Effective in 2026, to align with our trunk stable development model and ensure platform stability for the ecosystem, we will publish source code to AOSP in Q2 and Q4. For building and contributing to AOSP, we recommend utilizing android-latest-release instead of aosp-main. The android-latest-release manifest branch will always reference the most recent release pushed to AOSP. For more information, see Changes to AOSP.

Privacy indicators

Android 12 (API level 31) and higher provides users with additional transparency by displaying indicators when an app uses a private data source through camera and microphone app-op permissions. App ops record accesses to runtime permission-protected APIs, tracking both the activity status and the number of individual API calls, and interacting with the camera and microphone and indicators to show users when apps have accessed audio and camera data on their devices. When users click the camera or microphone indicators, they see which apps have accessed their data.

Usage and features

In Android 12 or higher, the UI distinguishes between running usages and recent usages. Usages are considered active if they're either marked by the system as running, or are less than five seconds old.

Microphone and camera in-use indicators showing that access is active

Figure 1. Microphone and camera in-use indicators showing active access (top-right corner).

Status bar icons show each time an app has ongoing user-sensitive microphone or camera access.
Users can click these icons and see which apps are accessing the microphone, the camera, or both.

Access is considered active for as long as the indicators show. An icon shows first, and then transitions to a dot that persists until the app is either dismissed or closed. When a user opens Quick Settings and then taps the indicators, a dialog appears that shows whether the app is using the camera, the microphone, or both. The image in Figure 2 shows active access indicators when a running app has accessed data in the past five seconds:

Indicators for both active and recent access

Figure 2. Active and recent access indicators.

Recent access indicators show that an app accessed data during the prior 15 seconds, but that the app isn't active. All active apps show in the dialog, but only one app shows as the source of recent access, even when more than one app accessed data within a prior 15-second timeframe. The access view remains frozen until the user dismisses the notification dialog.

Deliver and enable

The PermissionManager class provides a method to populate the dialog (which resides in the System UI). The System UI reacts to the device configuration switch privacy/mic_camera_indicators_enabled; this switch is necessary because there are two separate delivery vehicles: (1) Deliver, then (2) Enable. If the method in PermissionManager can't provide the needed data, the System UI must not crash.

Process flow

The indicator functionality has three main parts:

The apps
The indicators (handled by the System UI)
A way to determine which apps are using the data

PermissionController provides the mechanism to determine which apps are using data. the System UI listens for apps using private data. The System UI shows an icon in the top navigation bar that corresponds to the permissions used. PermissionController displays data about usages when a user clicks an icon.

Process flow for indicator functions

Figure 3. System components and (UI) transitions flow.

1 An app requests private data from the system.
2 The system checks permissions. If the permissions are allowed, the system notifies the data provider, and notes the usage in app ops.
3 The data provider gives data to the app.
4-5 The user clicks the icons. The System UI requests data from PermissionManager and presents the dialog to the user.

Process details

Apps use the microphone and camera, calling AppOpsManager.startOp, stopOp, or noteOp. This creates app op records in the system server.
The System UI listens for new app ops using the AppOpsManager.OnOpActiveChangedInternalListener and OnOpNotedListener listeners. When a new usage comes in (through a call to either startOp or noteOp), the System UI verifies that the usage is by a system app:
- If the System UI verifies system app usage, and if the usage is for the microphone, the System UI checks if the microphone is muted.
- If the System UI verifies nonsystem app usage, it shows an icon reflecting such usage, provided the microphone is unmuted for microphone usage, or the camera is toggled on for camera usage.

If the System UI receives noteOp, which has no duration, it shows the icon for at least five seconds. Otherwise, the icon shows either until it receives stopOp, or for five seconds, whichever is longer. The user clicking an icon initiates an intent that goes to PermissionController to start the dialog.

PermissionController loads all recent usage for microphone and camera. It checks if any of those are running, or were running within the timeframe set by the System UI. If it finds a match, it displays the name of the app that used the permission, and which permissions the app used.

Telephony must implement permission usage, to account for the separate microphone stack used in phone calls, while working with Android Google Search app (AGSA) and GMS.