There is an app called bodyweight fitness on the play store without any permissions. It is available on git hub as well:
https://github.com/mazurio/bodyweight-fitness-android
I used the files from git hub and compiled the apk myself with Android Studio (without changing the files). When I try to install the self compiled app apk, it tells me that it will use the INTERNET though the play store app did not. There is no reason why this app should need any internet connection. Thus I removed this line from the AndroidManifest.xml
<uses-permission android:name="android.permission.INTERNET" />
After compiling and installing the app, it still tells me that it will use INTERNET. Does someone know why and how I can remove this permission?
PS: I asked the developer as well, but I got no response yet.
update:
You are right, it is added from another part aswell: crashlytics.
And you are right aswell about the hidden permission. It is shown in
the app details when the app is installed and it is shown in the play
store when you click on the "permissions" button.
Each android lib contains manifest file with package, permissions, acitivities etc so your app will show all permissions from dependencies. You may check final manifest creation log at {projectDir}/{moduleDir}/build/outputs/logs/manifest-merger-*-report.txt
This log will contain something like that
uses-permission#android.permission.INTERNET
ADDED from {myModulePath}/app/src/main/AndroidManifest.xml:6:5-67
MERGED from [net.hockeyapp.android:HockeySDK:4.1.1] /Users/devindi/.android/build-cache/ce70c6f87efc05633a59a88fccdb712db509e22d/output/AndroidManifest.xml:12:5-67
MERGED from [com.crashlytics.sdk.android:crashlytics:2.6.8] /Users/devindi/.android/build-cache/424d420499b90aec0a26ab1b5f575e318d0342b9/output/AndroidManifest.xml:9:5-67
MERGED from [com.crashlytics.sdk.android:beta:1.2.5] /Users/devindi/.android/build-cache/be2498e53f6aa976b3927954da943b23f0a800f6/output/AndroidManifest.xml:9:5-67
MERGED from [com.crashlytics.sdk.android:crashlytics-core:2.3.17] /Users/devindi/.android/build-cache/e5b1b150113ac2f0789b76a886f379cdafa8af2b/output/AndroidManifest.xml:52:5-67
MERGED from [com.crashlytics.sdk.android:answers:1.3.13] /Users/devindi/.android/build-cache/c86f3a3daec296cb6a32deb0b3d0c3f1370a024f/output/AndroidManifest.xml:9:5-67
MERGED from [io.fabric.sdk.android:fabric:1.3.17] /Users/devindi/.android/build-cache/0a51b13dbc46dc870c598edab9d128bf8f26a8d4/output/AndroidManifest.xml:29:5-67
As you see I requested network permission at my manifest and hockeyapp, crashlytics, fabric libs requested same permission also. https://developer.android.com/studio/build/manifest-merge.html
To force permission remove just add tools:node=”remove” to your permission declaration like that:
<uses-permission android:name=”android.permission.INTERNET” tools:node=”remove” />
This is because the INTERNET permission is a "harmless" permission. This means that you don't have to ask the user for permission, and that it will not show in the Google Play Store
Since Android 5.0, permissions have a "protection level". Some are dangerous, and some are normal. Normal means that you as an app developer do not have to ask the user for permission, and that it will not show in Google Play. Dangerous means that Google Play displays it and that you have to ask the User for permission.
Source and further reading: Android Developers
There is a difference between apps installed during development via your Android Studio, apps installed from an APK and apps installed from Google Play Store. Some permissions are granted automatically in the latter case, like for example the Internet or drawing on top of other apps. You need to take this into account while planning your deployment strategy.
Related
Google Play again rejected my app because I'm apparently using REQUEST_INSTALL_PACKAGES permission in my app. I never had this permission ever, I never had this issue before.
I checked merged manifest to find that kind of permission. There is none.
I've added
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove"/>
tag into my AndroidManifest.xml to be certain that my App is not using this kind of permission EVER. Even Merged Manifest is not containing that permission and at the bottom of the Merged Manifest there is Android Studio warning that I'm removing something that is not even present in my app:
Warning uses-permission#android.permission.REQUEST_INSTALL_PACKAGES was tagged at AndroidManifest.xml:25 to remove other declarations but no other declaration present MyApp.app main manifest (this file), line 24
So either I'm missing something or their app validation is broken and Google is false-flagging my app validation for some unknown reason.
There has to be some serious issues with their validation methods past 2 weeks because amount of issues I've got with my app is unacceptable. App has same permissions and using same libraries and their version for past 2 years and I never had any issues like this before.
And I'm not sure what else I can do to get my app validated and accepted again.
If you have previous builds with REQUEST_INSTALL_PACKAGES permission in the Open, Closed, or Internal testing you need to upload a new build without REQUEST_INSTALL_PACKAGES permission to Internal testing and then promote it to production.
If this solution does not work for you check the permissions used in your app at Google Play console. If REQUEST_INSTALL_PACKAGES is not shown there you must contact them and explain your problem and request again.
Google Play Support keeps Rejecting the last deployment of my App.
Below I'm quoting the reason for the reject:
Issue found: Permission use is not directly related to your app's core
purpose. We found that your app is not compliant with how
REQUEST_INSTALL_PACKAGES permission is allowed to be used.
Specifically, the use of the permission is not directly related to the
core purpose of the app.
Additionally, follow these steps to bring your app into compliance:
Please remove the use of REQUEST_INSTALL_PACKAGES permission from your
app.
After removing an unused package that was using the REQUEST_INSTALL_PACKAGES permission, I tried to re-deploy but I've kept getting the app rejected.
I can confirm that the current list of used permissions does NOT include the REQUEST_INSTALL_PACKAGES.
On play.google.com, I checked the permission lists of the last uploaded versions (see attached screenshot).
I also unpacked the lastly uploaded SDK file (using apktool), and searched "REQUEST_INSTALL_PACKAGES" in the extracted folder; of course, no results were found.
Has anyone any suggestion on how to solve this issue?
The same issue occurred with me. My app's previous versions included this permission but in the latest update, I removed them but still received rejection message via mail. Then I found that in the other track (internal testing track), I had an apk with REQUEST_INSTALL_PACKAGES permission. This was the main cause of rejection of my app update. I observed that the form 'App bundles and APKs using sensitive permissions' was showing the internal track's apk information regarding the use of REQUEST_INSTALL_PACKAGES.
So, I tried to deactivate my previous internal track's apk with the new version (that didn't include any REQUEST_INSTALL_PACKAGE permission). Now when I open my form page 'App bundles and APKs using sensitive permissions' again.
Now, it showed that no app bundle or apk uses this sensitive permission.
Hope that it could solve this issue. I am too waiting for my update to be approved.
First step, Check in your manifest merger file if the specified
sensitive permission is shown. Check in release variant. (Most likely
not, if yes, remove this permission)
Second step, In playstore, Go to app bundles explorer and check if
any of the older app bundles have this permission and is still
active. If yes. you have to provide an update to this track. It is
unfortunate that Google play review email does not mention that issue can
be in an older app bundles or other tracks
Provide an update to playstore.
Note, If you want to forcefully remove this permission (if you do not care
which library is adding it)
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove"/>
If none of the above works. You have to write them an email and clarify.
i got the following notification when i upload Flutter my app to Google console.
We found that your manifest file contains the REQUEST_INSTALL_PACKAGES permission.
Starting September 29, 2022, apps that use this permission will not be able to submit >updates for review until they have completed a new sensitive permission declaration.
This declaration will be available in Play Console on August 31, 2022. You'll need to >declare which permitted functionality your app provides, tell us about a core feature in >your app that uses the permission, and provide a video showing its use.
You must remove this sensitive permission from your manifest if your app does not use >the permitted functionalities, or if you no longer use this permission. To learn more, >watch this PolicyBytes video.
Permission description
https://support.google.com/googleplay/android-developer/answer/12085295?hl=en
I checked the Mainefest. The permission is not declared there! How can i delete it!? It does not exist.
If you are using android studio try command + shift + f and type REQUEST_INSTALL_PACKAGES. Select project from the top section. It will display all codes that use this key. Remove the package if its not being used.
Hello Shareef Dweikat,
It seems like you are using a 3rd library that's using this permission
It could be a Huawei SDK
Please double check inside the following path:
app/build/intermediates/merged_manifests
My old version of my app contained QUERY_ALL_PACKAGES permission but after the Google email sent to me saying that I can't use this permission in my app so I deleted it and I check if my apps still have the permission or not and I'm sure that my app does not have the permission and Google still accepting my app with QUERY_ALL_PACKAGES permission issue saying that I must not use the permission that I already deleted.
you can check if I missed anything from screenshots in the bottom
release details from google play console
and
permission from a device after installing the app
I also tried to add the following line to my AndroidManifest.xml file
<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" tools:node="remove" tools:ignore="QueryAllPackagesPermission" />
As we discussed in the comments, you need to also check your "Internal Testing", "Closed Testing", and "Open Testing" release tracks. If these tracks still contain versions of the app that use this permission, you'll need to create new releases to supersede those versions.
Also, understand that you might still get a rejection email even after you've updated all release tracks. This is because the automated review might finish for one track before the others. So the review fails because it's not yet considering the new versions on your other release tracks.
I've just created a very simple Android application that captures an Intent, manipulates it a bit, and sends out a new Intent. I transferred the app to my phone with adb install, and now looking at the app's requested permissions, I'm seeing that it requires permissions I never asked for:
read phone status and identity
modify or delete the contents of your USB storage
test access to protected storage
There's nothing in my manifest file requesting permissions, and the app itself is dead simple (here's the source on GitHub). Are these extra permissions added because I installed it with adb install, perhaps? Or is there something in my app that merits requiring these permissions that I'm just not seeing?
You are missing a <uses-sdk> element with android:minSdkVersion. These permissions were added to Android after its initial release, and apps supporting very old Android devices have these permissions "grandfathered in".
You really should add <uses-sdk> and add android:minSdkVersion, saying how old of an Android device (from an API level standpoint) you are willing to support.