I am maintaining one existing (very-huge, very-sensitive) Android Application.
The other day, I have received an email from my client that, the Application might be declaring the Permissions that are not actively being used.
For example, they wants me to remove "WRITE_EXTERNAL_STORAGE" permission.
I have removed it and compiled it and run the App. There is NO error at all.
But, just because of that, I don't think I can assume that permission is not actively being used at all.
My question is "Is there anyway I can easily and simply check the permission if it is actively being used ?"
Frankly, I don't want to go through every little detail aspect of that application just to fine out the permission is required or not.
I just don't have time.
My goal is check if the permission is actively being used. If not, remove the permission.
Hope there is an less-time consuming way for that.
Regards
In Android Studio 1.3 & Android Support Library v7:22.2.0, you have solution for it.
Steps:
Update Android Studio to V1.3
Update your Android Support Library to v7:22.2.0
Run Android Lint (Analyse -> Inspect Code), In Lint Error see for Type "Android -> Constant & Resource Type MisMatch", Which shows all methods which requires permission.
Explanation
Android has introduced new annotation #requirespermission.
All SDK methods which requires permission are annotated with #requirespermission.
When we call any sdk method which requires permission without properly checking whether we have permission or not, Android studio will through lint error.
There is a group at Berkeley that wrote a paper about Android permissions. They talk about over-permissions and developed a tool called Stowaway that would analyze your APK for unused permissions. The analysis was based on the app's API calls and their own mapping of the permissions needed for each API call (see the paper for details). The tool throws a flag if there is a permission in the manifest that is not mapped to any of the API calls found in the APK.
For a while, a web-based version of the tool was available at http://www.android-permissions.org/, but it is from the Gingerbread era and was never updated. The page now suggests using PScout.
PScout does a better job than Stowaway at generating the permission maps. However, PScout does not include an APK analyzer, so you will have to manually compare the mappings they provide with API calls made by your app. Unfortunately, if you're interested in maps for versions beyond 5.1.1, you'll have to generate them yourself using the provided PScout code and your own Framework source.
You might also check out the various APK analyzers here to see if they include the functionality you are looking for.
I tried the method suggested by Vasanth but it doesn't work for me. In fact, because my project has flavors and Code Inspection doesn't work for the project with flavors. See https://code.google.com/p/android/issues/detail?id=210073.
But Running Lint from console works. So steps are simple:
Remove permissions from your manifest.
Run Lint for flavor as described here https://stackoverflow.com/a/32708435/1170154.
Open Lint result and find section Correctness > Error MissingPermission: Missing Permissions. It will contain all calls that require permissions.
As of Android Studio 3.3, running Analyze → Inspect Code will inform you of missing permissions under Android → Lint → Correctness → Missing Permissions
Related
Status: Approved with Issues - Further Action Required
We found issues with your app. You need to review and take action as described below, so that your app is not impacted in the future.
Issue found: Use of permission is not directly related to the core purpose of the app.
We found that your app is not compliant with how REQUEST_INSTALL_PACKAGES permission is allowed to be used. Specifically, the use of the permission is not directly related to the core purpose of the app.
Additionally, follow these steps to bring your app into compliance:
Please remove the use of REQUEST_INSTALL_PACKAGES permission from your app.
About the Request Install Packages Permission
Starting September 29, 2022, your app must be in compliance with the REQUEST_INSTALL_PACKAGES permission or your app may face additional enforcement actions. The REQUEST_INSTALL_PACKAGES permission allows an application to request the installation of app packages. To use this permission, your app’s core functionality must include:
Sending or receiving app packages, AND
Enabling user-initiated installation of app packages.
Permitted functionalities include any of the following:
Web browsing or search
Communication services that support attachments
File sharing, transfer or management
Enterprise device management
The REQUEST_INSTALL_PACKAGES permission may not be used to perform self updates, modifications, or the bundling of other APKs in the asset file unless for device management purposes. All updates or installing of packages must abide by Google Play’s Device and Network Abuse policy and must be initiated and driven by the user.
For more help addressing this issue, read more in our Help Center.
If your app does not install other apps externally, simply add the following permission to the manifest.
<uses-permission
android:name="android.permission.REQUEST_INSTALL_PACKAGES"
tools:node="remove"/>
I faced the same issue a month ago. This is related to the open_file package using REQUEST_INSTALL_PACKAGES permission in the manifest.
Issue: https://github.com/crazecoder/open_file/issues/204
The recommended solution is to use this fork: https://github.com/bertoldofonseca/better_open_file
I faced the same issue yesterdey. This permission used by open_file package.
you can user alternative packages such as better_open_file or open_filex or you can by pass this permission by adding belove code to AndroidManifest.xml:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="{you package name}"
xmlns:tools="http://schemas.android.com/tools">
and in permissions section add this code:
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove"/>
good luck
If you are going to delete this permission from manifest of your app. You need to do these:
REMEMBER It's unnecessary to remove any pub.dev package which uses REQUEST_INSTALL_PACKAGES permission, after adding this to your manifest
android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove"/>
because, they remove all such kinda permission from merged manifest file(make sure that manifest opening tag involve xmlns tools like that
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
package="YOU_APP_PACKAGE_NAME">
ONE OF THE MOST IMPORTANT STEP:
You need to update all Open Testing, Internal testing and Closed testing (all tracks even if they are not active). Update your Production channel too. You can check that you updated all required ones in Policy -> App content -> App bundles and APKs using sensitive permissions section. If section is not shown here, then you updated all tracks and channels
AFTER DOING JUST THESE SIMPLE BUT REQUIRED STEPS, YOUR NEW VERSION WILL BE ACCEPTED. GUARANTEED
Remove the permission from your manifest and in-app functionality.
Double check that your app is compliant with all other Developer Program Policies.
Sign in to Play Console and submit the update to your app.
Alternatively, you may also choose to deactivate these versions to avoid additional enforcements that could occur. You may follow the given steps to deactivate the non-compliant app bundles or APKS:
Go to your Play Console.
Select the app.
Go to the track where the non-compliant APK or app bundle is.
Near the top right of the page, click Create new release. (You may need to click Manage track first) If the release with the violating APK is in a draft state, discard the release.
Under the new release page, you can choose to: A) Upload a new, compliant APK/app bundle and make sure the new release is rolled out 100% to completely deactivate the non-compliant APK. B) Not upload any new APK/app bundle (publish an empty release to just deactivate the non-compliant old version).
Regardless of what you choose in step 5, please make sure that the non-compliant version of APK/app bundle is under the Not included section of this new release. For further guidance, please see the "Not included (app bundles and APKs)" section in the Play Console Help article.
To save any changes you make to your release, select Save.
When you've finished preparing your release, select Review release.
If the non-compliant APK is released to multiple tracks, repeat steps 3-8 in each track.
Experienced the same issue a week ago. Check your builds in the Internal Testing or any other environments. Because I received the same email, but there was no information about where exactly this permission exists. Because I removed it from production build. But when I wrote to policy status technical support - they answered that the issues in the build in the Internal testing environment. I updated the build for Internal Testing and app in production was accepted.
I don't know why I have to update build in the Internal testing, because I haven't updated it for months.
But rules are rules.
Recently I've added HMS PushKit SDK with this gradle code:
implementation "com.huawei.hms:push:5.0.4.302"
After That I've noticed that my application added to the list of apps with access to install apps from unknown source (special permission). I checked the AndroidManifest.xml file of one of this library's dependency (com.huawei.hms.base.availableupdate) and saw that it has this special permission:
<!-- If it is Android 8.0, the targetSdkVersion of the application compilation configuration>=26, please be sure to add the following permissions -->
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
So Why PushKit needs this permission? I don't want my app to use this permission. And If I remove it with this code is there gonna be a problem (crash):
<uses-permission
android:name="android.permission.REQUEST_INSTALL_PACKAGES"
tools:node="remove"/>
UPDATE
If you remove this permission, it will not be affected on Huawei phones,but the HMS Core APK may not be installed on non-Huawei phones.
can it cause to crash in our app because of upgrade failure?--no,Only will make the application cannot be automatically upgraded,have to uninstall and download the new version.
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
This permission is used to update the HMS Core and push kit APK. Push kit strongly depends on the HMS Core and push kit APK. If this permission is not granted, applications may fail to be installed, and causing upgrade failures of the HMS and push kit`s APK.
Therefore, this permission is mandatory.
android.permission.REQUEST_INSTALL_PACKAGES is a permission that allows a framework or a component on Android, to refer to an external (maven most often) repository, in order to minimise the final installation apk size for the end user by installing source code remotely, instead of packaging it all inside the same apk (for initial download).
Be careful with this permission, because if it is enabled, not on your app, but rather a dependency, it will be rejected. This is because if there are any security issues with your dependency, there is no way for google to pick this up, when you upload the app bundle onto the store. This is because of a remote download of the source code, instead of it being packaged inside the same apk that google can strip.
As a result google will not accept this apk, and it will be rejected (just because google does not know, and has no way of knowing if there is any malicous code being included in the final end user package).
You can try to fork this library, and remove the permission from the manifest, but then you will encounter missing method exceptions.
Your best bet in this case is to find another library that does not install extra source code from a remote maven repository, in order to avoid a google play store rejection.
Looking at this package, it looks like it's an SDK built on top of the Android SDKs. If there is a way for you to get around this, and work directly on the google android sdk, while also making it so the customer does not notice, then that should be fine. At the end of the day the customer does not care how you do it, as long as it works.
After I open the "Profile / debug APK" at the Android Studio for my apps, I found out there is a list of the properties. When I check other's apk, there is none like my apps. Should I care about it or not?
these libraries are from third parties, therefore should be considered as "outside of your responsibility" and most likely, their Manifest.xml does not even have attribute android:debuggable="true".
since you demand "official sources", have a look here, which only confirms what I've wrote:
However, you need to make sure you’re using an APK with debugging enabled.
I want to add this permission to my Android manifest:
<uses-permission android:name="android.permission.MODIFY_PHONE_STATE" />
But after I paste this permission in my manifest, it tests red underline and says:
permission is only granted to system apps
What can I do?
MODIFY_PHONE_STATE permission is granted to system apps only.
For your information, there are 2 types of Android apps: system & user
User apps are just all your normal app installations through the Google Play Store, Amazon Appstore or sideloading. These go into the /data partition of your Android phone, which is the part of the internal memory made available for user data and apps.
System apps are basically the apps that come pre-installed with your ROM. In a standard Android user environment, the user doesn’t have write access to the /system partition and thus, installing or uninstalling system apps directly isn’t possible.
In order to install an app as a system app on your Android device,
your device must either be rooted or have a custom recovery installed (or both).
That being said, that error is actually wrong because you have a valid code and compilation should work. It would be better if it gave a warning instead. In Eclipse you can easily fix it. Just go to:
Window -> Preferences -> Android -> Lint Error Checking.
Find ProtectedPermission from the list and set the severity to something other than error(info for example). This way your project will still compile.
MODIFY_PHONE_STATE is a system-only permission. System Apps are either pre-installed into a system folder or compiled by a manufacturer using their security certificate.
Hence, if you are trying to do this you are trying to use API which are no longer supported. With Android versions 2.3+ you can monitor incoming calls, but blocking is not allowed (i think from the link you posted thats what you're trying to do).
Android issues if you need to follow: Issue 15022 and Issue 14789
This error appears in SDK 19 onwards, when you change the manifest.
Do Project Clean and Build.
It should clear this error.
just clean your project it will be fine like this :
project > Clean...
There are four types of Permission
Regular
Dangerous
Signed
Signed or System
The first two can be used by Simple Apps Other two can only be used by the app which is build in framework
Because this is the system level permission device developer not grant this so application development tools also warn against this so you have to
Simply Clean project & Rebuild this is it
Find ProtectedPermission from the list in
Window -> Preferences -> Android -> Lint Error Checking.
and set the severity to something other than error(info for example). This way your project will still compile.
We have a manufacturer that wants to pre-install our application on their Android device. We sent them the APK and even though it installs fine when used by a user, it appears to not get installed correctly when included in the manufacturer's build image. FYI, our application uses the JNI layer and some libraries built with NDK. The exception we're seeing seems to indicate that the class loader cannot find the library and is unable to load it. They have verified that the library files are indeed present in the APK.
Since we dont make devices, its unclear why they are seeing this exception and what needs to be done differently when including a package as part of the Android build image.
Any Android folks here care to comment?
I have worked with pre-installed Android apps, that also uses library files, in my case jar files. I am assuming that you have added the appropriate lines to AndroidManifest.xml like <uses-library android:name..... I am also assuming that you have provided instruction on how to install your library files on handset, with instructions like adb push ... on the command prompt. If you havent, do provide them the instructions.
Another issue may be permissions, we had to get the library jar AND the permissions xml file installed, that may be the issue.
Also ensure that you are using the correct version of Android for testing. And if everything fails, ask them to send one of the handsets that is not working to you and you can then compare with the one in office and debug this. Good Luck, as all this can be pretty frustrating.
Besides moving the apk file into /system/app, you should ask the manufacturer to move the native libraries created by NDK (.so files) to /system/lib or the path specified by LD_LIBRARY_PATH.
Please refer to https://groups.google.com/d/topic/android-porting/r_Ao7_PWgKQ for more details.