Complete Guide to App Permissions on KaiOS
There are more than 100 permissions available on KaiOS! Below is the complete list of permissions on KaiOS 2.5 and KaiOS 3.0 defined in PermissionsTable.jsm to help with developing your next application.
Hosted & Privileged Apps
Geolocation
1geolocation: {
2 app: PROMPT_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: PROMPT_ACTION
5},
6"geolocation-noprompt": {
7 app: DENY_ACTION,
8 privileged: DENY_ACTION,
9 certified: ALLOW_ACTION,
10 substitute: ["geolocation"]
11}
Similar to web apps, KaiOS apps can request access to the user’s Global Positioning System (GPS) coordinates using the
Geolocation API. However, this API is not available unless your app requests the geolocation
permission. Calling navigator.geolocation.getCurrentPosition
at runtime will trigger a permission request dialog that the user can then accept or reject. For Certified apps there is also a substitute permission, geolocation-noprompt
, which as the name implies does not trigger a permission request dialog.
Camera & Video
1camera: {
2 app: DENY_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: ALLOW_ACTION
5},
6"video-capture": {
7 app: PROMPT_ACTION,
8 privileged: PROMPT_ACTION,
9 certified: ALLOW_ACTION
10},
Access to the device’s cameras requires the camera
permission, which will prompt the user except in Certified apps. Similarly for video recording, the video-capture
is required.
Alarms
1alarms: {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Access to the
Alarms API requires the alarms
permission.
Sockets
1"tcp-socket": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"udp-socket": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10}
Access to the TCP or UDP Socket API requires the tcp-socket
or udp-socket
permission, respectively.
For more on the
Socket API, see the blog post.
Contacts
1contacts: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION,
5 access: ["read", "write", "create"]
6}
Access to the contact’s list requires the contacts
permission.
DeviceStorage
1"device-storage:apps": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION,
5 access: ["read"]
6},
7"device-storage:apps-storage": {
8 app: DENY_ACTION,
9 privileged: DENY_ACTION,
10 certified: ALLOW_ACTION,
11 access: ["read"]
12},
13"device-storage:crashes": {
14 app: DENY_ACTION,
15 privileged: DENY_ACTION,
16 certified: ALLOW_ACTION,
17 access: ["read"]
18},
19"device-storage:pictures": {
20 app: DENY_ACTION,
21 privileged: PROMPT_ACTION,
22 certified: ALLOW_ACTION,
23 access: ["read", "write", "create"]
24},
25"device-storage:videos": {
26 app: DENY_ACTION,
27 privileged: PROMPT_ACTION,
28 certified: ALLOW_ACTION,
29 access: ["read", "write", "create"]
30},
31"device-storage:music": {
32 app: DENY_ACTION,
33 privileged: PROMPT_ACTION,
34 certified: ALLOW_ACTION,
35 access: ["read", "write", "create"]
36},
37"device-storage:sdcard": {
38 app: DENY_ACTION,
39 privileged: PROMPT_ACTION,
40 certified: ALLOW_ACTION,
41 access: ["read", "write", "create"]
42}
Access to the
DeviceStorage API requires a device-storage:*
permission corresponding to the requested storage type like sdcard
, music
, pictures
, and videos
. Special storage types including apps
, apps-storage
, and crashes
are limited to Certified apps only.
Speech Recognition
1"speech-recognition": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Access to the
Web Speech API requires the speech-recognition
permission.
Browser
1browser: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"browser:universalxss": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"browser:embedded-system-app": {
12 app: DENY_ACTION,
13 privileged: DENY_ACTION,
14 certified: ALLOW_ACTION
15}
Using the browser
permission, it’s possible to embed an external website within your app.
Bluetooth
1bluetooth: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The bluetooth
permission provides access to the
Bluetooth API, as well as the System Messages below. It’s used to discover and connect to nearby devices over Bluetooth.
bluetooth-pbap-request
bluetooth-map-request
bluetooth-cancel
bluetooth-hid-status-changed
bluetooth-pairing-request
bluetooth-opp-transfer-complete
bluetooth-opp-update-progress
bluetooth-opp-receiving-file-confirmation
bluetooth-opp-transfer-start
Mobile Network
1mobilenetwork: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Access to specific properties (lastKnownNetwork
and lastKnownHomeNetwork
) within the Mobile Network API requires the mobilenetwork
permission, accessible via navigator.mozMobileConnections
.
Push Notifications & ServiceWorker
1push: {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6serviceworker: {
7 app: ALLOW_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"desktop-notification": {
12 app: PROMPT_ACTION,
13 privileged: PROMPT_ACTION,
14 certified: PROMPT_ACTION,
15 defaultPromptAction: ALLOW_ACTION
16},
Unlike on modern web browsers, on KaiOS the
ServiceWorker API isn’t available without requesting the serviceworker
permission. Similarly, the
Push API isn’t available without the push
permission. Finally, actually displaying notifications using the Notification
constructor or a ServiceWorker requires the desktop-notification
permission.
FM Radio
1fmradio: {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Access to the
FM Radio API using navigator.mozFMRadio
(navigator.b2g.fmRadio
on KaiOS 3.0) requires the fmradio
permission.
Window Types
1attention: {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5},
6"global-clickthrough-overlay": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"moz-attention": {
12 app: DENY_ACTION,
13 privileged: ALLOW_ACTION,
14 certified: ALLOW_ACTION,
15 substitute: ["attention"]
16},
When calling window.open
, it’s possible to specify optional features. KaiOS supports a few special features including:
dialog
creates launches a Web Activity using theview
name, or launches a popup windowattention
creates an attention windowglobal-clickthrough-overlay
creates a global clickthrough overlaymozhaidasheet
creates an in-app sheet with a special animation
App Management
1"webapps-manage": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5},
6"homescreen-webapps-manage": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10}
In order to get the list of installed apps along with their names & icons, the homescreen-webapps-manage
permission is required. This provides limited access to navigator.mozApps.mgmt
to retrieve the app list and uninstall apps. For full access, including the ability to install apps, the webapps-manage
is needed.
Note: the homescreen-webapps-manage
permission is only available to a Privileged application that is set as the current homescreen.
SystemXHR
1"systemXHR": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The systemXHR
permission allows apps to make cross-origin resource (CORS) requests using the mozSystem
flag without the same-origin policy. Check out
XMLHttpRequest without CORS for more details and examples.
1let xhr = new XMLHttpRequests({ mozSystem: true });
Embedding
1"embed-widgets": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"embed-apps": {
7 app: DENY_ACTION,
8 privileged: DENY_ACTION,
9 certified: ALLOW_ACTION
10}
Note: the following permissions do not work because the Embed API was never finished.
Storage
1"storage": {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION,
5 substitute: [
6 "indexedDB-unlimited"
7 ]
8}
Apps can request unlimited IndexedDB storage using the storage
permission.
Note: this is dangerous and requires properly managing storage utilization to avoid crashing the device!
Audio Channels
1"audio-channel-normal": {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"audio-channel-content": {
7 app: ALLOW_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"audio-channel-notification": {
12 app: DENY_ACTION,
13 privileged: ALLOW_ACTION,
14 certified: ALLOW_ACTION
15},
16"audio-channel-alarm": {
17 app: DENY_ACTION,
18 privileged: ALLOW_ACTION,
19 certified: ALLOW_ACTION
20},
21"audio-channel-system": {
22 app: DENY_ACTION,
23 privileged: ALLOW_ACTION,
24 certified: ALLOW_ACTION
25},
26"audio-channel-telephony": {
27 app: DENY_ACTION,
28 privileged: DENY_ACTION,
29 certified: ALLOW_ACTION
30},
31"moz-audio-channel-telephony": {
32 app: DENY_ACTION,
33 privileged: ALLOW_ACTION,
34 certified: ALLOW_ACTION,
35 substitute: ["audio-channel-telephony"]
36},
37"audio-channel-ringer": {
38 app: DENY_ACTION,
39 privileged: DENY_ACTION,
40 certified: ALLOW_ACTION
41},
42"moz-audio-channel-ringer": {
43 app: DENY_ACTION,
44 privileged: ALLOW_ACTION,
45 certified: ALLOW_ACTION,
46 substitute: ["audio-channel-ringer"]
47},
48"audio-channel-publicnotification": {
49 app: DENY_ACTION,
50 privileged: DENY_ACTION,
51 certified: ALLOW_ACTION
52}
KaiOS allows apps to specify what audio channel to play sounds on using the
AudioChannels API. Each channel requires a corresponding audio-channel-
permission. See the blog post on
Audio and Volume Management for more details.
Note: for simplicity and forward compatibility with KaiOS 3.0, it’s best to avoid the moz-
prefixed substitute permissions.
VolumeManager
1"volumemanager": {
2 app: DENY_ACTION,
3 trusted: DENY_ACTION,
4 privileged: ALLOW_ACTION,
5 certified: ALLOW_ACTION
6}
Controlling system volume using navigator.volumeManager
requires the volumemanager
permission.
Input
1"input": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The input
permission gives access to the InputMethod API via navigator.mozInputMethod
. The InputMethod API creates a bridge between the web content hosting an input element and the input content (i.e. input app, virtual keyboard app, or IME).
Microphone
1"audio-capture": {
2 app: PROMPT_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: ALLOW_ACTION
5},
6"audio-capture:3gpp": {
7 app: DENY_ACTION,
8 privileged: ALLOW_ACTION,
9 certified: ALLOW_ACTION
10},
11"audio-capture:3gpp2": {
12 app: DENY_ACTION,
13 privileged: ALLOW_ACTION,
14 certified: ALLOW_ACTION
15}
Access to the microphone for audio recording requires the audio-capture
permission.
Near Field Communication (NFC)
1"nfc": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5},
6"nfc-share": {
7 app: DENY_ACTION,
8 privileged: DENY_ACTION,
9 certified: ALLOW_ACTION
10},
11"nfc-manager": {
12 app: DENY_ACTION,
13 privileged: DENY_ACTION,
14 certified: ALLOW_ACTION
15},
16"nfc-hci-events": {
17 app: DENY_ACTION,
18 privileged: ALLOW_ACTION,
19 certified: ALLOW_ACTION
20}
For devices with supporting hardware, Near Field Communication (NFC) can be accessed using the nfc
permission.
Note: as of the time of writing (March 2023), no KaiOS device has included NFC except for certain models of the JioPhone for use with JioPay only.
Speaker Control
1"speaker-control": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The
Speaker Control API requires the corresponding speaker-control
permission to force audio output over the device’s speakers, even while headphones are connected.
Feature Detection
1"feature-detection": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
To use the Feature Detection API via navigator.getFeature
and navigator.hasFeature
, the feature-detection
is needed. Useful features to detect include:
device.qwerty
if the device has a QWERTY keyboard like the JioPhone 2hardware.memory
to distinguish 256mb and 512mb devicesdevice.storage.size
to get the total storage capacity of the devicedom.apps.developer_mode
to check if the user has enabled Developer Modedevice.key.volume
,device.key.endcall
, anddevice.key.camera
to check if hardware Volume, EndCall, and Camera shutter keys are present, respectivelydevice.parental-control
to check if parental controls are enableddevice.flip
to check if the device has a flip screendevice.bt
,device.wifi
, anddevice.gps
to check if the device supports Bluetooth, WiFi, and GPS, respectivelyro.product.brand
andro.product.name
to get product details
Mobile ID
1"mobileid": {
2 app: DENY_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: PROMPT_ACTION
5}
Privileged apps can request access to Mobile Identifiers like IMEI numbers using navigator.getMobileIdAssertion
requires the mobileid
permission, which always prompts the user to accept or reject.
Settings
1"settings:wallpaper.image": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION,
5 access: ["read", "write"],
6 additional: ["settings-api"]
7},
8"settings": {
9 app: DENY_ACTION,
10 privileged: DENY_ACTION,
11 certified: ALLOW_ACTION,
12 access: ["read", "write"],
13 additional: ["indexedDB-chrome-settings", "settings-api"]
14},
15"settings-clear": {
16 app: DENY_ACTION,
17 privileged: DENY_ACTION,
18 certified: DENY_ACTION,
19 additional: ["indexedDB-chrome-settings", "settings-api"]
20},
Only the special settings:wallpaper.image
is available to Privileged apps. This permission was removed in KaiOS 3.0 and allows apps to set the wallpaper.image
setting, changing the system-wide wallpaper image without prompting the user.
External API
1"external-api": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Despite the generic sounding name, the External API via navigator.externalapi
is a very limited API that only provides access to a token used by the
API Daemon. It’s primarily used for KaiOS 3.0 apps that need access to these APIs.
Spatial Navigation
1"spatialnavigation-app-manage": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The spatialnavigation-app-manage
permission provides access to the boolean property, navigator.spatialNavigationEnabled
, which can be read or written. This toggles on or off the virtual cursor within your app.
Sandboxed Cookies
1"sandboxed-cookies": {
2 app: ALLOW_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
If an app specifically sets the sandboxed-cookies
permission in its manifest, this will force reading/writing cookies of this app individually, a.k.a. no SSO service.
Web Components
1"moz-extremely-unstable-and-will-change-webcomponents": {
2 app: DENY_ACTION,
3 trusted: DENY_ACTION,
4 privileged: ALLOW_ACTION,
5 certified: ALLOW_ACTION
6}
Web Components are disabled by default and only available via the moz-extremely-unstable-and-will-change-webcomponents
permission. This permission gives access to an unstable version of the Web Components APIs, allowing access to the Shadow DOM and the registration of custom elements, i.e. <x-button>
.
KaiOS Accounts
1"kaios-accounts": {
2 app: DENY_ACTION,
3 trusted: DENY_ACTION,
4 privileged: DENY_ACTION,
5 certified: ALLOW_ACTION
6},
7"kaios-accounts:service": {
8 app: DENY_ACTION,
9 trusted: DENY_ACTION,
10 privileged: PROMPT_ACTION,
11 certified: ALLOW_ACTION,
12 substitute: ["kaios-accounts"]
13}
Used for identity management via KaiOS Accounts.
SecureElement
1"secureelement-manage": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The Secure Element API enables access to the Secure Element (SE), a chip that is protected by design from unauthorized access. On KaiOS this is accessible via navigator.seManager
with the secureelement-manage
permission.
Presentation
1"presentation": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
The presentation
permission provides access to the
Presentation API via navigator.presentation
.
Note: the dom.presentation.enabled
preference is disabled by default, and the Presentation API is not usable on KaiOS.
Test Permission
1"test-permission": {
2 app: PROMPT_ACTION,
3 privileged: PROMPT_ACTION,
4 certified: ALLOW_ACTION,
5 access: ["read", "write", "create"]
6}
Per KaiOS Documentation:
This permission doesn’t actually grant access to anything. It exists only to check the correctness of web prompt composed permissions in tests.
China Type Approval (CTA)
1"permissions": {
2 "mobiledata": { },
3 "wifidata": { }
4}
Due to regional regulations, apps that need network access (i.e. KaiAds or Analytics) and intend to be published on the KaiStore in China, the mobiledata
and wifidata
permissions are required. Additionally, for privileged & certified apps the calllog
permission is also required for KaiOS 2.5.2.1 and 2.5.4.1.
Certified
The remaining permissions are only available to Certified apps.
1"mmi-test": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5},
6"network-events": {
7 app: DENY_ACTION,
8 privileged: DENY_ACTION,
9 certified: ALLOW_ACTION
10},
11sms: {
12 app: DENY_ACTION,
13 privileged: DENY_ACTION,
14 certified: ALLOW_ACTION
15},
16telephony: {
17 app: DENY_ACTION,
18 privileged: DENY_ACTION,
19 certified: ALLOW_ACTION
20},
21mobileconnection: {
22 app: DENY_ACTION,
23 privileged: DENY_ACTION,
24 certified: ALLOW_ACTION
25},
26power: {
27 app: DENY_ACTION,
28 privileged: DENY_ACTION,
29 certified: ALLOW_ACTION
30},
31softkey: {
32 app: DENY_ACTION,
33 trusted: DENY_ACTION,
34 privileged: DENY_ACTION,
35 certified: ALLOW_ACTION
36},
37permissions: {
38 app: DENY_ACTION,
39 privileged: DENY_ACTION,
40 certified: ALLOW_ACTION
41},
42phonenumberservice: {
43 app: DENY_ACTION,
44 privileged: DENY_ACTION,
45 certified: ALLOW_ACTION
46},
47"backgroundservice": {
48 app: DENY_ACTION,
49 privileged: DENY_ACTION,
50 certified: ALLOW_ACTION
51},
52"networkstats-manage": {
53 app: DENY_ACTION,
54 privileged: DENY_ACTION,
55 certified: ALLOW_ACTION
56},
57"resourcestats-manage": {
58 app: DENY_ACTION,
59 privileged: DENY_ACTION,
60 certified: ALLOW_ACTION
61},
62"wifi-manage": {
63 app: DENY_ACTION,
64 privileged: DENY_ACTION,
65 certified: ALLOW_ACTION
66},
67"voicemail": {
68 app: DENY_ACTION,
69 privileged: DENY_ACTION,
70 certified: ALLOW_ACTION
71},
72"idle": {
73 app: DENY_ACTION,
74 privileged: DENY_ACTION,
75 certified: ALLOW_ACTION
76},
77"time": {
78 app: DENY_ACTION,
79 privileged: DENY_ACTION,
80 certified: ALLOW_ACTION
81},
82"background-sensors": {
83 app: DENY_ACTION,
84 privileged: DENY_ACTION,
85 certified: ALLOW_ACTION
86},
87cellbroadcast: {
88 app: DENY_ACTION,
89 privileged: DENY_ACTION,
90 certified: ALLOW_ACTION
91},
92"open-remote-window": {
93 app: DENY_ACTION,
94 privileged: DENY_ACTION,
95 certified: ALLOW_ACTION
96},
97"input-manage": {
98 app: DENY_ACTION,
99 privileged: DENY_ACTION,
100 certified: ALLOW_ACTION
101},
102"wappush": {
103 app: DENY_ACTION,
104 privileged: DENY_ACTION,
105 certified: ALLOW_ACTION
106},
107"downloads": {
108 app: DENY_ACTION,
109 privileged: DENY_ACTION,
110 certified: ALLOW_ACTION
111},
112"themeable": {
113 app: DENY_ACTION,
114 privileged: DENY_ACTION,
115 certified: ALLOW_ACTION
116},
117"engineering-mode": {
118 app: DENY_ACTION,
119 privileged: DENY_ACTION,
120 certified: ALLOW_ACTION
121},
122"tv": {
123 app: DENY_ACTION,
124 privileged: DENY_ACTION,
125 certified: ALLOW_ACTION
126},
127"before-after-keyboard-event": {
128 app: DENY_ACTION,
129 privileged: DENY_ACTION,
130 certified: ALLOW_ACTION
131},
132"presentation-device-manage": {
133 app: DENY_ACTION,
134 privileged: DENY_ACTION,
135 certified: ALLOW_ACTION
136},
137"requestsync-manager": {
138 app: DENY_ACTION,
139 privileged: DENY_ACTION,
140 certified: ALLOW_ACTION
141},
142"inputport": {
143 app: DENY_ACTION,
144 privileged: DENY_ACTION,
145 certified: ALLOW_ACTION
146},
147"system-update": {
148 app: DENY_ACTION,
149 privileged: DENY_ACTION,
150 certified: ALLOW_ACTION
151},
152"open-hidden-window": {
153 app: DENY_ACTION,
154 privileged: DENY_ACTION,
155 certified: ALLOW_ACTION
156},
157"system-app-only-audio-channels-in-app": {
158 app: DENY_ACTION,
159 privileged: DENY_ACTION,
160 certified: ALLOW_ACTION
161},
162"killswitch": {
163 app: DENY_ACTION,
164 trusted: DENY_ACTION,
165 privileged: DENY_ACTION,
166 certified: ALLOW_ACTION
167},
168flip: {
169 app: DENY_ACTION,
170 trusted: DENY_ACTION,
171 privileged: DENY_ACTION,
172 certified: ALLOW_ACTION
173},
174flashlight: {
175 app: DENY_ACTION,
176 trusted: DENY_ACTION,
177 privileged: DENY_ACTION,
178 certified: ALLOW_ACTION
179},
180"datacall": {
181 app: DENY_ACTION,
182 trusted: DENY_ACTION,
183 privileged: DENY_ACTION,
184 certified: ALLOW_ACTION
185},
186"keyboard-event-generator": {
187 app: DENY_ACTION,
188 trusted: DENY_ACTION,
189 privileged: DENY_ACTION,
190 certified: ALLOW_ACTION
191},
192"customization": {
193 app: DENY_ACTION,
194 privileged: DENY_ACTION,
195 certified: ALLOW_ACTION
196},
197"deviceconfig": {
198 app: DENY_ACTION,
199 privileged: DENY_ACTION,
200 certified: ALLOW_ACTION
201},
202"engmode-extension": {
203 app: DENY_ACTION,
204 privileged: DENY_ACTION,
205 certified: ALLOW_ACTION
206},
207"cloud-authorization": {
208 app: DENY_ACTION,
209 privileged: DENY_ACTION,
210 certified: ALLOW_ACTION
211},
212"fota": {
213 app: DENY_ACTION,
214 privileged: DENY_ACTION,
215 certified: ALLOW_ACTION
216},
217"libsignal": {
218 app: DENY_ACTION,
219 privileged: DENY_ACTION,
220 certified: ALLOW_ACTION
221},
222"wamedia": {
223 app: DENY_ACTION,
224 privileged: DENY_ACTION,
225 certified: ALLOW_ACTION
226}
Most of these permissions are not meant for third-party application use. However, a few can be useful in specific scenarios. For instance:
sms
to send & read SMS messages. Useful for improving user experience (UX) when sending One Time Passwords (OTPs) via SMS without the user needing to leave and re-enter your appflashlight
for toggling on & off the flashlight (aka torch)requestsync-manager
for triggering a background script to run on regular internals (i.e. daily) and under specification conditions (i.e. only when WiFi is available)downloads
for storing and accessing system-wide downloads
KaiOS 2.5.3+ permissions
Some of the permissions below were found on new KaiOS 2.5 devices like the JioPhone Prima 4G (F491H) running KaiOS 2.5.3.2.
Sound Trigger
1"sound-trigger": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.soundTriggerManager
API based on [Android’s Sound Trigger])https://source.android.com/docs/core/audio/sound-trigger. Used for AOV (Always-On local Voice) that supports wake words like “Hello Jio.” Located in libsoundtrigger.so
and libsoundtriggerservice.so
.
1interface SoundTriggerManager {
2 getSupportList: Model[];
3 set(model: Model): void;
4 start(wakeWords: string[]): void;
5 stop(): void;
6 onrecognitionresult: EventHandler;
7 onstatechange: EventHandler;
8}
Teereader
1"teereader-manage": {
2 app: DENY_ACTION,
3 privileged: DENY_ACTION,
4 certified: ALLOW_ACTION
5}
eMBMs - Multimedia Broadcast Multicast Service (MBMS)
1"embms": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.lteBroadcastManager
API.
1interface LteBroadcastManager {
2 coverage;
3 setServiceClassFilter;
4 getService: LteBroadcastService;
5 getSAI; // Service Area Identifier
6}
Dongle Manager
1"donglemanager": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.dongleManager
API for the JioPhone Media Cable.
1interface DongleManager {
2 dongleStatus: string;
3 ondonglestatuschange: EventHandler;
4 usbIpAddress: string;
5}
Device Financing (DFC)
1"dfc": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.dfc
API for keeping track of device financing.
Device Security Info
1"device-sec-info": {
2 app: DENY_ACTION,
3 privileged: ALLOW_ACTION,
4 certified: ALLOW_ACTION
5}
Exposes the navigator.getDeviceSecInfoManager
API for checking if the device is rooted. On the JioPhone, this is used to disable JioPay on rooted devices.
1interface DeviceSecInfoManager {
2 isRooted: boolean;
3 onrootedchange: EventHandler;
4}
Cross Domain Content and Unsafe Content Script
unsafe-content-script
are cross-domain-content
special permission not defined in PermissionsTable.jsm. cross-domain-content
accepts an array of URLs to authorize access to for each content script.
1"cross-domain-content": [ "https://api.kai.jiophone.net/" ],
New to KaiOS 3.0
The following permissions are new to KaiOS 3.0 and were derived from builds extracted from the
Nokia 2780 Flip. Note that in KaiOS 3.0, web
apps are now pwa
, Privileged apps are now signed
and Certified apps are now core
.
Account Observer
1"account-manager": {
2 pwa: DENY_ACTION,
3 signed: DENY_ACTION,
4 core: ALLOW_ACTION,
5},
6"account-observer-activesync": {
7 pwa: DENY_ACTION,
8 signed: ALLOW_ACTION,
9},
10"account-observer-google": {
11 pwa: DENY_ACTION,
12 signed: ALLOW_ACTION,
13},
14"account-observer-kaiaccount": {
15 pwa: DENY_ACTION,
16 signed: ALLOW_ACTION,
17}
Allows an application to observe changes to Google, ActiveSync, and KaiAccounts using new WebActivity('account-manager', data)
where data
is an object specifying a specific action
like getAccounts
.
Power Supply
1"powersupply": {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
Provides access to the Power Supply API via navigator.b2g.powerSupplyManager
with the following properties:
powerSupplyOnline
, aboolean
powerSupplyType
, astring
like'USB'
specifying the power supply type
As well as the following events:
chargingchange
levelchange
statuschange
powersupplystatuschanged
USB Manager
1usb: {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
Provides access to the USB Manager API via navigator.b2g.usbManager
with the following properties:
deviceAttached
, aboolean
property indicating if the device is attached is attached via USBonusbstatuschange
, a callback triggered when the USB status has changed
Virtual Cursor
1virtualcursor: {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
This permission was renamed from spatialnavigation-app-manage
on KaiOS 2.5, but serves the same purpose. Provides access to the Virtual Cursor API via navigator.b2g.virtualCursor
, with the following properties:
enabled
, aboolean
property indicating if the virtual cursor is enabledenable
anddisable
, functions to enable and disable the virtual cursor, respectively
Web View
1 "web-view": {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
Allows apps to use the special <web-view>
element, rendering a website within an app similar to an iframe
. The <web-view>
element includes special properties:
src
, the URL of the page to load.remote
, aboolean
to decide if that browser should load content in a content process.ignorefocus
, aboolean
that when set let the browser get pointer events without focusing it. This is useful for virtual keyboard frames.transparent
, aboolean
that, if true, the background of the browser will be transparent instead of white.
Worker Activity
1"worker-activity": {
2 pwa: DENY_ACTION,
3 signed: ALLOW_ACTION,
4 core: ALLOW_ACTION,
5}
The worker-activity
permission allows triggering a Web Activity from a background Worker or ServiceWorker. For instance, this could allow the user to click on a Notification and trigger a Web Activity.
Certified
KaiOS 3.0 also introduces a number of permissions only for Certified apps, including the following.
1"background-window": {
2 pwa: DENY_ACTION,
3 signed: DENY_ACTION,
4 core: ALLOW_ACTION,
5},
6battery: {
7 pwa: DENY_ACTION,
8 signed: DENY_ACTION,
9 core: ALLOW_ACTION,
10},
11"bluetooth-privileged": {
12 pwa: DENY_ACTION,
13 signed: DENY_ACTION,
14 core: ALLOW_ACTION,
15},
16engmode: {
17 pwa: DENY_ACTION,
18 signed: DENY_ACTION,
19 core: ALLOW_ACTION,
20},
21"ime-connect": {
22 pwa: DENY_ACTION,
23 signed: DENY_ACTION,
24 core: ALLOW_ACTION,
25},
26omacpmsg: {
27 pwa: DENY_ACTION,
28 signed: DENY_ACTION,
29 core: ALLOW_ACTION,
30},
31OmaService: {
32 pwa: DENY_ACTION,
33 signed: DENY_ACTION,
34 core: ALLOW_ACTION,
35},
36"process-manager": {
37 pwa: DENY_ACTION,
38 signed: DENY_ACTION,
39 core: ALLOW_ACTION,
40},
41rsu: {
42 pwa: DENY_ACTION,
43 signed: DENY_ACTION,
44 core: ALLOW_ACTION,
45},
46"system-time": {
47 pwa: DENY_ACTION,
48 signed: DENY_ACTION,
49 core: ALLOW_ACTION,
50 access: ["read", "write"],
51},
52tethering: {
53 pwa: DENY_ACTION,
54 signed: DENY_ACTION,
55 core: ALLOW_ACTION,
56}
Removed in KaiOS 3.0
The following permissions were moved or removed in KaiOS 3.0:
geolocation-noprompt
(usegeolocation
)mmi-test
udp-socket
(API removed)network-events
speech-recognition
browser
browser:universalxss
browser:embedded-system-app
push
(no longer needed)serviceworker
(no longer needed)settings-clear
softkey
(removednavigator.softkeyManager
)phonenumberservice
(removednavigator.mozPhoneNumberService
)global-clickthrough-overlay
moz-attention
homescreen-webapps-manage
backgroundservice
resourcestats-manage
idle
time
(replaced bysystem-time
)embed-apps
embed-widgets
moz-audio-channel-telephony
(useaudio-channel-telephony
)moz-audio-channel-ringer
(useaudio-channel-ringer
)open-remote-window
input-manage
audio-capture:3gpp
(useaudio-capture
)audio-capture:3gpp2
(useaudio-capture
)nfc
nfc-share
nfc-manager
nfc-hci-events
mobileid
test-permission
kaios-accounts
(replaced byaccount-observer-kaiaccount
)kaios-accounts:service
(replaced byaccount-observer-kaiaccount
)themeable
settings:wallpaper.image
engineering-mode
(replaced byengmode
)tv
before-after-keyboard-event
presentation-device-manage
requestsync-manager
(API removed)secureelement-manage
inputport
system-update
presentation
open-hidden-window
moz-extremely-unstable-and-will-change-webcomponents
(no longer needed)system-app-only-audio-channels-in-app
keyboard-event-generator
customization
deviceconfig
(replaced bydevice-configuration
)external-api
engmode-extension
spatialnavigation-app-manage
(replaced byvirtualcursor
)sandboxed-cookies
(now the default behavior on KaiOS 3.0)libsignal
(now requiressystemXHR
)wamedia
Conclusion
With over 100 permissions, and major differences between KaiOS 2.5 and 3.0, it can be difficult knowing which APIs and permissions can be used for an optimal user experience. If you need an experienced partner to guide your KaiOS development, contact the author from the About page.