I just installed the OneSignal package and set it up like it is described in the docs. However, OneSignal always has/gets permissions from the user although there is no popup coming app asking the user for permissions. Maybe thats the usual way Android works but I am used to a popup asking for permissions (I am an iOS user).
Isn't Android asking the user for push notification permissions? Is that usual? And is that even machting with the GDPR regulations?
Or is all I need the AndroidManifest.xml which is taking care of asking for permissions?
Cause when I am installing my .apk on my test device Android IS NOT asking for further permissions although in the AndroidManifest.xml I am asking for push notification permission and location permissions!
This is the install screen:
This is the OneSignal code for the AndroidManifest.xml:
<!-- Optional - Add the necessary permissions (Choose one of those) -->
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/> <!-- Approximate location - If you want to use promptLocation for letting OneSignal know the user location. -->
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> <!-- Precise location If you want to use promptLocation for letting OneSignal know the user location. -->
<!-- End optional permissions -->
<application ....>
<activity
android:name=".MainActivity"
android:label="OneSignal Example"
android:launchMode="singleTop"> <!-- Add this attribute to your main activity -->
</activity>
.....
In Android you only have to ask for permissions that they class as dangerous.
https://developer.android.com/guide/topics/permissions/overview
Only dangerous permissions require user agreement. The way Android
asks the user to grant dangerous permissions depends on the version of
Android running on the user's device, and the system version targeted
by your app.
You can find a table here that lists of permissions that are currently classed as dangerous.
https://developer.android.com/guide/topics/permissions/overview#permission-groups
Push Notifications is clearly missing from this list so you do not need to ask the user for permission to send them push notifications.
With regard to any other permissions, if OneSignal wants access to them and they are classed as dangerous (e.g. location) then the only way for them to get it is to show a dialog requesting the permission to access that information. Otherwise they won't have access to that information.
In iOS the system of permissions is much more rigorously controlled and before you do most things you have to ask permission.
Related
I am developing an Android application which is suppose to run on an embedded device which does not have UI. My application uses various permissions for which usually Android system will present user to grant permission. This is not possible in our case because the device does not have any screen. What is the way to grant permissions in this case. Note that, we can publish this app as System app as we can build our own firmware too but not sure about how to get past this user prompt.
As you have already said you are going to publish this app as system application
you also need to mention this in your manifest file
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
I am following the instructions found here at android developer. These instructions say to add these two lines of code into the manifest:
<manifest ... >
<uses-permission android:name="android.permission.ACCOUNT_MANAGER" />
<uses-permission android:name="android.permission.INTERNET" />
...
</manifest>
The problem is that I now get an error on the "ACCOUNT_MANAGER" line saying "Permission is only granted to system apps".
My application is not going to be a system application and I need to authenticate to OAuth2 services. How can it be possible that ANY app that uses OAuth2 needs to be a system application?
Does anyone know how to use ACCOUNT_MANAGER without requiring my application to be a "system application"?
I've looked at this question and this question. They say that, for the permissions they have listed, the error is a "fake" error message. Does anyone know if the 'ACCOUNT_MANAGER error is a fake message? Can I tell the compiler to ignore this like the suggestions in these other posts?
From documentation
String ACCOUNT_MANAGER
Allows applications to call into AccountAuthenticators.
Not for use by third-party applications.
ACCOUNT_MANAGER permission can only be granted to system app
If your app requires AccountManager, you can create an AccountAuthenticator service like in this tutorial
Or you can request MANAGE_ACCOUNTS permission as explained in this answer
MANAGE_ACCOUNTS: The API documentation is not that clear about this
permission. But according to Bryans answer, an app can only
delete/modify an account it created itself. Of course it can create
any new account, and manage that.
Can someone tell me where in the docs it goes over how to ask for permissions to access the file system or other media?
If an app doesn't ask for permission during installation, this means it does not have permissions to ask for any data other than its own isolated storage space?
Permissions
If you're using Android 5.1 or lower all the permissions your app requires have to be declared on the AndroidManifest.xml file. As you can see on the docs.
Example:
<manifest xlmns:android...>
...
<uses-permission android:name="android.permission.INTERNET" />
<application ...>
...
</application>
</manifest>
If you didn't declare a permission on your manifest file, it was impossible to request a new one after installation, unless you updated your app requestion new permissions.
But that changed on Android 6.0 (API Level 23), where you can request permissions at runtime.
From the docs:
Beginning in Android 6.0 (API level 23), users grant permissions to
apps while the app is running, not when they install the app. This
approach streamlines the app install process, since the user does not
need to grant permissions when they install or update the app. It also
gives the user more control over the app's functionality; for example,
a user could choose to give a camera app access to the camera but not
to the device location. The user can revoke the permissions at any
time, by going to the app's Settings screen.
So instead of asking for all permissions on app install:
Starting from Android 6.0, permissions can also be requested like this:
For more information, check the training guide or this link.
File access
If you want to have write access the external file storage, you have to declare a permission for that, as it's stated on the docs.
To write to the external storage, you must request the
WRITE_EXTERNAL_STORAGE permission in your manifest file.
Example:
<manifest ...>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
...
</manifest>
And if you just want to read it, all apps already have that ability, but it might change in the future, so it's better to use this permission instead:
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
Every thing you need to know about system permissions is located here in the documentation :
Working with System permissions
Starting at API 23 (Marshmallow), the system will not ask permission at install time but at runtime when the developer thinks the permission is needed.
I have an app which use GCM and Billing. In order to make it Android M-ready i'm trying to implement the new permission model.
Unfortunately i can't find any informations about GCM and Billing permissions.
They don't appear in the normal permission list and are obviously not available with Manifest.permission.* because they are not under android.permission namespace.
Nevertheless , we still have to declare them in the manifest
<uses-permission android:name="com.android.vending.BILLING">
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE">
So how those permissions should be handled ? Are they automatically granted ?
Those permissions are granted automatically at install time:
checkSelfPermission("com.android.vending.BILLING") returns PERMISSION_GRANTED without ever asking the user.
As far as I understood the documentation and the behaviour of the most recent M preview, the only permissions that have to be requested at runtime are the ones that have a permission group, since the popups that are prompted to the user only mention permission groups.
I am developing an application which has a number of components, each component will be a separate Android app. The "Core" app will use content providers to offer access to the database, and reading the permissions documentation "Signature" protection is the way I want to go.
I've defined a group for my permission, mainly so my permissions would show up nicely against my own icon in the "Permissions" section of the App Info. with android:protectionLevel="normal" they show up just fine. But when I use the android:protectionLevel="signature" they disappear.
<permission-group
android:name="com.example.permissions.GROUP"
android:label="#string/lblGroup"
android:description="#string/descGroup"
android:icon="#drawable/ic_menu_permissions_group" />
<permission
android:name="com.example.permission.CONFIG_READ"
android:permissionGroup="com.example.permissions.GROUP"
android:protectionLevel="signature"
android:label="#string/lblConfigRead"
android:description="#string/descConfigRead" />
<permission
android:name="com.example.permission.CONFIG_WRITE"
android:permissionGroup="com.example.permissions.GROUP"
android:protectionLevel="signature"
android:label="#string/lblConfigWrite"
android:description="#string/descConfigWrite" />
Given that I am currently developing and, therefore using the developers key, are there some other hoops I need to jump through in order to get the "signature" protection level to work for developers?
As always many thanks for your help
Steve
But when I use the android:protectionLevel="signature" they disappear.
That is because the user does not need to approve them. Signature-level permissions are automatically granted and denied based upon the signatures of the apps.
are there some other hoops I need to jump through in order to get the "signature" protection level to work for developers?
It already works, for your own apps. If "developers" are third parties, you cannot use signature-level permissions, as they will be signing with their own signing keys.