origin policy. Check out
XMLHttpRequest without CORS for more details and examples.
1let xhr = new XMLHttpRequests({ mozSystem: true });
Embedding
1"embed-widgets": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"embed-apps": {
7 app: DENY_ACTION,
8 privileged: DENY_ACTION,
9 certified: ALLOW_ACTION
10}
Note: the following permissions do not work because the Embed API was never finished.
Storage
1"storage": {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION,
5 substitute: [
6 "indexedDB-unlimited"
7 ]
8}
Apps can request unlimited IndexedDB storage using the storage permission.
Note: this is dangerous and requires properly managing storage utilization to avoid crashing the device!
Audio Channels
1"audio-channel-normal": {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"audio-channel-content": {
7 app: ALLOW_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"audio-channel-notification": {
12 app: DENY_ACTION,
13 privileged: ALLOW_ACTION,
14 certified: ALLOW_ACTION
15},
16"audio-channel-alarm": {
17 app: DENY_ACTION,
18 privileged: ALLOW_ACTION,
19 certified: ALLOW_ACTION
20},
21"audio-channel-system": {
22 app: DENY_ACTION,
23 privileged: ALLOW_ACTION,
24 certified: ALLOW_ACTION
25},
26"audio-channel-telephony": {
27 app: DENY_ACTION,
28 privileged: DENY_ACTION,
29 certified: ALLOW_ACTION
30},
31"moz-audio-channel-telephony": {
32 app: DENY_ACTION,
33 privileged: ALLOW_ACTION,
34 certified: ALLOW_ACTION,
35 substitute: ["audio-channel-telephony"]
36},
37"audio-channel-ringer": {
38 app: DENY_ACTION,
39 privileged: DENY_ACTION,
40 certified: ALLOW_ACTION
41},
42"moz-audio-channel-ringer": {
43 app: DENY_ACTION,
44 privileged: ALLOW_ACTION,
45 certified: ALLOW_ACTION,
46 substitute: ["audio-channel-ringer"]
47},
48"audio-channel-publicnotification": {
49 app: DENY_ACTION,
50 privileged: DENY_ACTION,
51 certified: ALLOW_ACTION
52}
KaiOS allows apps to specify what audio channel to play sounds on using the
AudioChannels API. Each channel requires a corresponding audio-channel- permission. See the blog post on
Audio and Volume Management for more details.
Note: for simplicity and forward compatibility with KaiOS 3.0, it’s best to avoid the moz- prefixed substitute permissions.
VolumeManager
1"volumemanager": {
2 app: DENY_ACTION,
3 trusted: DENY_ACTION,
4 privileged: ALLOW_ACTION,
5 certified: ALLOW_ACTION
6}
Controlling system volume using navigator.volumeManager requires the volumemanager permission.
Input
1"input": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The input permission gives access to the InputMethod API via navigator.mozInputMethod. The InputMethod API creates a bridge between the web content hosting an input element and the input content (i.e. input app, virtual keyboard app, or IME).
Microphone
1"audio-capture": {
2 app: PROMPT_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: ALLOW_ACTION
5},
6"audio-capture:3gpp": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"audio-capture:3gpp2": {
12 app: DENY_ACTION,
13 privileged: ALLOW_ACTION,
14 certified: ALLOW_ACTION
15}
Access to the microphone for audio recording requires the audio-capture permission.
Near Field Communication (NFC)
1"nfc": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"nfc-share": {
7 app: DENY_ACTION,
8 privileged: DENY_ACTION,
9 certified: ALLOW_ACTION
10},
11"nfc-manager": {
12 app: DENY_ACTION,
13 privileged: DENY_ACTION,
14 certified: ALLOW_ACTION
15},
16"nfc-hci-events": {
17 app: DENY_ACTION,
18 privileged: ALLOW_ACTION,
19 certified: ALLOW_ACTION
20}
For devices with supporting hardware, Near Field Communication (NFC) can be accessed using the nfc permission.
Note: as of the time of writing (March 2023), no KaiOS device has included NFC except for certain models of the JioPhone for use with JioPay only.
Speaker Control
1"speaker-control": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The
Speaker Control API requires the corresponding speaker-control permission to force audio output over the device’s speakers, even while headphones are connected.
Feature Detection
1"feature-detection": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
To use the Feature Detection API via navigator.getFeature and navigator.hasFeature, the feature-detection is needed. Useful features to detect include:
device.qwertyif the device has a QWERTY keyboard like the JioPhone 2hardware.memoryto distinguish 256mb and 512mb devicesdevice.storage.sizeto get the total storage capacity of the devicedom.apps.developer_modeto check if the user has enabled Developer Modedevice.key.volume,device.key.endcall, anddevice.key.camerato check if hardware Volume, EndCall, and Camera shutter keys are present, respectivelydevice.parental-controlto check if parental controls are enableddevice.flipto check if the device has a flip screendevice.bt,device.wifi, anddevice.gpsto check if the device supports Bluetooth, WiFi, and GPS, respectivelyro.product.brandandro.product.nameto get product details
Mobile ID
1"mobileid": {
2 app: DENY_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: PROMPT_ACTION
5}
Privileged apps can request access to Mobile Identifiers like IMEI numbers using navigator.getMobileIdAssertion requires the mobileid permission, which always prompts the user to accept or reject.
Settings
1"settings:wallpaper.image": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION,
5 access: ["read", "write"],
6 additional: ["settings-api"]
7},
8"settings": {
9 app: DENY_ACTION,
10 privileged: DENY_ACTION,
11 certified: ALLOW_ACTION,
12 access: ["read", "write"],
13 additional: ["indexedDB-chrome-settings", "settings-api"]
14},
15"settings-clear": {
16 app: DENY_ACTION,
17 privileged: DENY_ACTION,
18 certified: DENY_ACTION,
19 additional: ["indexedDB-chrome-settings", "settings-api"]
20},
Only the special settings:wallpaper.image is available to Privileged apps. This permission was removed in KaiOS 3.0 and allows apps to set the wallpaper.image setting, changing the system-wide wallpaper image without prompting the user.
External API
1"external-api": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Despite the generic sounding name, the External API via navigator.externalapi is a very limited API that only provides access to a token used by the
API Daemon. It’s primarily used for KaiOS 3.0 apps that need access to these APIs.
Spatial Navigation
1"spatialnavigation-app-manage": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The spatialnavigation-app-manage permission provides access to the boolean property, navigator.spatialNavigationEnabled, which can be read or written. This toggles on or off the virtual cursor within your app.
Sandboxed Cookies
1"sandboxed-cookies": {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
If an app specifically sets the sandboxed-cookies permission in its manifest, this will force reading/writing cookies of this app individually, a.k.a. no SSO service.
Web Components
1"moz-extremely-unstable-and-will-change-webcomponents": {
2 app: DENY_ACTION,
3 trusted: DENY_ACTION,
4 privileged: ALLOW_ACTION,
5 certified: ALLOW_ACTION
6}
Web Components are disabled by default and only available via the moz-extremely-unstable-and-will-change-webcomponents permission. This permission gives access to an unstable version of the Web Components APIs, allowing access to the Shadow DOM and the registration of custom elements, i.e. <x-button>.
KaiOS Accounts
1"kaios-accounts": {
2 app: DENY_ACTION,
3 trusted: DENY_ACTION,
4 privileged: DENY_ACTION,
5 certified: ALLOW_ACTION
6},
7"kaios-accounts:service": {
8 app: DENY_ACTION,
9 trusted: DENY_ACTION,
10 privileged: PROMPT_ACTION,
11 certified: ALLOW_ACTION,
12 substitute: ["kaios-accounts"]
13}
Used for identity management via KaiOS Accounts.
SecureElement
1"secureelement-manage": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The Secure Element API enables access to the Secure Element (SE), a chip that is protected by design from unauthorized access. On KaiOS this is accessible via navigator.seManager with the secureelement-manage permission.
Presentation
1"presentation": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The presentation permission provides access to the
Presentation API via navigator.presentation.
Note: the dom.presentation.enabled preference is disabled by default, and the Presentation API is not usable on KaiOS.
Test Permission
1"test-permission": {
2 app: PROMPT_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: ALLOW_ACTION,
5 access: ["read", "write", "create"]
6}
Per KaiOS Documentation:
This permission doesn’t actually grant access to anything. It exists only to check the correctness of web prompt composed permissions in tests.
China Type Approval (CTA)
1"permissions": {
2 "mobiledata": { },
3 "wifidata": { }
4}
Due to regional regulations, apps that need network access (i.e. KaiAds or Analytics) and intend to be published on the KaiStore in China, the mobiledata and wifidata permissions are required. Additionally, for privileged & certified apps the calllog permission is also required for KaiOS 2.5.2.1 and 2.5.4.1.
Certified
The remaining permissions are only available to Certified apps.
1"mmi-test": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5},
6"network-events": {
7 app: DENY_ACTION,
8 privileged: DENY_ACTION,
9 certified: ALLOW_ACTION
10},
11sms: {
12 app: DENY_ACTION,
13 privileged: DENY_ACTION,
14 certified: ALLOW_ACTION
15},
16telephony: {
17 app: DENY_ACTION,
18 privileged: DENY_ACTION,
19 certified: ALLOW_ACTION
20},
21mobileconnection: {
22 app: DENY_ACTION,
23 privileged: DENY_ACTION,
24 certified: ALLOW_ACTION
25},
26power: {
27 app: DENY_ACTION,
28 privileged: DENY_ACTION,
29 certified: ALLOW_ACTION
30},
31softkey: {
32 app: DENY_ACTION,
33 trusted: DENY_ACTION,
34 privileged: DENY_ACTION,
35 certified: ALLOW_ACTION
36},
37permissions: {
38 app: DENY_ACTION,
39 privileged: DENY_ACTION,
40 certified: ALLOW_ACTION
41},
42phonenumberservice: {
43 app: DENY_ACTION,
44 privileged: DENY_ACTION,
45 certified: ALLOW_ACTION
46},
47"backgroundservice": {
48 app: DENY_ACTION,
49 privileged: DENY_ACTION,
50 certified: ALLOW_ACTION
51},
52"networkstats-manage": {
53 app: DENY_ACTION,
54 privileged: DENY_ACTION,
55 certified: ALLOW_ACTION
56},
57"resourcestats-manage": {
58 app: DENY_ACTION,
59 privileged: DENY_ACTION,
60 certified: ALLOW_ACTION
61},
62"wifi-manage": {
63 app: DENY_ACTION,
64 privileged: DENY_ACTION,
65 certified: ALLOW_ACTION
66},
67"voicemail": {
68 app: DENY_ACTION,
69 privileged: DENY_ACTION,
70 certified: ALLOW_ACTION
71},
72"idle": {
73 app: DENY_ACTION,
74 privileged: DENY_ACTION,
75 certified: ALLOW_ACTION
76},
77"time": {
78 app: DENY_ACTION,
79 privileged: DENY_ACTION,
80 certified: ALLOW_ACTION
81},
82"background-sensors": {
83 app: DENY_ACTION,
84 privileged: DENY_ACTION,
85 certified: ALLOW_ACTION
86},
87cellbroadcast: {
88 app: DENY_ACTION,
89 privileged: DENY_ACTION,
90 certified: ALLOW_ACTION
91},
92"open-remote-window": {
93 app: DENY_ACTION,
94 privileged: DENY_ACTION,
95 certified: ALLOW_ACTION
96},
97"input-manage": {
98 app: DENY_ACTION,
99 privileged: DENY_ACTION,
100 certified: ALLOW_ACTION
101},
102"wappush": {
103 app: DENY_ACTION,
104 privileged: DENY_ACTION,
105 certified: ALLOW_ACTION
106},
107"downloads": {
108 app: DENY_ACTION,
109 privileged: DENY_ACTION,
110 certified: ALLOW_ACTION
111},
112"themeable": {
113 app: DENY_ACTION,
114 privileged: DENY_ACTION,
115 certified: ALLOW_ACTION
116},
117"engineering-mode": {
118 app: DENY_ACTION,
119 privileged: DENY_ACTION,
120 certified: ALLOW_ACTION
121},
122"tv": {
123 app: DENY_ACTION,
124 privileged: DENY_ACTION,
125 certified: ALLOW_ACTION
126},
127"before-after-keyboard-event": {
128 app: DENY_ACTION,
129 privileged: DENY_ACTION,
130 certified: ALLOW_ACTION
131},
132"presentation-device-manage": {
133 app: DENY_ACTION,
134 privileged: DENY_ACTION,
135 certified: ALLOW_ACTION
136},
137"requestsync-manager": {
138 app: DENY_ACTION,
139 privileged: DENY_ACTION,
140 certified: ALLOW_ACTION
141},
142"inputport": {
143 app: DENY_ACTION,
144 privileged: DENY_ACTION,
145 certified: ALLOW_ACTION
146},
147"system-update": {
148 app: DENY_ACTION,
149 privileged: DENY_ACTION,
150 certified: ALLOW_ACTION
151},
152"open-hidden-window": {
153 app: DENY_ACTION,
154 privileged: DENY_ACTION,
155 certified: ALLOW_ACTION
156},
157"system-app-only-audio-channels-in-app": {
158 app: DENY_ACTION,
159 privileged: DENY_ACTION,
160 certified: ALLOW_ACTION
161},
162"killswitch": {
163 app: DENY_ACTION,
164 trusted: DENY_ACTION,
165 privileged: DENY_ACTION,
166 certified: ALLOW_ACTION
167},
168flip: {
169 app: DENY_ACTION,
170 trusted: DENY_ACTION,
171 privileged: DENY_ACTION,
172 certified: ALLOW_ACTION
173},
174flashlight: {
175 app: DENY_ACTION,
176 trusted: DENY_ACTION,
177 privileged: DENY_ACTION,
178 certified: ALLOW_ACTION
179},
180"datacall": {
181 app: DENY_ACTION,
182 trusted: DENY_ACTION,
183 privileged: DENY_ACTION,
184 certified: ALLOW_ACTION
185},
186"keyboard-event-generator": {
187 app: DENY_ACTION,
188 trusted: DENY_ACTION,
189 privileged: DENY_ACTION,
190 certified: ALLOW_ACTION
191},
192"customization": {
193 app: DENY_ACTION,
194 privileged: DENY_ACTION,
195 certified: ALLOW_ACTION
196},
197"deviceconfig": {
198 app: DENY_ACTION,
199 privileged: DENY_ACTION,
200 certified: ALLOW_ACTION
201},
202"engmode-extension": {
203 app: DENY_ACTION,
204 privileged: DENY_ACTION,
205 certified: ALLOW_ACTION
206},
207"cloud-authorization": {
208 app: DENY_ACTION,
209 privileged: DENY_ACTION,
210 certified: ALLOW_ACTION
211},
212"fota": {
213 app: DENY_ACTION,
214 privileged: DENY_ACTION,
215 certified: ALLOW_ACTION
216},
217"libsignal": {
218 app: DENY_ACTION,
219 privileged: DENY_ACTION,
220 certified: ALLOW_ACTION
221},
222"wamedia": {
223 app: DENY_ACTION,
224 privileged: DENY_ACTION,
225 certified: ALLOW_ACTION
226}
Most of these permissions are not meant for third-party application use. However, a few can be useful in specific scenarios. For instance:
smsto send & read SMS messages. Useful for improving user experience (UX) when sending One Time Passwords (OTPs) via SMS without the user needing to leave and re-enter your appflashlightfor toggling on & off the flashlight (aka torch)requestsync-managerfor triggering a background script to run on regular internals (i.e. daily) and under specification conditions (i.e. only when WiFi is available)downloadsfor storing and accessing system-wide downloads
KaiOS 2.5.3+ permissions
Some of the permissions below were found on new KaiOS 2.5 devices like the JioPhone Prima 4G (F491H) running KaiOS 2.5.3.2.
Sound Trigger
1"sound-trigger": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.soundTriggerManager API based on [Android’s Sound Trigger])https://source.android.com/docs/core/audio/sound-trigger. Used for AOV (Always-On local Voice) that supports wake words like “Hello Jio.” Located in libsoundtrigger.so and libsoundtriggerservice.so.
1interface SoundTriggerManager {
2 getSupportList: Model[];
3 set(model: Model): void;
4 start(wakeWords: string[]): void;
5 stop(): void;
6 onrecognitionresult: EventHandler;
7 onstatechange: EventHandler;
8}
Teereader
1"teereader-manage": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5}
eMBMs - Multimedia Broadcast Multicast Service (MBMS)
1"embms": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.lteBroadcastManager API.
1interface LteBroadcastManager {
2 coverage;
3 setServiceClassFilter;
4 getService: LteBroadcastService;
5 getSAI; // Service Area Identifier
6}
Dongle Manager
1"donglemanager": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.dongleManager API for the JioPhone Media Cable.
1interface DongleManager {
2 dongleStatus: string;
3 ondonglestatuschange: EventHandler;
4 usbIpAddress: string;
5}
Device Financing (DFC)
1"dfc": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.dfc API for keeping track of device financing.
Device Security Info
1"device-sec-info": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.getDeviceSecInfoManager API for checking if the device is rooted. On the JioPhone, this is used to disable JioPay on rooted devices.
1interface DeviceSecInfoManager {
2 isRooted: boolean;
3 onrootedchange: EventHandler;
4}
Cross Domain Content and Unsafe Content Script
unsafe-content-script are cross-domain-content special permission not defined in PermissionsTable.jsm. cross-domain-content accepts an array of URLs to authorize access to for each content script.
1"cross-domain-content": [ "https://api.kai.jiophone.net/" ],
New to KaiOS 3.0
The following permissions are new to KaiOS 3.0 and were derived from builds extracted from the
Nokia 2780 Flip. Note that in KaiOS 3.0, web apps are now pwa, Privileged apps are now signed and Certified apps are now core.
Account Observer
1"account-manager": {
2 pwa: DENY_ACTION,
3 signed: DENY_ACTION,
4 core: ALLOW_ACTION,
5},
6"account-observer-activesync": {
7 pwa: DENY_ACTION,
8 signed: ALLOW_ACTION,
9},
10"account-observer-google": {
11 pwa: DENY_ACTION,
12 signed: ALLOW_ACTION,
13},
14"account-observer-kaiaccount": {
15 pwa: DENY_ACTION,
16 signed: ALLOW_ACTION,
17}
Allows an application to observe changes to Google, ActiveSync, and KaiAccounts using new WebActivity('account-manager', data) where data is an object specifying a specific action like getAccounts.
Power Supply
1"powersupply": {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
Provides access to the Power Supply API via navigator.b2g.powerSupplyManager with the following properties:
powerSupplyOnline, abooleanpowerSupplyType, astringlike'USB'specifying the power supply type
As well as the following events:
chargingchangelevelchangestatuschangepowersupplystatuschanged
USB Manager
1usb: {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
Provides access to the USB Manager API via navigator.b2g.usbManager with the following properties:
deviceAttached, abooleanproperty indicating if the device is attached is attached via USBonusbstatuschange, a callback triggered when the USB status has changed
Virtual Cursor
1virtualcursor: {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
This permission was renamed from spatialnavigation-app-manage on KaiOS 2.5, but serves the same purpose. Provides access to the Virtual Cursor API via navigator.b2g.virtualCursor, with the following properties:
enabled, abooleanproperty indicating if the virtual cursor is enabledenableanddisable, functions to enable and disable the virtual cursor, respectively
Web View
1 "web-view": {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
Allows apps to use the special <web-view> element, rendering a website within an app similar to an iframe. The <web-view> element includes special properties:
src, the URL of the page to load.remote, abooleanto decide if that browser should load content in a content process.ignorefocus, abooleanthat when set let the browser get pointer events without focusing it. This is useful for virtual keyboard frames.transparent, abooleanthat, if true, the background of the browser will be transparent instead of white.
Worker Activity
1"worker-activity": {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
The worker-activity permission allows triggering a Web Activity from a background Worker or ServiceWorker. For instance, this could allow the user to click on a Notification and trigger a Web Activity.
Certified
KaiOS 3.0 also introduces a number of permissions only for Certified apps, including the following.
1"background-window": {
2 pwa: DENY_ACTION,
3 signed: DENY_ACTION,
4 core: ALLOW_ACTION,
5},
6battery: {
7 pwa: DENY_ACTION,
8 signed: DENY_ACTION,
9 core: ALLOW_ACTION,
10},
11"bluetooth-privileged": {
12 pwa: DENY_ACTION,
13 signed: DENY_ACTION,
14 core: ALLOW_ACTION,
15},
16engmode: {
17 pwa: DENY_ACTION,
18 signed: DENY_ACTION,
19 core: ALLOW_ACTION,
20},
21"ime-connect": {
22 pwa: DENY_ACTION,
23 signed: DENY_ACTION,
24 core: ALLOW_ACTION,
25},
26omacpmsg: {
27 pwa: DENY_ACTION,
28 signed: DENY_ACTION,
29 core: ALLOW_ACTION,
30},
31OmaService: {
32 pwa: DENY_ACTION,
33 signed: DENY_ACTION,
34 core: ALLOW_ACTION,
35},
36"process-manager": {
37 pwa: DENY_ACTION,
38 signed: DENY_ACTION,
39 core: ALLOW_ACTION,
40},
41rsu: {
42 pwa: DENY_ACTION,
43 signed: DENY_ACTION,
44 core: ALLOW_ACTION,
45},
46"system-time": {
47 pwa: DENY_ACTION,
48 signed: DENY_ACTION,
49 core: ALLOW_ACTION,
50 access: ["read", "write"],
51},
52tethering: {
53 pwa: DENY_ACTION,
54 signed: DENY_ACTION,
55 core: ALLOW_ACTION,
56}
Removed in KaiOS 3.0
The following permissions were moved or removed in KaiOS 3.0:
geolocation-noprompt(usegeolocation)mmi-testudp-socket(API removed)network-eventsspeech-recognitionbrowserbrowser:universalxssbrowser:embedded-system-apppush(no longer needed)serviceworker(no longer needed)settings-clearsoftkey(removednavigator.softkeyManager)phonenumberservice(removednavigator.mozPhoneNumberService)global-clickthrough-overlaymoz-attentionhomescreen-webapps-managebackgroundserviceresourcestats-manageidletime(replaced bysystem-time)embed-appsembed-widgetsmoz-audio-channel-telephony(useaudio-channel-telephony)moz-audio-channel-ringer(useaudio-channel-ringer)open-remote-windowinput-manageaudio-capture:3gpp(useaudio-capture)audio-capture:3gpp2(useaudio-capture)nfcnfc-sharenfc-managernfc-hci-eventsmobileidtest-permissionkaios-accounts(replaced byaccount-observer-kaiaccount)kaios-accounts:service(replaced byaccount-observer-kaiaccount)themeablesettings:wallpaper.imageengineering-mode(replaced byengmode)tvbefore-after-keyboard-eventpresentation-device-managerequestsync-manager(API removed)secureelement-manageinputportsystem-updatepresentationopen-hidden-windowmoz-extremely-unstable-and-will-change-webcomponents(no longer needed)system-app-only-audio-channels-in-appkeyboard-event-generatorcustomizationdeviceconfig(replaced bydevice-configuration)external-apiengmode-extensionspatialnavigation-app-manage(replaced byvirtualcursor)sandboxed-cookies(now the default behavior on KaiOS 3.0)libsignal(now requiressystemXHR)wamedia
Conclusion
With over 100 permissions, and major differences between KaiOS 2.5 and 3.0, it can be difficult knowing which APIs and permissions can be used for an optimal user experience. If you need an experienced partner to guide your KaiOS development, contact the author from the About page.