I need to upgrade old android aplication from minSdkVersion="19" , so I need to handle all the permissions.
In the manifest, it requires some dangerous permissions.
e.g.:
<uses-permission android:name="android.permission.BLUETOOTH" /> <!-- normal -->
<uses-permission android:name="android.permission.BLUETOOTH_ADMIN" /> <!-- normal -->
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" /> <!-- normal -->
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> <!-- dangerous -->
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" /> <!-- ??? -->
<uses-permission android:name="android.permission.WAKE_LOCK" /> <!-- normal -->
<uses-permission android:name="android.permission.INTERNET" /> <!-- normal -->
<uses-permission android:name="android.permission.VIBRATE" /> <!-- normal -->
<uses-permission android:name="android.permission.CAMERA" /> <!-- dangerous -->
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /> <!-- dangerous -->
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <!-- dangerous -->
<android:uses-permission android:name="android.permission.READ_PHONE_STATE" /> <!-- dangerous -->
<android:uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="18" /> <!-- dangerous -->
How can I find in code where these dangerous permissions are needed? Is there a list of functions that depends on each permission?
Regarding MOUNT_UNMOUNT_FILESYSTEMS - where can I find if it is dangerous or normal?
Before answering the specific questions, let me say that if your app is to be used by normal users (i.e. download it from Google play or other stores) listing so many permissions will probably scare users away.
From the question it sounds like you inherit someone else's code, and some of those permissions are not even needed.
Another important thing to notice here is the difference between 3rd party apps (for example, apps you download from Google's play store) and phone-manufacturer apps (most of the apps installed on your phone when you buy it).
Manufacturer apps can use permissions that 3rd parties can't.
To your question:
I don't recall a complete list for functionalities with needed permission for each. Maybe someone else can enlighten both of us here :)
Code targeting Android M and above SHOULD wrap any "dangerous" behaviour with a check that permission is granted, using functions like ContextCompat.checkSelfPermission(Context, String) in order to avoid runtime SecurityExceptions.
But finding "dangerous" behaviors in old code is almost impossible, mainly because Android OS's agreement with the developers was "you just request those permissions in the manifest and I will make sure no runtime security exceptions will be thrown".
A manual search is in need here, I'm afraid.
Here is a complete list of all available permissions, from Android official documentation -
https://developer.android.com/reference/android/Manifest.permission
Notice that MOUNT_UNMOUNT_FILESYSTEM permission is ignored for 3rd party apps, so (unless you work for e.g. Samsung or Xiaomi) you can safely delete this permission from your manifest.
Also notice that it you request FINE_LOCATION permission there is no need to request also COARSE_LOCATION permission.
Related
I am trying to upload an bundle to play with the following permissions:
<uses-permission android:name="android.permission.CALL_PHONE" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.WRITE_CONTACTS" />
<uses-permission android:name="android.permission.READ_CALL_LOG" />
<uses-permission android:name="android.permission.WRITE_CALL_LOG" />
<uses-permission android:name="android.permission.READ_PROFILE" />
<uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />
<uses-permission android:name="android.permission.NFC" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
My app's core functionality is to work as a complete dialer like other phone apps like google phone, it shows call history, contacts place calls, etc. I have filled the declaration form and also gave reasons why I need the following permissions but still, my app is getting rejected again and again, also filed an appeal for the same still waiting for a response, please can anyone guide me what I am doing wrong.
below is the message sent by Google:-
Issue: Violation of Permissions policy After reviewing your app, we
found that it doesn’t qualify to use the requested permissions for the
following reason(s): Requested permissions do not match the core
functionality of the app You declared the Default Phone handler (and
any other core functionality usage while the default handler) as the
core functionality of your app. However, after review, we found that
your app does not match the declared use case(s). Learn more about
permitted uses and exceptions. Please either:
• Make changes to your app so that it meets the requirements of the
declared core functionality or,
• Select a use case that matches your app’s functionality
Some of requirements may not be met:
Your app must be able to perform the functionality for which it's a default handler. For example, a default SMS handler should be able to send text messages.
Your app must provide a privacy policy.
Your app must make its core functionality clear in the Play Store description. For example, a default Phone handler should describe its phone-related capabilities in the description.
Your app must declare permissions that are appropriate for its use case. For more details about which permissions you can declare as a given handler, see the guidance on using SMS or call log permission groups in the Play Console Help Center.
Your app must ask to become a default handler before it requests the permissions associated with being that handler. For example, an app must request to become the default SMS handler before it requests the READ_SMS permission.
Here's the two different Permissions on web vs play store.
Web
App Store
Ive looked at the build/intermediate.manifests folder. There's no EXTERNAL_STORAGE in the Manifest
Same for the outputs/logs/manifest-merger files.
BNelow is the merged manifest
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"
/>
<permission
android:name="com.formulaone.production.permission.C2D_MESSAGE"
android:protectionLevel="signature" />
<uses-permission android:name="com.formulaone.production.permission.C2D_MESSAGE" />
<uses-permission android:name="com.android.vending.BILLING" />
Is there any reason why this is different on web s app?
edit : Wrong permissions at Google Play
The app does use shared prefs, does that add the external_storage permission?
The Permission Request depends on many factors. Like if you're sending some data which requires storage permission, then you need to add READ_EXTERNAL_STORAGE permission
Also, the permissions on Web and Android varies
I think you are using wrong Android permissions
Here's a quick guide for Android Permissions
I have an Android app,but when user click "Install" button,the app install directly and it didn't prompt up to ask for permission for user to accept directly.So,I need to request permission during runtime.
But what I need to do,when user click "Install" button,request all the permission needed before the app start downloading from Google Play just like the image below:
So far my manifest is look like this
<uses-feature android:name="android.hardware.camera" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
So what I need to add in order to achieve this?
You are welcome to have your targetSdkVersion below 23, which will force the request for permissions at install time.
Over time, seeing this permission dialog at install time will signal to prospective users that your app is obsolete and not being maintained. An increasing number of those prospective users will elect to not install your app as a result.
Also, bear in mind that users can still remove your requested permissions via the Settings app.
The runtime permissions was introduced since 5.0 Android.
The reason that most of users don't read permissions while installation.
So, all up-to-date API have to use runtime permissions.
Even default apps such as Google maps require runtime permissions.
https://developer.android.com/training/permissions/requesting.html
If you don't want to use runtime permissions you have to use old API version. but you have to check. Your app may crash.
For devices with android < 6.0 permissions are request at installation.
For devices with android > 6.0 permissions are request at runtime.
So if you want your app compatible with devices below and above 6.0, you need to declare permission in your Manifest.xml and request permission at runtime too.
The official guide
My problem is that I do not want to set a privacy policy for my app, I would rather remove all of the unnecessary permission requests.
I have removed the "READ_CONTACTS" permission from my AndroidManifest.xml, but when trying to upload to Play Store, it always says:
The apk has permissions that require a privacy policy set for the app, e.g: android.permission.READ_CONTACTS. [403]
It seems to me, that "READ_CONTACTS" permission is always added automatically.
Is there a way to remove this?
I only use the following permissions:
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
It was definitely a 3rd-party library issue.
After app building and merging of manifest my app manifest request the following permissions (app/build/intermediates/manifests/full/arm/release/AndroidManifest.xml):
<!-- sd card -->
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<!-- downloads -->
<uses-permission android:name="android.permission.INTERNET" />
<!-- ga -->
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<!-- in-app billing -->
<uses-permission android:name="com.android.vending.BILLING" />
However in Google Play it looks like it's able to "read sensitive log data". How can that be?
Previous versions of the app requested "read_log" permissions to provide more information for app crashes and it's secure as the app is unable to read log output of another apps. Are previous versions permissions shown too?