An excerpt from http://www.sitepoint.com/developers-guide-risky-android-app-permissions/
The Android Operating System is an open platform based on Linux, integrated into mobile devices, smart watches, tablets and even televisions and cars. The opportunity to create applications across a myriad of devices raises the problem of security, which I believe to be Android’s biggest challenge.
Android maintains application level security by using a full permissions based security mechanism that lets users restrict access to application components. Permissions can prevent malicious applications from corrupting data, gaining access to sensitive information, or making excessive or unauthorized use of hardware resources or external communication channels.
By default no Android application has permissions to perform any operation that would impact the operating system, the users private data or other applications. But without permission to use anything, an Android Application is not a useful application.
##The Security issue
Android uses permissions to filter the capabilities of an application and it’s up to the user whether to accept the permissions of an application upon installation. The problem is that users tend to not read permissions and accept them thoughtlessly. This can lead to a range of security issues from private information flowing to the Android operating system and worse, kernel alterations.
In this article I will discuss the Android manifest and permissions. The manifest file contains information on the app package, including permissions, content providers, services, activities and broadcast receivers.
Here is a general structure of the manifest file to show where permissions go in the manifest.
##The most dangerous application permissions
To judge what permissions to accept, every user must keep the function of installed applications in mind. For example “Why does a Game need permission for my contacts or asks for permission to send SMSs?”. You don’t need to send SMSs in a Game. Such permissions tend to be dangerous and leak private user information.
Continue reading at http://www.sitepoint.com/developers-guide-risky-android-app-permissions/