I've just noticed that my app has new permission requests that I have not explicitly declared in my AndroidManifest.xml. I didn't see these declared in any of the manifests in the
"intermediates" directory created by gradle, and the only dependency that I declare without an explicit version is crashlytics (as they suggest to do), i.e:
compile 'com.crashlytics.android:crashlytics:1.+'
The new permissions found in the full manifest are:
<android:uses-permission
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
android:maxSdkVersion="18" />
<android:uses-permission android:name="android.permission.READ_PHONE_STATE" />
<android:uses-permission
android:name="android.permission.READ_EXTERNAL_STORAGE"
android:maxSdkVersion="18" />
So what my guess is that whatever new version of crashlytics is now requesting this?
If you're using Gradle to build, you can add the following to your AndroidManifest.xml to remove the permission:
<uses-permission android:name="android.permission.READ_PHONE_STATE" tools:node="remove" />
There is an issue within the Android Gradle plugin version 1.0.0-rc1 that may be causing the behavior to happen: https://code.google.com/p/android/issues/detail?id=81017
Version 1.0.0 has a fix for this.
Crashlytics only requires the INTERNET permission to send crash reports.
Related
VS 2022 17.1.0
Xamarin Android SDK 12.2.0.4
We have a Xamarin Forms project that includes an Android target. That Android target has recently been updated to have a targetSdkVersion 31 (Android 12)
We are now getting the following errors when trying to upload our Signed APK to Google Play
Duplicate declarations of permission
android.permission.ACCESS_COARSE_LOCATION with different
maxSdkVersions. Duplicate declarations of permission
android.permission.ACCESS_FINE_LOCATION with different maxSdkVersions.
If I look at the signed APK created by VS2022 build I can see these entries in AndroidManifest.xml
<uses-permission
android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission
android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission-sdk-23
android:name="android.permission.ACCESS_COARSE_LOCATION"
android:maxSdkVersion="30" />
<uses-permission-sdk-23
android:name="android.permission.ACCESS_FINE_LOCATION"
android:maxSdkVersion="30" />
How can I see what is causing these permission values to be merged into our AndroidManifest?
Our currently released build has a targetSdkVersion of 30 (Android 11) and whilst these duplicate permissions are present in the merged manifest for that relesase, Google Play does not complain.
Other AndroidManifest values that might be important are
<manifest
xmlns:android="http://schemas.android.com/apk/res/android"
android:versionCode="1"
android:versionName="3.7.0"
android:installLocation="0"
android:compileSdkVersion="31"
android:compileSdkVersionCodename="12"
package="com.OurCompany.OurApp"
platformBuildVersionCode="31"
platformBuildVersionName="12">
<uses-sdk
android:minSdkVersion="24"
android:targetSdkVersion="31" />
OTHER VALUES REMOVED
</manifest>
I finally managed to trace which component was adding ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permission entries.
The only way I found to track it down was from all the entries in the "obj" folder under "lp" e.g. \obj\Debug\120\lp
This was wear the various libraries I was using would unpack themselves. I search that folder for occurences of "ACCESS_COARSE_LOCATION" and that gave me the library name that was the problem
The change I made in our AndroidManifest was
<uses-permission-sdk-23
android:name="android.permission.ACCESS_FINE_LOCATION"
tools:node="remove"
android:maxSdkVersion="30" /
Note the use of the tools:node attribute, the Android docs for this are here, https://developer.android.com/studio/build/manage-manifests
We are trying to update Google Play Install Referrer Library and
Internally it's adding some external read write permissions.
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
Do we really need to stick with the permissions ?
dependency implementation 'com.android.installreferrer:installreferrer:1.1
Source https://developer.android.com/google/play/installreferrer/library.html
Install referrer adds this permission due to the fact that the targetSdkVersion is a value lower than the version in which the restriction was added.
If you take a look at generated manifest-merger-report in the build folder of your app, you can see this information:
uses-permission#android.permission.READ_PHONE_STATE
IMPLIED from android/app/src/main/AndroidManifest.xml:1:1-130:12 reason: com.android.installreferrer has a targetSdkVersion < 4
Information on how this implicit system permission works on Android can be found in this documentation :
https://developer.android.com/studio/build/manifest-merge#inspect_the_merged_manifest_and_find_conflicts
Quoting from this answer (and completing):
Version 1.1 and 1.1.1 are missing "minSdkVersion". This would automatically add those permissions (because the default SDK < 4 as said by #thiagolr). See similar issue here: Google Play Services 12.0.1.
Solution
Version 1.1.2 solves this issue.
Details
Manifest.xml for v1.0 (from https://mvnrepository.com/artifact/com.android.installreferrer/installreferrer/1.0)
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.installreferrer" >
<uses-sdk
android:minSdkVersion="8"
android:targetSdkVersion="22" />
<uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE" />
<application />
</manifest>
Manifest.xml for v1.1 (from https://mvnrepository.com/artifact/com.android.installreferrer/installreferrer/1.1)
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.installreferrer">
<uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE" />
<application />
</manifest>
I've also come across this issue.
But in my case, the 1.1 version is also adding the READ_PHONE_STATE permission
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
I've decompiled the .aar file for installreferrer:1.1 and checked the manifest and pom file, there is nothing in those files to indicate that these permissions should be added.
The library manifest file only adds this permission (which is always has in previous versions):
<uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"/>
I haven't been able to find any official information regarding this.
But other Google libraries have had issues in the past with adding additional, unneeded, permissions, which have then been removed in a hotfix version shortly after.
For example, this:
Why has the READ_PHONE_STATE permission been added?
So i hope the same is gonna happen here.
Edit: Solution: Version 1.1.2 (and above) solves this issue.
From this answer:
This is because they have added a dependency to
com.google.android.gms:play-services-measurement:17.2.1
Which adds those permissions.
You can find it on the file: manifest-merger-blame-debug-report.txt which is under "yourApp/build/intermediates/manifest_merge_blame_file/debug"
It's a bug. Also, installreferrer 1.1.1 doesn't solve it.
Solution:
Update to installreferrer 1.1.2 or any version above (current version is 2.1`)
Obsolete:
Easiest solution is to downgrade installreferrer back to 1.0 for now.
But if you need this version, you can add:
<uses-permission android:name="<permission_name>" tools:node="remove" />
To disable it.
But know that if you'll use any API which needs it inside the library, it could lead to a crash, so I won't recommend doing so.
These permissions are added because com.android.installreferrer has a targetSdkVersion < 4. You can see it on the manifest-merger-release-report.txt file located on Temp\gradleOut\build\outputs\logs folder inside your project. This is a bug and it will probably be fixed on a newer version.
In order to fix this, you need to find out which plugin is adding com.android.installreferrer as dependency.
In my project, the culprit was the Facebook plugin. It uses the com.facebook.android:facebook-core:5.15.x package which is responsible for adding the com.android.installreferrer:installreferrer:1.1 dependency.
The solution was to rollback to com.facebook.android:facebook-core:5.13.0, which doesn't have a com.android.installreferrer dependency.
Edit the file FacebookSDK/Plugins/Editor/Dependencies.xml and change these packages to:
<androidPackage spec="com.facebook.android:facebook-core:[5,5.13.0)" />
<androidPackage spec="com.facebook.android:facebook-applinks:[5,5.13.0)" />
<androidPackage spec="com.facebook.android:facebook-login:[5,5.13.0)" />
<androidPackage spec="com.facebook.android:facebook-share:[5,5.13.0)" />
Next, don't forget to resolve the dependencies again: Assets > Play Services Resolver > Android Resolver > Force Resolve
1.1.2 is released, it adds minSdkVersion correctly.
<uses-sdk
android:minSdkVersion="8"
android:targetSdkVersion="22" />
One could theoretically remove them altogether with the manifest-merger:
<manifest
xmlns:tools="http://schemas.android.com/tools">
<uses-permission android:name="android.permission.READ_PHONE_STATE" tools:node="remove" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" tools:node="remove" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" tools:node="remove" />
</manifest>
But if the library will then still work as expected is another story -
it's rather an exception, that a Google library requires unnecessary permissions.
The release notes and the documentation do not mention permissions.
I just updated one app from Firebase 9.0.0 to Firebase 9.0.2.
I use messaging + ads.
compile 'com.google.firebase:firebase-messaging:9.0.2'
compile "com.google.firebase:firebase-ads:9.0.2"
Now a lot of unwanted permission have cropped up
android:name="android.permission.READ_PHONE_STATE"
android:name="android.permission.READ_EXTERNAL_STORAGE"
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
I didn't add those permissions anywhere, so they must be from Firebase.
I know my clients don't like these permissions, so I removed them with
<uses-permission
android:name="android.permission.READ_PHONE_STATE"
tools:node="remove" />
<uses-permission
android:name="android.permission.READ_EXTERNAL_STORAGE"
tools:node="remove" />
<uses-permission
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
tools:node="remove" />
My app still works, messaging and ads still work, still I'd like my suspicions confirmed.
Why does Firebase add those permissions and is it really ok to remove them like I did?
This issue was fixed in 12.0.1. Source https://developers.google.com/android/guides/releases
March 28, 2018 - Verison 12.0.1
Issues fixed in 12.0.1:
Fixes issue that caused spurious Android lint errors claiming
GoogleSignIn and CredentialsClient were internal-only.
Adds missing
minSdkVersion in -license artifacts to prevent automatic inclusion of
READ_PHONE_STATE and READ_EXTERNAL_STORAGE permissions.
Restores
unique package names for runtime linked -license artifacts which
affected some build systems' (e.g. Ionic Pro) compatibility issues.
Restores some fields names that were obfuscated in 12.0.1, namely the
value() method of #PropertyName annotations in firebase-firestore and
firebase-database.
android:name="android.permission.READ_PHONE_STATE"
android:name="android.permission.READ_EXTERNAL_STORAGE"
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
these permissions are different they are not used in fcm.
PHONE_STATE permission to know current state of phone
and READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE to add and delete file in memory from your app, if you are not using any of these functionalities you can remove it.
My app uses a couple of permission:
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
and:
android:permission="com.google.android.c2dm.permission.SEND">
Yesterday I uploaded a new version to google play and somehow the
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
has been added and thus users won't get an auto update of my app but have to give permission first. I don't want this permission added to my project, but I have no idea how to remove it since pre-build it's not requested in my code anywhere.
Does anyone have some advice?
I was able to remove the permission by adding:
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"
tools:node="remove"/>
Also #Arnav: I wasn't using any functionality of the library that needed this permission so removing caused no issues.
The library projects as dependency needs to be used as this require that permission. You have enabled the manifestmerger property true in project properties () because of which this issue may occurs.
This permission can be removed as follow:
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"
tools:node="remove"/>
I am compiling a project that does not explicitly request the READ_PHONE_STATE permission, but when I compile I am seeing the permission in my compiled Android Manifest file. I'm assuming some library that's being pulled in is adding it explicitly or forgot to set its minimum SDK version (which would add it).
The only thing I have to go on is that in the final manifest, the permissions I requested myself look like this:
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="com.android.vending.BILLING" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
And the READ_PHONE_STATE looks like this:
<android:uses-permission android:name="android.permission.READ_PHONE_STATE" />
Does the android prefix mean anything?
Is there any way to narrow down which library is adding this permission?
You can exactly see if a (or because of) library adds some extra Permission to your manifest. Check at file generated (see below) during build process and look for the unwanted permission within the file!
Go to your project folder and look for this path:
[ProjectFolder]/build/outputs/logs/manifest-merger---report.txt
open the file and search for the permission
In my case I found these lines at the
uses-permission#android.permission.READ_PHONE_STATE IMPLIED from
C:\..\...\AppFolder\src\..\AndroidManifest.xml:2:1-14:12 reason:
com.some.evil.library has a targetSdkVersion < 4
This generated file show the output of the merge process described here in Android Developers site.
I would look at:
Android Library Manifest vs. App Manifest
This isn't really a duplicate so I won't flag, however I think he covers the topic fairly well in his answer to that question.
After that and assuming you can't figure it out, I would do the following:
Locate your gradle cache
Crack open the artifacts of each of your dependences (rename to .zip and extract is the easiest way to do this)
check if they have manifests included and see whats in the,