I recently added firebase messaging to my android app and I noticed some new permissions required to my app at similar time, for example:
android.permission.READ_PHONE_STATE
I couldn't find anywhere in documentation, why is this permission required. I even tried to explicitly disable it in manifest (tools:node="remove") and messaging still works for me. It's kinda messy and I want to use only as few permissions as I need for sake of my users.
Is this permissions really needed by messaging or is it added automatically from one of library dependencies?
How can I tell what permissions is being added by what? I tried manifest-merger-report.txt, but there was no mention about READ_PHONE_STATE.
Thanks!
The READ_PHONE_STATE permission is not needed for Firebase Cloud Messaging to work (see the Edit your App Manifest docs).
From what I can tell, you've already done quite the digging with this tiopic (checking the manifest-merger-report.txt, adding tools:node="remove" to disable it). You've probably seen Commonsware's blog too.
It's hard to tell from where the READ_PHONE_STATE permission is coming from (with the current details your post), but it is most probably the cause of manifest merging. Try double checking if there are any dependencies that have the library's min SDK is lower than the app's min SDK, wherein if true, the permission is added, as per this answer:
The second one, READ_PHONE_STATE is because of the saxrssreader library. When the library's min SDK is lower than the app's min SDK, the permission is added during build. I simply changed the library's minimum SDK to the number my app is using and the permission is gone.
I had the same problem, i checked manifest-merger-report, and found that READ_PHONE_STATE was added because some library that I'm using has target version < 4
Here is exact quote from report:
ADDED from [com.google.firebase:firebase-messaging:10.2.0] C:\Users\user\project\app\build\intermediates\exploded-aar\com.google.firebase\firebase-messaging\10.2.0\AndroidManifest.xml:23:18-87 android:uses-permission#android.permission.READ_PHONE_STATE IMPLIED from C:\Users\user\project\app\src\main\AndroidManifest.xml:1:1-135:12 reason: org.apmem.tools.layouts has a targetSdkVersion < 4
Hope, this will help you.
Question is possibly duplicate of: Firebase + Permissions
Firebase did not add this permission. Update your Google Play services to 10.0.1 as this bug seems to have been fixed in that version:
"This release fixes a missing minSdkVersion value in
play-services-location.aar that caused unintended
WRITE_EXTERNAL_STORAGE, READ_EXTERNAL_STORAGE, and READ_PHONE_STATE
permissions to be merged into app manifests."
Ok this is embarrassing. I in the end, I was adding permissions myself in parent manifest. Thank you for your comments, based on those I managed to track it down.
Related
When Uploaded App in Google play getting privacy issue in pre-launch report, how to get resolve this issue.
this is as a result of automatic comparison with similar apps, if you are sure that you are using IAP correctly do not worry about it and continue and way.
Clean and Rebuild your project and Add this line in your Manifest
file.
<uses-permission
android:name="com.android.vending.BILLING"
tools:node="remove" />
Furthermore,
Delete and Clear all the Caches from the Users Profile folders located in your system .android and .gradle Located: C:\Users\DELL\.android
Update and Download the latest SDK from the SDK Manager and delete the older, unused ones.
Update Gradle Wrapper.
distributionUrl=https\://services.gradle.org/distributions/gradle-7.3-all.zip
I've fixed this by researching merged manifest, text file which located in app\build\intermediates\manifest_merge_blame_file\{flavorBuildType}\manifest-merger-blame-{flavor}-{buildType}-report.txt
In this file we can see all permissions which are available in our compiled build + library which is bring this permission to merged permission list.
You can easily find which library brings permission which invoke the warning from play market:
In my case it was unused library, so as a result I've just removed unused library.
Also anouther solution - check newest version of the library and try to update (and check permissions with new library), for example in oldest version of dji sdk there is a lot of system permissions, but in new version the list was cleanuped.
Also you can remove the permission from thrird party libraries like:
<uses-permission
android:name="com.android.vending.BILLING"
tools:node="remove" />
But in this case ^ some part of functionality can be restricted.
I recently get the warning to update the Android Target Version to 26 or more from the Google Play Console. However, I have already set the target SDK to 26.
I check the AndroidManifest file and the merged manifest for all the libraries I have included in the project.
There are few libraries which are under Manifest Sources and few are under the
Other manifest files(Included in merge, but did not contribute any elements) - what does this mean?
Can i update the manifest to target API 26 for this project only and upload the to see if it gets accepted or not.
Google needs to verify the App for SMS and Call Log permission but when i upload the app to the play store i get the warning - •
Your app needs to be using runtime permissions for us to complete the
review. Please update your app to target API level 26 or above and
resubmit the declaration form.
There are few libraries which are under Manifest Sources and few are
under the Other manifest files(Included in merge, but did not
contribute any elements) - what does this mean?
When you use other libraries their manifest files will merge with yours to form one Manifest that will ultimately be used.
Can i update the manifest to target API 26 for this project only and
upload the to see if it gets accepted or not.
It's better to set the minSdkVersion and targetSdkVersion in your build.gradle file not in the manifest because Gradle overrides the manifest values reference can be found here
Google needs to verify the App for SMS and Call Log permission but
when i upload the app to the play store i get the warning
When you target API 23 or above you need to write Runtime permissions or you will get a crash when you try to access them.
it's called WorkManager now; the Firebase Job-Dispatcher might not receive updates anymore.
implementation "android.arch.work:work-firebase:1.0.0-alpha11"
androidTestImplementation ("android.arch.work:work-testing:1.0.0-beta01") {
exclude group: "android.arch.work"
}
only the API level of the application package matters - and the run-time permissions need to function - except these critical permissions for SMS and Call Log, which are subject to review. recently had one install from US territory, which might have been such review, even if I only use SIP telephony. there might have been people sending premium SMS from apps, which quickly deduct prepaid credits - or providing robocall services with phone numbers to bother. also smartTAN depends on SMS. the attack vector is realistic, therefore these checks are in place for a reason.
While updating the apk file to google play store started getting this error Duplicate declarations of permission android.permission.INTERNET with different maxSdkVersions. Internet permission is only there in app manifest file and corresponding modules.
Also recently there is no SDK update as well, like play services or any third party.
The app does not define maxSdkVersions as well.
If any of you might have faced the similar issue please update.
This kind of problem occurs when you have declared a permission in your manifest that is also declared in one of the library that you are using. To rectify this issue you have to find that permission in all your libraries's manifests files. When you find it then remove one of them in your main Manifest like this:
can't upload apk: READ_EXTERNAL_STORAGE with different maxSdkVersions
Ok, so here that is worked for us:
<uses-permission-sdk-23 tools:node="removeAll"/>
Note you have to check that your app is not using sdk-23 specifically in your libraries.
I am currently trying to remove all unneeded permissions from my AndroidManifest, and my first thought was to remove all permissions to see if it would give me an error at build or at run time. When I removed all of them I didn't get failure at build or run time.
Looking a bit deeper I found the generated manifest generated at build at /app/build/intermediates/manifest/full/debug/AndroidManifest. The manifest surprisingly had almost all of the permissions that I had removed.
EDIT
I am trying to ask if it is an acceptable practice for me to leave permissions out of my AndroidManifest that I know will be merged from my gradle dependencies at build.
If manifest merging in gradle is enabled, then you will get all the activities, permissions, and other manifest tags from your dependencies (https://developer.android.com/tools/building/manifest-merge.html). You will need to add only the ones that your app explicitly requires. It is a good practice to add to the app manifest the permissions your app relies on, even if they are duplicated, since your app dependencies might remove those permissions on future versions.
I am trying to ask if it is an acceptable practice for me to leave permissions out of my AndroidManifest that I know will be merged from my gradle dependencies at build.
Technically it would work and there's nothing really bad with it now, but the same way you do not keep i.e. unused assets in your app res/drawables folders, your manifest should list only these permissions your code requires.
I pushed a beta version to Google Play that accidentally added more permissions compared to the version that's current in production.
Before pushing the final new version to production via a staged rollout, I removed those permissions, but despite that, users are still complaining about the new permissions when they received the update on the Play Store.
Why are the new permissions still visible? I removed the APK from the beta channel, neither of the production APKs (both the old one, and the new one in staged rollout) have the new permissions. I even see those new permissions in the Play Store listing.
By using a newer SDK but not changing the targetSdkVersion of all my imported modules, I automatically inherited some implicit permissions.
For one, there is one library with a targetSdkVersion of 3 - that will automatically add READ_PHONE_STATE, as already documented in this answer, and the official docs.
This can be easily seen by looking at the manifest merger log in build/output/logs/manifest-merger-release-report.txt:
android:uses-permission#android.permission.READ_PHONE_STATE
IMPLIED from AndroidManifest.xml:2:1 reason: com.foo.library has a targetSdkVersion < 4
The other problem was having READ_CONTACTS set, but at least one library used both minSdkVersion and targetSdkVersion < 15. That automatically added READ_CALL_LOG. See the documentation about this. Curiously enough I didn't see a mention of that in the merger log, but I may have missed it.
The final APK permissions can be checked with aapt:
aapt dump badging build\outputs\apk\foo-release.apk
That prints out the list of permissions.
Full credit to CommonsWare for leading me to this. Thanks Mark!