I've got the source code for an Android app and its manifest includes a lot of uses-permissions, some of which I think it doesn't need. Aside from testing the whole app, is there an easy way to find which classes or methods use a specific permission?
delete all permission in Manifest, then run App. Then the logcat will show you what permission needed.
As this paper points out, the API documentation is frequently wrong about which permissions are needed, and many application are 'over-privileged' meaning the manifest declares permissions which are not necessary for the classes and methods used.
Unfortunately, the Stowaway tool described in the paper is currently off-line, and I know of no other tool that is specifically designed to perform the analysis you're looking for. One problem with such a tool is that the method->required permissions mapping must re-accomplished based on the Android source code every time a new version is released. The paper is based on Gingerbread and obviously a lot has changed since then. Maybe they are having trouble keeping it relevant.
So at this point, the quickest way to do a one-off check would be to remove all of the permissions and then add them back one-by-one based on the security exceptions you see in the logcat.
Related
I have a problem where Unity is requiring too many permissions. Before, I was building with Unity 2017, and my app needed three android permissions. These are the only ones I think I need:
android.permission.RECORD_AUDIO
android.permission.INTERNET
android.permission.ACCESS_NETWORK_STATE
Now, I've upgraded to 2019.2.21f1, and I discovered a few extra permissions were added without changing the code:
android.permission.MODIFY_AUDIO_SETTINGS
android.permission.BROADCAST_STICKY
android.permission.BLUETOOTH
I've gone through all my code, deleting bits of it, until I found the line that caused these permissions to appear in my merged manifest (I was checking the manifest-merger-release-report) -- it's a reference to the list of microphones: Microphone.devices. When I make a reference to that, the permissions appear.
I need to reference this string array because I need to call Microphone.Start somewhere in order to get audio input, but I don't care about bluetooth or broadcasting stickies. I don't want to use any of these new permissions. Does anyone know why using Microphone.devices would cause these permissions to appear?
In the build settings, my minimum API level is 16, and the target API level is highest installed.
I don't want to downgrade my Unity version again. I want to find a way to just require the RECORD_AUDIO permission, without the three new ones -- the only other option is to not use the Microphone, which will make my game less fun. Boo hoo.
Now i don't think this answer will be of much help but since you seem pretty desperate, as in out of options since this is a problem in unity's core system, could you not try to instead use a different microphone library than the one builtin to unity?
For example i found this:
NatDevice is a cross-platform media device API for iOS, Android, macOS, and Windows. NatDevice provides powerful abstractions for using hardware cameras and microphones through a concise .NET API.
https://assetstore.unity.com/packages/tools/integration/natdevice-media-device-api-162053
You could also roll your own with native android code, like this guy describes:
https://support.frozenmountain.com/hc/en-us/community/posts/115000768894-Unity-Android-Audio-Capture-Provider
You can do it using a Unity "plugin":
https://docs.unity3d.com/Manual/PluginsForAndroid.html
Their docs go into more detail, but the general idea is that you want
to write the app component that uses the native library using Java,
and then activate it from C#. This avoids a lot of expensive
cross-calls between the two runtimes. Using this approach, you would
extend RtcLocalMedia in Java along with the rest of your component
code, and then activate that component from C#.
Another option is to completely overwrite the manifest file to exclude the permissions you don't want (although you need to make sure it all works still, because unity could still depend on them)
A good description is here:
https://stackoverflow.com/a/40931309/4122889
Hope this atleast gave you some ideas.
You will need to include these permissions if you would like to use microphone built into Bluetooth headset. They are required by AudioManager when using Bluetooth microphone.
I want to read the whole AndroidManifest.xml file content. Is there any way to read its content?
AndroidAnnotations processor has the code, that does exactly that. Note, that instead of copying/reimplementing that code you might be better off writing a plugin for Android Annotations main processor (their code already has few examples of such plugins, such as OrmLitePlugin). The library itself is rather popular, so there is a good chance, that your users might have it in their setup and may even pass the path to AndroidManifest.xml to it via an option. So even if the above code fails, you would have a backup plan, that requires zero to little user's effort.
I'm developing an Android library which provides ways to reach into various system services and gather data for analysis. My classes make use of various system service managers (like WifiManager) to gather the data.
I'd like to structure the manifest of my library such that it doesn't grab all the possible permissions that all of these features require. Instead, I'd like to leave it up to the app consuming that library to declare only the permissions that it will need, which might be a smaller subset of what's used by the library.
This actually works in practice, because the manifests all get merged together during the build process, so the app ends up with the permissions it needs to use the features of the library. However, since the <uses-permission> tag isn't in the library's manifest, the code is all lit up with warnings from Android Studio.
Is there a way to annotate my library code such that the permission check is ignored?
Of course I can simply turn off the "Constant and Resource Type Mismatches" inspection in my Android Studio settings, but that won't help anyone else who's trying to use the library. I tried finding a reference to this inspection in the documentation (so I could kill it with #SuppressWarnings but haven't found it yet.
Is this even a worthwhile approach?
…or should I, instead, have the library grab all the permissions it needs, which would force a consumer of the library to turn off the ones it doesn't need using the tools:node="remove" property in its manifest? The problem here is that, as I add features to my library, my library's consumers would repeatedly have to circle back and explicitly remove those new permissions as well. I feel like that's not a great model and I'd rather leave the permission requests to my consumers.
Consider the following conversations on the subject —
Android: New permissions added behind my back after library updates (StackOverflow)
Hey, Where Did These Permissions Come From? (CommonsBlog)
In just randomly right-clicking around the issue I was able to choose the Suppress for method context command in Android Studio and it added the following annotation:
#SuppressWarnings( "ResourceType" )
So… yay! There's the answer to which annotation to use.
I'm still interested, though, in what people's thoughts are regarding the approach in general. Please feel free to hash that out in the answers section. ^_^
I want to call functions provided in com_android_bluetooth_hid.cpp in android source from my own app. Target Android versions are >=4.4 and <=5.x. I understand JNI, and can compile my own code and call from my own app.
Would it be possible to call android's library from my app? How
Also, to call functions in that specific cpp file, are BLUETOOTH and BLUETOOTH_ADMIN permissions sufficient or something else (other permission, or root) would be required?
The cleanest way to call Android's CPP code is, generally, copying the relevant pieces to your repository and building as part of your app. Following this approach, your app will only call the public APIs - either Java or C/C++.
But this may not be relevant in cases when this code must run with special permissions, as system service, like mediaserver or Bluetooth stack.
I am afraid that the code you wish to run belongs to this second category, therefore none of the available tricks will not help.
On the other hand, a custom ROM may be a solution you are looking for. It may happen that you don't need to forge a full system. It may be enough to use a rooted device and replace the bluetooth service with your custom one.
I would still advise you to provide the missing callbacks for the service, instead of calling the functions directly from your app: you better not mix contexts between a user-space app and system service.
Okay, so I was looking for something like answered here. The only problem is I've been looking at that zygote fork code but I have no idea what is going on. I'm trying to figure out where exactly permissions are enforced for native method calls in Android. More basically, I want to know how the Linux Kernel is enforcing permissions. Something like enforcePermission() which I've seen in some of the android source code, except I want to know where it is at the kernel level. If someone can point me in some sort of direction or make sense of what that zygote fork code is doing I'd appreciate the hell out of it.
If that doesn't make sense it's probably because I'm an idiot or something.
Thanks!
What that post says (which is true) is that there is no special enforcePermission()-style call for native code: each permission granted effectively translates into a specific supplementary group id. Individual permissions checks are performed either using the standard Linux permissions/capabilities model, using specific code in IPC routines (so for example when you bind to certain services the services can check the calling processes membership in the appropriate group) or using specific patches the the kernel/libraries (for example network permission is explained here).