A 3rd party security application reads into my application. They probably read my asset folder.
How is this possible? I thought that the sandbox model prevented from external access to the internal data structure of an app?
I've checked their permission. They are using: access_coarse_location, access_fine_location, access_network_state, change_network_state, internet, kill_background_processes, modify_audio_settings, manage_device_admins, wake_lock, read_sms, receive_sms, write_secure_settings, flashlight, vibrate, disable_keyguard, get_accounts, camera, read_phone_state, get_tasks, receive_boot_completed, read_external_storage, read_call_logs, write_call_logs, write_external_storage, write_media_storage, access_wifi_state, change_wifi_state
What are manage_device_admins and write_media?
I thought that write_secure_settings and write_media_storage were reserved for android?
Here are the permissions I am using:
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
<uses-permission
android:name="android.permission.PACKAGE_USAGE_STATS"
tools:ignore="ProtectedPermissions" />
<uses-permission android:name="android.permission.OPSTR_GET_USAGE_STATS" />
Is there any issues associated with android:allowBackup="true"?
They probably read my asset folder.
Sure. Other apps read other things out of your APK. For example, the home screen reads your icon and label for your launcher activity.
How is this possible?
The contents of your APK are world-readable. This includes assets/ and res/.
I thought that the sandbox model prevented from external access to the internal data structure of an app?
Android protects files created on internal storage. Those may hold private information for the user. Android does not protect the APK itself from inspection.
Related
Say I have these permissions:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.GET_TASKS" />
<uses-permission
android:name="android.permission.PACKAGE_USAGE_STATS"
tools:ignore="ProtectedPermissions" />
I would like to tell the Play Store that these permissions are not required and are not to be used for filtering out devices. I found that with some permissions like bluetooth you can add the <uses-feature tag and then to that add android:required="false". For example:
<uses-permission android:name="android.permission.BLUETOOTH" />
<uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
<!-- Tells the Play Store that the above two permissions are not required -->
<uses-feature
android:name="android.hardware.bluetooth"
android:required="false" />
However I found no features to declare for any of the permissions I listed in the beginning of this post. So how am I supposed to tell the Play Store that they're not required?
So how am I supposed to tell the Play Store that they're not required?
You don't. No devices will be filtered out based on those permissions.
I would like to tell the Play Store that these permissions are not required and are not to be used for filtering out devices
No permissions are used directly for filtering out devices. As you noted, some permissions imply features, and you can declare that the features are not required.
I would like to tell the Play Store that these permissions are not
required and are not to be used for filtering out devices.
Don't worry! If your next update/package don't require some permissions, just remove those permissions from the mainfest.xml, and done. If you still have doubt, you can see the number of compitable device models during creation of release in your console.
I found that with some permissions like bluetooth you can add the
<uses-feature tag and then to that add android:required="false".
They are all for feature-based filtering and not for permissions. Because, features might be critical for some apps to work. If an app uses a feature which is not critical for its functionality, required=false might be helpful.
You can use like that:
<uses-permission android:name="android.permission.INTERNET"
tools:node="remove"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"
tools:node="remove"/>
When I create a project using Ionic Capacitor, automatically both iOS (info.plist) and Android(AndroidManifes.xml) have some default permissions:
AndroidManifes.xml Permissions:
<!-- Permissions -->
<uses-permission android:name="android.permission.INTERNET" />
<!-- Camera, Photos, input file -->
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<!-- Geolocation API -->
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-feature android:name="android.hardware.location.gps" />
<!-- Network API -->
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<!-- Navigator.getUserMedia -->
<!-- Video -->
<uses-permission android:name="android.permission.CAMERA" />
<!-- Audio -->
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
Info.plist Permissions:
<key>NSCameraUsageDescription</key>
<string>To Take Photos and Video</string>
<key>NSLocationAlwaysUsageDescription</key>
<string>Always allow Geolocation?</string>
<key>NSLocationWhenInUseUsageDescription</key>
<string>Allow Geolocation?</string>
<key>NSMicrophoneUsageDescription</key>
<string>To Record Audio With Video</string>
<key>NSPhotoLibraryAddUsageDescription</key>
<string>Store camera photos to camera</string>
<key>NSPhotoLibraryUsageDescription</key>
<string>To Pick Photos from Library</string>
<key>UILaunchStoryboardName</key>
<string>LaunchScreen</string>
Let's say my app doesn't need Camera access, If I remove it from AndroidManifest.xml, my app builds successfully and is posted in PlayStore without that permission, but if I remove anything from Info.plist after uploading through xCode I get email notification that I should add that permission that I just removed.
What is the correct way to do this, should I change other files in iOS?
On iOS they are not permission, they are usage descriptions.
Usage descriptions are an additional text explaining why your app needs a permission at the moment the app request it.
Since Capacitor ships all the core plugins and some of them request permissions, Apple code scanner detects the code and warns you to make sure you didn't forget about them. It's just a warning, you shouldn't worry, but also, there is no harm if you leave them there.
On Android on the other hand, you can remove the permissions you don't use.
When my Android app is installed on a device set to French, it request access to photos and contacts. The main app does not need or request these. Is there somewhere that I need to change a setting to not request for any language?
Manifest permissions:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
While releasing the apk to play store, I found out that the my app requires the android.hardware.telephony feature but I haven't added it in manifest anywhere. I have also check the merged manifest in android studio and it also does not contain this feature so I think no third party sdk is adding this. What could be the source of this feature?
For reference, I have following permissions declared in the manifest:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
Also, when I make it optional using below code, the app is available on devices without this feature:
<uses-feature
android:name="android.hardware.telephony"
android:required="false" />
So why is required by default without adding it anywhere?
Google Play automatically adds some features, depending on which permissions you have requested.
As you have requested READ_SMS and RECEIVE_SMS permissions, this implies you use the telephony feature. So, Google Play reacts as if you had the following in your AndroidManifest.xml:
<uses-feature
android:name="android.hardware.telephony"
android:required="true" />
When you manually add this and declare it required="false", this tells Google Play that whilst you do ask for the permission, you can handle the case where the user does not have the telephony feature.
This is confirmed via this note in the docs:
Note: Some system permissions implicitly require the availability of a device feature. For example, if your app requests permission to access to BLUETOOTH, this implicitly requires the FEATURE_BLUETOOTH device feature.
The full list of permissions and the feature requirements implied is available here, and includes your situation:
Finally, with your ACCESS_COARSE_LOCATION you are also declaring a feature requirement on android.hardware.location, just for your information.
There's also further detailed information over on the GameDev StackExchange.
One or more of the dependencies / modules / libraries your project is using is adding that requirement to your Android Manifest.
To investigate open your main Android Manifest file in Android Studio, and click on the Merged Manifest tab at the bottom of the page.
This will show you a view of the final merged Manifest, along with sources of each line.
Read more about this here: https://developer.android.com/studio/build/manifest-merge#inspect_the_merged_manifest_and_find_conflicts
HOW TO FIX
If you wish to avoid adding that requirement to your final Manifest, you can use Node Markers in your Manifest to control how the merge works.
Read more about Node markers here: https://developer.android.com/studio/build/manifest-merge#node_markers
e.g. try this:
<uses-feature
android:name="android.hardware.telephony"
android:required="false"
tools:node="replace" />
On the Google Play webpage for every application there is a permission section. Almost all of these applications uses some standard terminology to describe their permissions like "READ PHONE STATUS AND IDENTITY", "SEND SMS","FULL INTERNET ACCESS" etc. However on the Android Developer's page the permissions are listed as constants and their descriptions but not the standard terminology found at the Google Play webpage of the application.
For eg.There is a String Internet with the description Allows applications to open network sockets but not the FULL INTERNET ACCESS permission which is generally used for this description.
Is there some link which provides a mapping of the permission constants to these standard permission notation?
"READ PHONE STATUS AND IDENTITY" this is nothing but description about the permisson.U can get the Description about all permission using Packagemanger class in android.PermisionInfo is the class which will give u the Description-
PermissionInfo pinfo = packageManager.getPermissionInfo("Specify permisson constant", PackageManager.GET_META_DATA);
pinfo.loadLabel(packageManager).toString();
I guess you are looking for Manifest Permissions.
Which are defined in your project. Under AndroidManifest.xml
And a list if you need
Eg. for some common permissions
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />