In the current context where customers are more sensible about protecting their privacy, our duty as developers is to consider security in our developments. Google did understand this global problematic and provides in Android OS different kinds of security systems : selinux, permissions system, etc. Throughout this talk, we are going to present how the Android permission system is implemented, all the way from the kernel to the application layer. How Android low layers use the concepts of the Linux kernel users and groups in order to provide its own permission system? What is the communication flow in the framework when an access to a specific device is asked by an Android application? Next, we will demonstrate an use case of an Android application which leads to a huge security hole, then fix it.