---
last_verified: 2026-06-01
verified_version: 0.1.48
freshness_days: 180
---

# Platform Permissions Policy (MUST / NEVER)

**Principle:** every OS permission is a threat-model liability. pvtcoms requests the **absolute
minimum** to receive messages and (only on demand) attach media. Anything a privacy messenger does not
strictly need is **never** requested. This policy is binding on the Android, Desktop, and (v2) iOS apps.

## Android

**MUST request (core function):**
- `INTERNET` — required for Tor/onion transport.
- **Background execution** so messages still arrive when the app isn't foregrounded:
  - `FOREGROUND_SERVICE` + `FOREGROUND_SERVICE_DATA_SYNC` (Android 14+) — a long-running service that
    keeps the Tor session / relay poll alive.
  - `POST_NOTIFICATIONS` — to show the mandatory foreground-service notification and message alerts.
  - `RECEIVE_BOOT_COMPLETED` *(optional)* — restart the message service after reboot. Ship only if it
    materially improves delivery; otherwise omit.
- Battery-optimization exemption is **requested, not required** (user-prompted; degrade gracefully if denied).

**MUST request ONLY on demand (runtime, at the moment the user sends media — denial just disables that
one action, never blocks messaging):**
- `READ_MEDIA_IMAGES`, `READ_MEDIA_VIDEO` — to pick a photo/video to send. Prefer the **Photo Picker**
  (no permission at all) where possible; fall back to these scoped permissions only if needed.
- `CAMERA` — only if the user taps the in-app camera to capture media to send.

**NEVER request:** contacts, location (fine/coarse), microphone (until v2 calls), phone state, SMS/call
log, accounts, nearby devices, or any advertising/analytics identifier. No telemetry, ever.

## Desktop (Windows / macOS / Linux)

- **No OS permissions.** Networking is inherent; there is no permission model to satisfy.
- **Windows tray behaviour (required UX):** the app lives in the **system tray near the clock**.
  Closing the window **minimizes to tray** (keeps receiving messages in the background); the app is
  **quit explicitly from the tray menu** ("Quit pvtcoms"). This lands with the native Tauri desktop
  shell (tray + minimize-to-tray + quit) — see SR-2026-06-01-014. Until then the browser-served build
  runs in the background as a single instance.
- Media send uses the OS file picker — no standing permission.

## iOS (v2, deferred)

- Background delivery via push + a Notification Service Extension; designed under the same
  minimal-permission rule. Photo/camera access requested on demand only.

## Rule of thumb for contributors

Before adding any permission to a manifest, answer: *does a message fail to send or arrive without it?*
If no — it does not ship. If it is only for **sending media**, it must be **runtime, on-demand, and
non-blocking** for text messaging.
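
One way to enforce this rule in CI, shown as an added example (not pvtcoms project code): a default-deny check of an Android manifest against the lists above. The function and constant names, the sample manifest, and the mapping of the battery-optimization prompt to `REQUEST_IGNORE_BATTERY_OPTIMIZATIONS` are assumptions.

```python
"""CI check: fail the build if a manifest declares a permission outside the policy."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Core permissions from the "MUST request" list.
CORE = {"INTERNET", "FOREGROUND_SERVICE", "FOREGROUND_SERVICE_DATA_SYNC",
        "POST_NOTIFICATIONS", "RECEIVE_BOOT_COMPLETED",
        # Assumption: the battery-optimization prompt is declared with this one.
        "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}
# Declared in the manifest, but requested only at runtime when the user sends media.
ON_DEMAND = {"READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO", "CAMERA"}


def audit_manifest(xml_text):
    """Return (on_demand, violations) as sorted lists of permission names."""
    root = ET.fromstring(xml_text)
    on_demand, violations = set(), set()
    for elem in root.iter():
        # Covers both <uses-permission> and <uses-permission-sdk-23>.
        if not elem.tag.startswith("uses-permission"):
            continue
        name = elem.get(ANDROID_NS + "name", "")
        short = name[len(PREFIX):] if name.startswith(PREFIX) else None
        if short in ON_DEMAND:
            on_demand.add(short)
        elif short not in CORE:
            # Default deny: anything not listed in the policy is a violation.
            violations.add(name or "<missing android:name>")
    return sorted(on_demand), sorted(violations)


# Constructed sample manifest (not the project's real one).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    runtime_only, bad = audit_manifest(text)
    print("runtime-only (must not be requested at startup):", runtime_only)
    for perm in bad:
        print("POLICY VIOLATION:", perm)
    sys.exit(1 if bad else 0)
```

Run it against the merged manifest rather than the app's source manifest, since library dependencies can contribute their own `<uses-permission>` entries.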
