I just updated one app from Firebase 9.0.0 to Firebase 9.0.2.
I use messaging + ads.
compile 'com.google.firebase:firebase-messaging:9.0.2'
compile "com.google.firebase:firebase-ads:9.0.2"
Now a lot of unwanted permissions have cropped up:
android:name="android.permission.READ_PHONE_STATE"
android:name="android.permission.READ_EXTERNAL_STORAGE"
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
I didn't add those permissions anywhere, so they must be from Firebase.
I know my clients don't like these permissions, so I removed them with
<uses-permission
android:name="android.permission.READ_PHONE_STATE"
tools:node="remove" />
<uses-permission
android:name="android.permission.READ_EXTERNAL_STORAGE"
tools:node="remove" />
<uses-permission
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
tools:node="remove" />
My app still works, messaging and ads still work, still I'd like my suspicions confirmed.
Why does Firebase add those permissions and is it really ok to remove them like I did?
This issue was fixed in 12.0.1. Source https://developers.google.com/android/guides/releases
March 28, 2018 - Version 12.0.1
Issues fixed in 12.0.1:
Fixes issue that caused spurious Android lint errors claiming GoogleSignIn and CredentialsClient were internal-only.
Adds missing minSdkVersion in -license artifacts to prevent automatic inclusion of READ_PHONE_STATE and READ_EXTERNAL_STORAGE permissions.
Restores unique package names for runtime linked -license artifacts which affected some build systems' (e.g. Ionic Pro) compatibility issues.
Restores some fields names that were obfuscated in 12.0.1, namely the value() method of #PropertyName annotations in firebase-firestore and firebase-database.
android:name="android.permission.READ_PHONE_STATE"
android:name="android.permission.READ_EXTERNAL_STORAGE"
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
These permissions are different; they are not used in FCM.
The PHONE_STATE permission is for knowing the current state of the phone,
and READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE are for adding and deleting files in memory from your app. If you are not using any of these functionalities, you can remove them.
I am using the reactiveBLE library (which is by the way excellent, thank you for that).
However, with the newer version, it brings its own manifest file, so I don't have to add any permissions to mine. The manifest file of reactiveBLE and the one of my app are supposed to be merged together when building the app.
Because different rules are needed for different APIs, reactiveBLE adjusts its permissions accordingly. It seems that for Bluetooth, android.permission.ACCESS_FINE_LOCATION and android.permission.ACCESS_COARSE_LOCATION are only needed for APIs 23 - 30.
The code is then (for example):
<uses-permission-sdk-23
android:name="android.permission.ACCESS_FINE_LOCATION"
android:maxSdkVersion="30" />
However, as I also include other location services (which do need these permissions for other APIs as well), I would have to remove the android:maxSdkVersion="30" part. This is also recommended in the official documentation:
official documentation on how to remove maxSdkVersion
However, this is not possible, because the manifest file of reactiveBle is generated automatically each time I build something (and my changes are overwritten again).
The app is working fine, but I am getting errors in the Play Console when uploading the app to the Play Store.
Please advise how I can merge the manifest files properly, so I do not get an error when uploading to the Play Console.
Kind regards
René
This solution from reactiveBLE issues worked for me.
To prevent conflicts with your own permissions, in your AndroidManifest.xml file include:
<uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION" tools:node="remove"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission-sdk-23 android:name="android.permission.ACCESS_COARSE_LOCATION" tools:node="remove"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
You will also need to add xmlns:tools="http://schemas.android.com/tools" in the manifest tag at the top of the file.
I'm porting an old game from AdMob to the latest AdMob with Firebase. I was using a deprecated version of AdMob.
I want the smallest integration possible; I don't want Firebase analytics. I have a working integration (using an Android Studio project), but when uploading my apk to Google Play, I realized new permissions were automatically added:
android.permission.WAKE_LOCK
com.frozax.hashiextreme.permission.C2D_MESSAGE
com.google.android.c2dm.permission.RECEIVE
What is this C2D thing? I don't want and don't need it. com.frozax.hashiextreme is the package name of my app. It looks like it's added from firebase-iid, but I don't want it either.
Is there a way to ignore these? I try to have as few permissions as possible.
In my dependencies, I only have
compile 'com.google.firebase:firebase-ads:9.0.0'
I tried to remove
classpath 'com.google.gms:google-services:3.0.0'
But it's not working and I still have these permissions.
Thanks
I have the same issue.
As described in this Reddit post you can add some lines to your manifest to avoid that:
<uses-permission android:name="android.permission.WAKE_LOCK" tools:node="remove" />
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" tools:node="remove" />
<uses-permission android:name="your.app.package.permission.C2D_MESSAGE" tools:node="remove" />
But I definitively do not know if there will be an impact on Firebase integration.
I have the below permissions defined in the manifest, but I still see Android saying the app needs permission to write to external storage, even though I don't want to access external storage.
Could it be because of Google Play services?
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
Please try this for the Google Play services error:
<uses-permission
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
android:maxSdkVersion="Version code" />
Metadata used end of application.
It's almost a year since post publication but maybe this'll help someone.
If you are using play-services version < 8.3 then play-services-maps uses this permission.
If you are not using play-services-maps then probably you are using play-services-fitness which takes maps as transitive dependency.
If you are using neither of them, then you probably have another transitive dependency which needs this permission.
TIP to check transitive dependencies
Add these permissions
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
This might be because of the two reasons below.
If you're targeting version 8.3 or later of the Google Play services SDK, you no longer need the WRITE_EXTERNAL_STORAGE permission to use the Google Maps Android API.
If you're targeting earlier versions of the Google Play services SDK, you must request the android.permission.WRITE_EXTERNAL_STORAGE permission.
Check this link.
There was a bug in Google Play services that caused unintended WRITE_EXTERNAL_STORAGE, READ_EXTERNAL_STORAGE, and READ_PHONE_STATE permissions to be merged into app manifests. That is solved in the Google Play services 10.0 release. Check this.
To avoid this I recommend to include necessary individual Play service APIs and corresponding build.gradle descriptions. Check this.
Hope this will help you and future user also.
This is missing:
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
I've just noticed that my app has new permission requests that I have not explicitly declared in my AndroidManifest.xml. I didn't see these declared in any of the manifests in the "intermediates" directory created by gradle, and the only dependency that I declare without an explicit version is crashlytics (as they suggest to do), i.e.:
compile 'com.crashlytics.android:crashlytics:1.+'
The new permissions found in the full manifest are:
<android:uses-permission
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
android:maxSdkVersion="18" />
<android:uses-permission android:name="android.permission.READ_PHONE_STATE" />
<android:uses-permission
android:name="android.permission.READ_EXTERNAL_STORAGE"
android:maxSdkVersion="18" />
So my guess is that whatever new version of Crashlytics is now requesting this?
If you're using Gradle to build, you can add the following to your AndroidManifest.xml to remove the permission:
<uses-permission android:name="android.permission.READ_PHONE_STATE" tools:node="remove" />
There is an issue within the Android Gradle plugin version 1.0.0-rc1 that may be causing the behavior to happen: https://code.google.com/p/android/issues/detail?id=81017
Version 1.0.0 has a fix for this.
Crashlytics only requires the INTERNET permission to send crash reports.
Testing my Android app (made in Unity) on the live store shows that it requests "Device ID & call information". As far as I can tell, I don't request these permissions. Here are the permissions I request in my AndroidManifest.xml file. Is this a permission required for all apps? Or is it hidden under one of these other permissions?
<uses-permission android:name="com.android.vending.BILLING" />
<uses-sdk android:minSdkVersion="9" android:targetSdkVersion="19" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
Thanks!
I just spent an absurd amount of time trying to resolve this so figured I would share with anyone out there going through a similar agony.
Removing the permissions from your manifest will not necessarily remove them from the final build. Unity auto-detects required permissions from all included libraries. The libraries which are most likely causing you to have this permission included are from the Facebook sdk.
If you want to keep the Facebook sdk in the build, there's a relatively straightforward solution. Remove the Facebook SDK (completely) and install a version <= 7.80. For whatever reason, the changes to the sdk in 7.9+ prompt Unity to auto-include the READ_PHONE_STATE permission which triggers the Device ID & Call Information permission warning in google play.
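An added example (not from any of the posts above, and not Firebase, Play services or reactiveBLE code): a small Python audit that compares an app's own AndroidManifest.xml with the merged manifest the build produces. It lists permissions that only appear after merging, and merged entries whose maxSdkVersion conflicts with an uncapped declaration in the app. The sample manifests, the package name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
TOOLS = "{http://schemas.android.com/tools}"
TAGS = ("uses-permission", "uses-permission-sdk-23")

def permissions(manifest_xml):
    # (tag, name, maxSdkVersion) for each permission a manifest requests.
    # tools:node="remove" entries are merge instructions, not requests: skip them.
    entries = []
    for node in ET.fromstring(manifest_xml).iter():
        if node.tag in TAGS and node.get(TOOLS + "node") != "remove":
            entries.append((node.tag, node.get(ANDROID + "name"),
                            node.get(ANDROID + "maxSdkVersion")))
    return entries

def audit(app_xml, merged_xml):
    # added: permission names present only in the merged manifest.
    # capped: merged entries with maxSdkVersion for a name the app declares uncapped.
    own = permissions(app_xml)
    merged = permissions(merged_xml)
    uncapped = {name for _, name, cap in own if cap is None}
    added = sorted({n for _, n, _ in merged} - {n for _, n, _ in own})
    capped = sorted((tag, name, cap) for tag, name, cap in merged
                    if cap is not None and name in uncapped)
    return added, capped

# Constructed sample manifests (not taken from any real build).
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'xmlns:tools="http://schemas.android.com/tools" package="com.example.app">')
APP = HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE" tools:node="remove"/>
</manifest>"""
MERGED = HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION" android:maxSdkVersion="30"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="18"/>
</manifest>"""

if __name__ == "__main__":
    added, capped = audit(APP, MERGED)
    print("added by dependencies:", added)
    print("conflicting maxSdkVersion:", capped)
```

Run it against the real pair of files in CI and fail the build when `added` is non-empty, so a dependency update cannot introduce a permission unnoticed.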