Note: This question is specific to Unity3D
I have a very clean android manifest file in Unity project under Plugins/Android/ folder with no <uses-permissions/> tag at all. I believe that some permissions in final APK comes from Android Player Settings for-example READ_EXTERNAL_STORAGE. In my Gear VR project I see following lines added in final manifest which can be accessed in Temp/StagingArea/:
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-feature android:name="android.hardware.microphone" android:required="false" />
Now this is definitely coming from one of the plugins that I have in my project (I have many plugins).
My app is getting rejected from Oculus saying
Your app is asking for excessive user permissions for using user
permissions inappropriately.
I found a workaround here, but I dont want to do such a thing as this may result in app rejection once again.
So
Is there a way I can find out that where this permission is coming from?
How to find out if there is some code in my scripts which causes unity to include this permission?
Thanks
Easy Way
I think this easier approach applies if your Unity project is being built with gradle. If it isn't, here is one more reason to upgrade.
Also, a big shout-out to an article called, Hey, Where Did These Permissions Come From?)
Build Your Project
Open the file /path/to/my/project/Temp/gradleOut/build/outputs/logs/manifest-merger-release-report.txt
Profit!
Search the file for the name of your permission, and it'll show you where it came from.
Here is part of the file, where I'm looking for the WRITE_EXTERNAL_STORAGE permission.
uses-permission#android.permission.WRITE_EXTERNAL_STORAGE
ADDED from /Users/clinton/Projects/<<ProjectName>>/Temp/gradleOut/src/main/AndroidManifest.xml:7:3-79
MERGED from [gradleOut:IronSource:unspecified] /Users/clinton/Projects/<<ProjectName>>/Temp/gradleOut/IronSource/build/intermediates/bundles/default/AndroidManifest.xml:13:5-81
android:name
ADDED from /Users/clinton/Projects/<<ProjectName>>/Temp/gradleOut/src/main/AndroidManifest.xml:7:20-76
Hard Way
There are three ways permissions get added to your project.
They are specified in an Android Manifest file.
They are specified in library (a .aar file).
Unity adds the permission when you use a certain feature. (Added)
My examples use command-line tools on a Mac. I don't know Windows equivalents, but it is possible to find and run unix tools there (using the linux subsystem for windows 10, cygwin, custom binaries, etc.)
1. Find all permissions used in (uncompressed) Android Manifests.
cd /path/to/my/project/Assets
grep -r "uses-permission" --include "AndroidManifest.xml" .
This will find all files named AndroidManifest in the current folder (.) or any of its subfolders (-r tells it to search recursively) and spit out any line with the words 'uses-permission'.
In my current project, I get output something like this:
./Plugins/Android/AndroidManifest.xml: <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
./Plugins/Android/AndroidManifest.xml: <uses-permission android:name="android.permission.INTERNET" />
./Plugins/Android/AndroidManifest.xml: <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
./Plugins/Android/AndroidManifest.xml: <uses-permission
./Plugins/Android/IronSource/AndroidManifest.xml: <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
./Plugins/Android/IronSource/AndroidManifest.xml: <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
2. Find the permissions required in Android Libraries
Your project likely contains android libraries (.aar files) and java archives (.jar files). Some android libraries contain an android manifest and specify permissions needed to use the library. (I don't think .jar files actually do this, but .aar files absolutely do). Both .aar and .jar files are .zip files, with a different extension and with specific metadata in specific places.
Find them by running:
find . -iname "*.?ar" -print -exec zipgrep "uses-permission" "{}" "AndroidManifest.xml" ";" 2> /dev/null
Here's what this does.
It finds any file (in the current folder (.) and its subfolders) has an extension of (something) a r, thus .jar, or .aar (-name "*.?ar").
It outputs the archive's file name (-print).
It then runs zipgrep (-exec).
Zipgrep is told to search through any files in the archive ({}) named "AndroidManifest.xml", and output any line with the words "uses-permission".
We then pipe the errors to the bit bucket (2> /dev/null) so we don't see lots of errors about archives that don't have android manifests in them.
An example output looks like this:
./OneSignal/Platforms/Android/onesignal-unity.aar
AndroidManifest.xml: <uses-permission android:name="android.permission.INTERNET" />
AndroidManifest.xml: <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
AndroidManifest.xml: <uses-permission android:name="android.permission.WAKE_LOCK" />
AndroidManifest.xml: <uses-permission android:name="android.permission.VIBRATE" />
...
./Plugins/Android/android.arch.core.common-1.1.0.jar
./Plugins/Android/android.arch.core.runtime-1.1.0.aar
./Plugins/Android/android.arch.lifecycle.common-1.1.0.jar
...
./Plugins/Android/com.google.android.gms.play-services-gcm-11.8.0.aar
AndroidManifest.xml: <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
AndroidManifest.xml: <uses-permission android:name="android.permission.INTERNET" />
./Plugins/Android/com.google.android.gms.play-services-gcm-license-11.8.0.aar
./Plugins/Android/com.google.android.gms.play-services-iid-11.8.0.aar
AndroidManifest.xml: <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
AndroidManifest.xml: <uses-permission android:name="android.permission.INTERNET" />
./Plugins/Android/com.google.android.gms.play-services-iid-license-11.8.0.aar
...
The filenames all start with periods. I can thus see, for example, that the onesignal-unity.aar sets several permissions, several .jar files were searched with no permissions inside them, and some of the play services libraries specify permissions.
If I needed to change a library, I could rename the .aar to .zip, extract it, edit it, compress it, and rename it back. (It isn't necessarily wise to change the permissions inside a library, but possible.)
3. Unity Adds the Permission
I didn't have anything to add on this; as said above, if you use the Microphone API, Unity will add a permission for you so your app will work.
However, I've since realized that you can do the following:
bring up the Build Settings for Android
tick the 'Export Project' box
Export the project, noting the location
go to /my/project/export/src/main/AndroidManifest.xml. This is what Unity emits for the android manifest (before google's tools do all the merging).
compare it (using your favourite diff tool) to Assets/plugins/Android/AndroidManifest.xml; the differences come from Unity.
Unity will add permissions for you on the fly during build time as mentioned by eriQue of Unity Technologies this is to prevent malfunction of code, and unexpected behaviours.
You could use a tool such as this Apk-decompiler to take a look at your new manifest, and which permissions this uses. Based on that you may look for certain functions that could trigger these permissions.
Certain functions such as isGeniune will require several permissions as it will use verification against an external server.
Alternatively you can also replace your manifest in the decompiled APK, manually change out the manifest with the one intended, and resign it. This is some more grunt work, but if proper error logging is in place it might speed up the process of tracking down the problematic functions.
Update
As I mentioned in the comments below as well. There is no real way to pinpoint functions. But a quick check list can not hurt, but will require some work
Are you using any external services?
A lot of external services, think of google, twitter, facebook api's and tools require additional permissions. Usually these are storage/network related, but depending on the goals of the tool / api, it could be many more.
Try building your APK with and without the tools/apis to see if there are any differences.
Are you using unity ads?
Unity ads makes use of 3 permissions by itself, and older versions might still even make use of 5. If you are using their ads, then you will have to take these for granted.
Did you disable unity statistics?
Ever looked at those fancy stats Unity seems to be able to provide? Well, unless you disabled this, you are most likely participating in this as well.
These stats require several permissions, as the phone will be analysed on a hardware level as well as seen in the provided stats.
Are you really using all your api/tool/assets requirements?
You might have included some api's, tools or just about any dll from an external party that may or may not include code that requires dependencies. Just as often those are not 100% sanitized, and might include permission requirements not relevant to their functionality, or to the functionality that you require.
Say, some ad service might want to access a users microphone. But as you are not using their "OMG vocal response analyses" functions, this permission is not required for you.
These permissions can either be removed manually, as I earlier described in my answer. Or through some form of automation such as the post build marked editor script.
QUESTION SPECIFIC:
RECORD_AUDIO permission makes its way into android manifest file if there is a call to Microphone library in any of script in project. It doesn't matter if the script exists in scene or not. In this specific case, if Oculus Platform SDK is imported in project (which is a store requirement) there are few scripts which uses Microphone library. So if you don't use any audio recording feature e.g voice input, just remove the following files under OculusPlatform/Scripts: MicrophoneInput.cs, IMicrophone.cs, MicrophoneInputNative.cs
#mx-d is right. I just want to add another way of fixing this: in build settings you can tick the Google Android Project which will generate an Android Studio project. From there you can use Android Studio's manifest merger tool to override the permissions.
Question #1: the only way to find which library is throwing in the extra permission is to remove libraries one by one, building the project and checking the .apk manifest. Unfortunately unity is not as flexible as Android Studio production-wise.
Question #2: You can not add permissions in Unity through code (unless it's a custom editor script specifically designed for stitching up manifest files)
I found with Unity 2021 the path is now:
/Library/Bee/Android/Prj/IL2CPP/Gradle/launcher/build/outputs/logs/manifest-merger-release-report.txt
Related
When a cross platform nuget package is used in a Xamarin project, it may add some permissions to the Android Manifest at build time (i.e. you do not have to change the Manifest.xml in your Android project). This is often useful. When the package is well designed, it only adds permissions which are needed for it to work properly.
But sometimes it adds to much permissions. It even might add permissions you have to explain the usage to pass the review. Is it possible to prevent these permissions are added by the package? Or to remove it in a post processing?
(of course, in case of open source projects it is possible to remove the nuget and replace it by the source code and manipulate it. but this is not a very comfortable solution)
It is possible to mark an XML Node as "to be removed" by adding the attribute tools:node="remove" in your apps Manifest.xml file of the Android project.
Example:
Let's say the nuget library adds the "android.permission.ACCESS_BACKGROUND_LOCATION".
<manifest ... xmlns:tools="http://schemas.android.com/tools">
...
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" tools:node="remove" />
....
</manifest>
Credits goes to houman.sanati
When Uploaded App in Google play getting privacy issue in pre-launch report, how to get resolve this issue.
this is as a result of automatic comparison with similar apps, if you are sure that you are using IAP correctly do not worry about it and continue and way.
Clean and Rebuild your project and Add this line in your Manifest
file.
<uses-permission
android:name="com.android.vending.BILLING"
tools:node="remove" />
Furthermore,
Delete and Clear all the Caches from the Users Profile folders located in your system .android and .gradle Located: C:\Users\DELL\.android
Update and Download the latest SDK from the SDK Manager and delete the older, unused ones.
Update Gradle Wrapper.
distributionUrl=https\://services.gradle.org/distributions/gradle-7.3-all.zip
I've fixed this by researching merged manifest, text file which located in app\build\intermediates\manifest_merge_blame_file\{flavorBuildType}\manifest-merger-blame-{flavor}-{buildType}-report.txt
In this file we can see all permissions which are available in our compiled build + library which is bring this permission to merged permission list.
You can easily find which library brings permission which invoke the warning from play market:
In my case it was unused library, so as a result I've just removed unused library.
Also anouther solution - check newest version of the library and try to update (and check permissions with new library), for example in oldest version of dji sdk there is a lot of system permissions, but in new version the list was cleanuped.
Also you can remove the permission from thrird party libraries like:
<uses-permission
android:name="com.android.vending.BILLING"
tools:node="remove" />
But in this case ^ some part of functionality can be restricted.
Sorry for the length of this. Please read on.
How can I configure phonegap's project files so that either phonegap platform add or phonegap build generate APK (or intermediate files that are used to generate APK) without any permissions, while not touching any of the /platform/android/ files manually?
Below describes what I tried.
I'm using the latest Phonegap and I'm trying to use CLI (so, not Adobe's build service). I went through everything that I could find online (documentation, forums, here) trying to find at least some hints on how to control the build process, preferably via config (specifically for Android), so that files in /platforms/android/ (e.g. AndroidManifest.xml) get assembled the way that I want.
For example, even with all plugins removed (phonegap plugin remove [plugin name] + manually removed <plugin element from /config.xml, resulting in nothing but an empty json object in /plugins/fetch.json), I can't get AndroidManifest.xml to get created without these 3:
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
I'd really not like to get into the discussion of why I'm trying to remove all permissions without manually changing /platform/android/AndroidManifest.xml. I previously used Visual Studio Cordova project template, and I was able to make this work (it's got a different file merge/replacement system, equivalent of which I'm trying to discover on Phonegap side). Both Phonegap and Cordova documentation in general are very selfish/basic, IMO (but, that's another topic).
Of course, I've been removing/re-adding android-platform via phonegap platform remove/add android + phonegap build android each time after config change attempts (which I tried within /config.xml; I also tried to find a spot in the folder tree to place AndroidManifest.xml that would replace the one in /platform/android), but nothing worked. I've been verifying success/failure of my mission via aapt d permissions "platforms\android\build\outputs\apk\android-debug.apk", and by manually checking generated /platforms/android/AndroidManifest.xml, and - no kidding - by release-bulding + signing + uploading to my Google account for their report of my APK (by that was before I discovered aapt.exe).
If anyone can share some links, samples, book titles, or similar - I'd be grateful.
Thank you.
Add:
xmlns:android="http://schemas.android.com/apk/res/android"
to widget declaration in config.xml.
Then add the following:
<platform name="android">
<config-file target="AndroidManifest.xml" parent="/manifest">
<uses-permission android:name="android.permission.RECORD_AUDIO" />
</config-file>
</platform>
Hope it helps!
Hi I'm finding lots of posts about people having to many permissions for their android platform when they use cordova.
I'm missing the INTERNET permission. I can add this manually, but I don't want to do this every single time someone wants to compile an app (The platforms dir is on .gitignore and should not be versioned, so whenever someone takes over the project or w/e it should generate fine).
Currently the manifest adds 2 permissions:
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
It should however also add INTERNET, which works fine when I add it manually.
I tried adding
in my config.xml, also
But no cigar, I removed the android platform also to see if it was just not being built.
Recently tried using Phonegap Build, causes the same issue, also for Windows Phone. So currently I can only do iOS properly.
It magically started working, I have no clue why it didn't get added before. I did not even update the platforms or w/e.
I am having an issue in publishing my app in Google play when I include some plugins like cordova-plugin-geolocation in my app, as it adds the following 2 permissions in my manifest file
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
this causes an issue that some of the phones are not able to view the app in the google play as they tell me that android.hardware.location.network access is not compatible on those devices.
when I researched a bit more, I can see that this can be avoided by converting uses-permission to uses-feature and setting the android:required="false" then I can handle it in my code as this is not a must have feature for me.
My issue is I am unable to find how to change this in my visual studio project. can someone please help me understand whats the way to fix this?
Regards
Kiran
There is no way within VS to add contents to your Android projects manifest file. You will have to hand edit those, but beware that these changes would be over-written every time you build your project through VS. There are couple of ways you can workaround this -
You can add post_build Cordova hook that would update the Manifest file.
You can add a gulp task and hook this to MSBuild post_build event through VS.
SOak
(PM - Microsoft)