this isn't really a big problem. I've got an Android App that stores user's passwords on a SQLite Database. So last week I launched an update that allows the user to export those passwords to their Google Drive. To do this, I've used the Google Drive Android API. I didn't add any special permission to the Application Manifest (AndroidManifest.xml) and it works fine (tested on KitKat4.4). But one of my friends told me that it might not work on Android 6.0+, because I should always ask for permissions. But I checked some samples and none of them had those permissions on the Manifest. Do you guys think it's necessary to add permissions? Perhaps INTERNET or GET_ACCOUNTS?
If you are using the Google Drive Android API you don't need INTERNET or GET_ACCOUNTS permissions.
The API automatically handles previously complex tasks such as offline access and syncing files. This allows you to read and write files as if Drive were a local file system.
Check the official Quickstart and the demos sample on GitHub. None of them is having special permissions in the AndroidManifest.xml.
BUT if you are using the Google Drive REST API for Android then you need INTERNET permission for sure.
If you follow the tutorials on Drive API using Android, you will see in the Step 4:Prepare the project that you need to add the permissions below in your code.
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
The permission "android.permission.INTERNET" is used if you want your application to connect/perform network operation.
For the "android.permission.GET_ACCOUNTS", it's stated in this documentation that:
Note: Beginning with Android 6.0 (API level 23), if an app shares the
signature of the authenticator that manages an account, it does not
need "GET_ACCOUNTS" permission to read information about that account.
On Android 5.1 and lower, all apps need "GET_ACCOUNTS" permission to
read information about any account.
For more information about different meaning/uses of android permission, check this page.
According to the Google Maps API documentation, INTERNET and ACCESS_NETWORK_STATE permissions will be automatically merged to project's manifest, meaning you don't have to specify them by yourself as long as calling API over Google Play services.
Couldn't find the same description for Google Drive API, though.
Related
I'm new to developing android apps, and this is my first one that I'm about to publish. The last step for me is adding permissions. I have to add permissions manually as I'm building the app through Phonegap. Anyway, I can't find what the specific permissions are required to ask of the user if you are going to use Firebase with Google Analytics and Google Admob. My app doesn't need any other permissions than for these services. (By the way, I am not adding these services via SDK, I am adding my app to these services online. However, I believe I still need to add app permissions.)
Only internet, you can add it in your Manifest:
<uses-permission android:name="android.permission.INTERNET" />
No need for runtime permissions for internet.
Recently I tried to publish an app in Google Play Store, but I am receiving the following error and my app is getting rejected every time.
I have removed all the SMS related permissions only basic permissions required are included in the app, and I have used some 3rd party libraries like PayPal, Payumoney.
Please find the reference link below for more information regarding the updated Google Policy:
Privacy, Security, and Deception
If you cannot disable adding this permission by a dependency you can explicitly remove it from merged manifest like this:
<uses-permission
android:name="android.permission.READ_PHONE_STATE"
tools:node="remove" />
There is an app called bodyweight fitness on the play store without any permissions. It is available on git hub as well:
https://github.com/mazurio/bodyweight-fitness-android
I used the files from git hub and compiled the apk myself with Android Studio (without changing the files). When I try to install the self compiled app apk, it tells me that it will use the INTERNET though the play store app did not. There is no reason why this app should need any internet connection. Thus I removed this line from the AndroidManifest.xml
<uses-permission android:name="android.permission.INTERNET" />
After compiling and installing the app, it still tells me that it will use INTERNET. Does someone know why and how I can remove this permission?
PS: I asked the developer as well, but I got no response yet.
update:
You are right, it is added from another part aswell: crashlytics.
And you are right aswell about the hidden permission. It is shown in
the app details when the app is installed and it is shown in the play
store when you click on the "permissions" button.
Each android lib contains manifest file with package, permissions, acitivities etc so your app will show all permissions from dependencies. You may check final manifest creation log at {projectDir}/{moduleDir}/build/outputs/logs/manifest-merger-*-report.txt
This log will contain something like that
uses-permission#android.permission.INTERNET
ADDED from {myModulePath}/app/src/main/AndroidManifest.xml:6:5-67
MERGED from [net.hockeyapp.android:HockeySDK:4.1.1] /Users/devindi/.android/build-cache/ce70c6f87efc05633a59a88fccdb712db509e22d/output/AndroidManifest.xml:12:5-67
MERGED from [com.crashlytics.sdk.android:crashlytics:2.6.8] /Users/devindi/.android/build-cache/424d420499b90aec0a26ab1b5f575e318d0342b9/output/AndroidManifest.xml:9:5-67
MERGED from [com.crashlytics.sdk.android:beta:1.2.5] /Users/devindi/.android/build-cache/be2498e53f6aa976b3927954da943b23f0a800f6/output/AndroidManifest.xml:9:5-67
MERGED from [com.crashlytics.sdk.android:crashlytics-core:2.3.17] /Users/devindi/.android/build-cache/e5b1b150113ac2f0789b76a886f379cdafa8af2b/output/AndroidManifest.xml:52:5-67
MERGED from [com.crashlytics.sdk.android:answers:1.3.13] /Users/devindi/.android/build-cache/c86f3a3daec296cb6a32deb0b3d0c3f1370a024f/output/AndroidManifest.xml:9:5-67
MERGED from [io.fabric.sdk.android:fabric:1.3.17] /Users/devindi/.android/build-cache/0a51b13dbc46dc870c598edab9d128bf8f26a8d4/output/AndroidManifest.xml:29:5-67
As you see I requested network permission at my manifest and hockeyapp, crashlytics, fabric libs requested same permission also. https://developer.android.com/studio/build/manifest-merge.html
To force permission remove just add tools:node=”remove” to your permission declaration like that:
<uses-permission android:name=”android.permission.INTERNET” tools:node=”remove” />
This is because the INTERNET permission is a "harmless" permission. This means that you don't have to ask the user for permission, and that it will not show in the Google Play Store
Since Android 5.0, permissions have a "protection level". Some are dangerous, and some are normal. Normal means that you as an app developer do not have to ask the user for permission, and that it will not show in Google Play. Dangerous means that Google Play displays it and that you have to ask the User for permission.
Source and further reading: Android Developers
There is a difference between apps installed during development via your Android Studio, apps installed from an APK and apps installed from Google Play Store. Some permissions are granted automatically in the latter case, like for example the Internet or drawing on top of other apps. You need to take this into account while planning your deployment strategy.
I have an app, with Push notifications implemented.
I want to understand the reason why we need "GET_ACCOUNTS"(android.permission.GET_ACCOUNTS), while implementing GCM? Some users are raising concerns with this permission. I have used this permission in the manifest as it was given in the official site here.
How safe is this permission? and if I remove this, from my manifest, will the push notifications work?
It uses an existing connection for Google services. For pre-3.0
devices, this requires users to set up their Google account on their
mobile devices. A Google account is not a requirement on devices
running Android 4.0.4 or higher.
SO this is the reason for requirement of the permission
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
to read Google account.
Read more about this GCM Overview
Google account login is no longer needed for GCM to work. So you do not need the android.permission.GET_ACCOUNTS permission.
If you are using GCM API with GoogleCloudMessaging.register), you no longer need to configure Google account on any Android version. But if you are using the deprecated library (GCMRegistrar.register), you still need a Google Account on older versions (before ICS).
More details at https://groups.google.com/forum/#!topic/android-gcm/ecG-RfH-Aso. Another similer thread is Why google Account login is required for GCM to work for devices below 4.0.4 OS?
The GET_ACCOUNTS permission is no longer needed for GCM to work. It used to be required for registration to GCM, but a recent Play Services update stopped using the Google account even on Froyo and Gingerbread. If you are registering to GCM with Play Services (i.e. With GoogleCloudMessaging.register), you no longer need this permission on any Android version. If you are using the deprecated library (GCMRegistrar.register), you still need a Google Account on pre 4.0.4 version, which requires that permission.
Source (posted on android-gcm Google Group by a Google developer) :
Some background:
Froyo and Gingerbread registration is implemented in
GoogleServicesFramework, using the Google account for registration.
This has resulted in a lot of auth errors for people where the account
was not in a good state.
Starting with ICS, GCM doesn't depend or uses the Google account - you
can use it before you add an account or without any accounts.
The "Play Services" update is implementing the new scheme on all
devices - but it seems a small number of devices have problems with
this, we're investigating - but the numbers are far lower than those
with the old scheme.
As everyone else here has said, GET_ACCOUNT is needed for android devices lower than 4.0.4.
If you are like me and have installed a library that automatically adds this permission but you do not need it to, you can tell the AndroidManifest to remove the permission by adding the permission with the tools:node="remove" attribute.
In your AndroidManifest.xml file, make sure the xmlns:tools attribute it defined in your manifest tag and then add the permission with remove set:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
...>
...
<uses-permission android:name="android.permission.GET_ACCOUNTS" tools:node="remove" />
...
</manifest>
Word of warning that this never actually works for me but I know it has worked for others. If you can see what I might be doing wrong or have any more info about it, please comment!
*Edit: There is a bug report open to get this feature working:
https://bugzilla.xamarin.com/show_bug.cgi?id=48153
when you use
compile 'com.google.android.gms:play-services:7.5.0'
add the build.gradle file means GET_ACCOUNT permission added automatically.
forexample if developer have to use only admob in project means only specify this permission in build.gradle file
compile 'com.google.android.gms:play-services-ads:7.5.0'
if have any another clarification see this link https://developers.google.com/android/guides/setup
I don't think this is actually the case. I tested it on a freshly factory reset Gingerbread device with a new Gmail account and I could receive GCM messages just fine without that permission. So the documentation is WRONG.
GET_ACCOUNT is to verify if user synced Google account in mobile, and generate the key value for each user(each Google account). This is required if the device is running a version lower than Android 4.0.4.
Consider this as a wiki question.
While I setup my project to support Map V2, There has been a step to add MAPS_RECEIVE permission.
<permission
android:name="com.example.mapdemo.permission.MAPS_RECEIVE"
android:protectionLevel="signature"/>
<uses-permission android:name="com.example.mapdemo.permission.MAPS_RECEIVE"/>
Why we creating and consuming the permission from the app itself?
Is that google play services app interact using this permission ?
This permission can't takes care of these things?
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>
I thought the use of custom permission is to allow other apps to launch/use our app's services/resources.
For future visitors:
This permission is now completely unnecessary. The latest update of
Google Play Services 3.1.59 made it useless. As a result, it can be
removed.
source
This is the same pattern you see when using Google Cloud Messaging (GCM) with its C2D_MESSAGE permission. The idea is to protect an endpoint in your application (e.g. a broadcast receiver) so that some other component (presumably part of the Maps API) can contact it securely (otherwise, another application could impersonate your application by using the same intent filter).
In this case, then, Maps API internally sets up such an endpoint (transparently to you) and can, with the use of this permission, that this endpoint cannot be impersonated (because to do so would require the permission, which is protected by your application signature).
This permission specifies your package name.
i.e.
<permission
android:name="package_name.permission.MAPS_RECEIVE"
android:protectionLevel="signature"/>
<uses-permission android:name="package_name.permission.MAPS_RECEIVE"/>
thus, the google API simply allows your project to recieve the map.
The permission tells where to use the API.
I found that this permission is still needed when using the debug certificate. When I exported and signed my application it worked fine, but it wouldn't work when I used the debug cert. I have the MD5 for both my debug cert and application cert associated with the same key. When I finally added these extra permissions, it worked. I am using a Moto X running 4.4 with everything up to date.