When I create a project using Ionic Capacitor, automatically both iOS (info.plist) and Android(AndroidManifes.xml) have some default permissions:
AndroidManifes.xml Permissions:
<!-- Permissions -->
<uses-permission android:name="android.permission.INTERNET" />
<!-- Camera, Photos, input file -->
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<!-- Geolocation API -->
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-feature android:name="android.hardware.location.gps" />
<!-- Network API -->
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<!-- Navigator.getUserMedia -->
<!-- Video -->
<uses-permission android:name="android.permission.CAMERA" />
<!-- Audio -->
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
Info.plist Permissions:
<key>NSCameraUsageDescription</key>
<string>To Take Photos and Video</string>
<key>NSLocationAlwaysUsageDescription</key>
<string>Always allow Geolocation?</string>
<key>NSLocationWhenInUseUsageDescription</key>
<string>Allow Geolocation?</string>
<key>NSMicrophoneUsageDescription</key>
<string>To Record Audio With Video</string>
<key>NSPhotoLibraryAddUsageDescription</key>
<string>Store camera photos to camera</string>
<key>NSPhotoLibraryUsageDescription</key>
<string>To Pick Photos from Library</string>
<key>UILaunchStoryboardName</key>
<string>LaunchScreen</string>
Let's say my app doesn't need Camera access, If I remove it from AndroidManifest.xml, my app builds successfully and is posted in PlayStore without that permission, but if I remove anything from Info.plist after uploading through xCode I get email notification that I should add that permission that I just removed.
What is the correct way to do this, should I change other files in iOS?
On iOS they are not permission, they are usage descriptions.
Usage descriptions are an additional text explaining why your app needs a permission at the moment the app request it.
Since Capacitor ships all the core plugins and some of them request permissions, Apple code scanner detects the code and warns you to make sure you didn't forget about them. It's just a warning, you shouldn't worry, but also, there is no harm if you leave them there.
On Android on the other hand, you can remove the permissions you don't use.
Related
When my Android app is installed on a device set to French, it request access to photos and contacts. The main app does not need or request these. Is there somewhere that I need to change a setting to not request for any language?
Manifest permissions:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
While releasing the apk to play store, I found out that the my app requires the android.hardware.telephony feature but I haven't added it in manifest anywhere. I have also check the merged manifest in android studio and it also does not contain this feature so I think no third party sdk is adding this. What could be the source of this feature?
For reference, I have following permissions declared in the manifest:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
Also, when I make it optional using below code, the app is available on devices without this feature:
<uses-feature
android:name="android.hardware.telephony"
android:required="false" />
So why is required by default without adding it anywhere?
Google Play automatically adds some features, depending on which permissions you have requested.
As you have requested READ_SMS and RECEIVE_SMS permissions, this implies you use the telephony feature. So, Google Play reacts as if you had the following in your AndroidManifest.xml:
<uses-feature
android:name="android.hardware.telephony"
android:required="true" />
When you manually add this and declare it required="false", this tells Google Play that whilst you do ask for the permission, you can handle the case where the user does not have the telephony feature.
This is confirmed via this note in the docs:
Note: Some system permissions implicitly require the availability of a device feature. For example, if your app requests permission to access to BLUETOOTH, this implicitly requires the FEATURE_BLUETOOTH device feature.
The full list of permissions and the feature requirements implied is available here, and includes your situation:
Finally, with your ACCESS_COARSE_LOCATION you are also declaring a feature requirement on android.hardware.location, just for your information.
There's also further detailed information over on the GameDev StackExchange.
One or more of the dependencies / modules / libraries your project is using is adding that requirement to your Android Manifest.
To investigate open your main Android Manifest file in Android Studio, and click on the Merged Manifest tab at the bottom of the page.
This will show you a view of the final merged Manifest, along with sources of each line.
Read more about this here: https://developer.android.com/studio/build/manifest-merge#inspect_the_merged_manifest_and_find_conflicts
HOW TO FIX
If you wish to avoid adding that requirement to your final Manifest, you can use Node Markers in your Manifest to control how the merge works.
Read more about Node markers here: https://developer.android.com/studio/build/manifest-merge#node_markers
e.g. try this:
<uses-feature
android:name="android.hardware.telephony"
android:required="false"
tools:node="replace" />
A 3rd party security application reads into my application. They probably read my asset folder.
How is this possible? I thought that the sandbox model prevented from external access to the internal data structure of an app?
I've checked their permission. They are using: access_coarse_location, access_fine_location, access_network_state, change_network_state, internet, kill_background_processes, modify_audio_settings, manage_device_admins, wake_lock, read_sms, receive_sms, write_secure_settings, flashlight, vibrate, disable_keyguard, get_accounts, camera, read_phone_state, get_tasks, receive_boot_completed, read_external_storage, read_call_logs, write_call_logs, write_external_storage, write_media_storage, access_wifi_state, change_wifi_state
What are manage_device_admins and write_media?
I thought that write_secure_settings and write_media_storage were reserved for android?
Here are the permissions I am using:
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
<uses-permission
android:name="android.permission.PACKAGE_USAGE_STATS"
tools:ignore="ProtectedPermissions" />
<uses-permission android:name="android.permission.OPSTR_GET_USAGE_STATS" />
Is there any issues associated with android:allowBackup="true"?
They probably read my asset folder.
Sure. Other apps read other things out of your APK. For example, the home screen reads your icon and label for your launcher activity.
How is this possible?
The contents of your APK are world-readable. This includes assets/ and res/.
I thought that the sandbox model prevented from external access to the internal data structure of an app?
Android protects files created on internal storage. Those may hold private information for the user. Android does not protect the APK itself from inspection.
I'm building an app and I want to send push notifications to the users of this app, so I use the PushBots services.
In their guide, they say to put these permissions in the manifest:
<!-- GCM connects to Google Services. -->
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<!-- GCM requires a Google account. -->
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<permission android:name="com.example.sampleapp.permission.C2D_MESSAGE" android:protectionLevel="signature" />
<uses-permission android:name="com.example.sampleapp.permission.C2D_MESSAGE" />
<!-- This app has permission to register and receive dataf message. -->
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
But in the new permission request system, I have to request every single permission.
So now I'm asking these permissions in my app:
-location permissions (I use map activity).
-accounts permissions (PushBots said it is required).
I've tried to run my app, and this is the error I get:
java.lang.IllegalStateException: Application does not define permission com.giladneiger.haerev.permission.C2D_MESSAGE
How can I request a permission for this? There is no option for it, and my app will request so many permissions that the user will lose his patience for it.
What do I have to do with this error?
You should use your package name com.giladneiger.haerev instead of com.example.sampleapp in the lines
I have a problem while publishing on the Market. My application does not use autofocus feature but when I publish it on the market I see in console following:
android.hardware.camera
android.hardware.camera.autofocus
And here are permissions and features that I request in manifest file:
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
Can anyone tell me what's the problem please?
Are the proper <uses-feature> tags included in your manifest? That means only
<uses-feature android:name="android.hardware.camera" />
The doc states:
For example, if an application requests the CAMERA permission but does not declare a element for android.hardware.camera, Google Play considers that the application requires a camera and should not be shown to users whose devices do not offer a camera.
from filtering based on implicit features
You can check this list and see that the two features mentioned by you are assumed when you use the camera permission and don't state anything in your manifest. Add the above code snippet and it should get reduced to just the camera-feature.