I know(am I wrong?) that an Android app may request more permissions than specified in manifest file.
E.g. compiling with google play services, or some other third party libraries include permissions I am not aware of.
Is there a way to list all required permissions after building APK file?
I want to know of all requested permissions before publishing the app.
an Android app may request more permissions than specified in manifest file
on the manifest that the developer wrote him/herself yes, but on the manifest actually inside the .apk all the permissions are there
on android studio you can go to the manifest file and on the bottom left there's a little tab that says "merged manifest" that shows what your manifest will be on the final .apk.
Related
I am using open_filex package especially to avoid this problem. I am confused because the permission is nowhere to be found in my particular Android manifests and manifest merge file.
I have tried to manually remove permission by tool:remove
tried open_file_safe library as well. Just stopped passing reviews for some reason, maybe something is connected to newer Android version (13).
Add the following line to your AndroidManifest in order to explicity remove the REQUEST_INSTALL_PACKAGES permission
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove"/>
and on your manifest tag add
xmlns:tools="http://schemas.android.com/tools"
so that it looks something like this:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="*" xmlns:tools="http://schemas.android.com/tools">
Then build your apk or aab and then upload it Google Play Store and then submit the build for release to ALL the tracks; Internal testing, Closed testing(Alpha & Track), Open testing and Production regardless of whether the track is active or not. This is a very important step. Your build will not be rejected.
I'm encountering very strange problem. When I build apk or bundle dangerous permissions like write external storage is being added to manifest. I found out it when wanted to publish on play store, it gave me that warning. After extracting bundle I looked at manifest file and there were bunch of permissions which I don't use in my app.
Have anyone had this issue ever?
Thanks for everyone who directed me to the right place. So, the reason is because some of 3rd party libs used that permissions. There will be two options in this case:
Remove 3rd party lib which is using dangerous permission
In AndroidManifest.xml file add the following:
<uses-permission
android:name="android.permission.SomePermission"
tools:node="remove" />
During build process this will remove permission from final bundle or apk.
I added some libraries to an Android app and after upload to the Google Play Store I got this warning:
The main manifest file does not declare this permission, so I assume it comes from a library.
I then check out the source code of the previous version, which did not use this permission.
Looking at the merged manifest file in Android Studio, I still see the permission:
When I click on "Go to declaration" for this permission, it takes me to the main manifest file, which does not declare this permission.
I tried to clean and rebuild the project and restart Android Studio but the permission still shows in the merged manifest tab in Android Studio. It shows in the debug and release build variant.
Why is that?
After building your app you should be able to find a manifest merger report under app/build/outputs/logs. Among other things, this file lists the origin of every permission that has been added to the merged manifest.
I am trying to upload a apk to the google play store but its saying to my surprise that i am using the following permission:
Your APK is using permissions that require a privacy policy: (android.permission.RECORD_AUDIO).
so i searched the entire IDE for "android.permission.RECORD_AUDIO" but i cant find it. How can i find out which 3rd party is requesting this ? There should be a way to view in the manifest merger process all the manifest but when i hit shift twice and search manifest only the local manifest are showing up. The other is bit code and i cant view it.
In project build directory, there is a manifest merger report.
In my case, it is located under [ProjectRoot]/app/build/outputs/logs/manifest-merger-debug-report.txt
From this file, your can find where the permission is added. For example:
uses-permission#android.permission.RECORD_AUDIO
ADDED from /home/jack/AndroidProject/ApiDemos/app/src/main/AndroidManifest.xml:45:5-71
android:name
ADDED from /home/jack/AndroidProject/ApiDemos/app/src/main/AndroidManifest.xml:45:22-68
uses-permission#android.permission.CAMERA
ADDED from /home/jack/AndroidProject/ApiDemos/app/src/main/AndroidManifest.xml:49:5-65
android:name
ADDED from /home/jack/AndroidProject/ApiDemos/app/src/main/AndroidManifest.xml:49:22-62
You can use Merged Manifest[About] feature
Open AndroidManifest.xml -> Merged Manifest
If the library is open source you can check their source code for the permissions they have used.
They usually list the permission on their Read.me files.
Even if they are proprietary libs they will list the permissions they will be using otherwise their security is questionable.
Guess I have redundant permissions for my app in Apps → App info → Permissions: Phone and Storage. Indeed, previously in the Manifest were declared following permissions: WRITE_EXTERNAL_STORAGE and READ_PHONE_STATE. But when I have removed this permissions I still can see according options in App info page, even after reinstall of the app. So how can I remove this options?
This may occur because of Module project that you may be using in your project, i have experienced same problem by removing permissions from other module project