GET_ACCOUNTS permission while using GCM - Why is this needed? - android

I have an app, with Push notifications implemented.
I want to understand the reason why we need "GET_ACCOUNTS"(android.permission.GET_ACCOUNTS), while implementing GCM? Some users are raising concerns with this permission. I have used this permission in the manifest as it was given in the official site here.
How safe is this permission? and if I remove this, from my manifest, will the push notifications work?

It uses an existing connection for Google services. For pre-3.0
devices, this requires users to set up their Google account on their
mobile devices. A Google account is not a requirement on devices
running Android 4.0.4 or higher.
SO this is the reason for requirement of the permission
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
to read Google account.
Read more about this GCM Overview
Google account login is no longer needed for GCM to work. So you do not need the android.permission.GET_ACCOUNTS permission.
If you are using GCM API with GoogleCloudMessaging.register), you no longer need to configure Google account on any Android version. But if you are using the deprecated library (GCMRegistrar.register), you still need a Google Account on older versions (before ICS).
More details at https://groups.google.com/forum/#!topic/android-gcm/ecG-RfH-Aso. Another similer thread is Why google Account login is required for GCM to work for devices below 4.0.4 OS?

The GET_ACCOUNTS permission is no longer needed for GCM to work. It used to be required for registration to GCM, but a recent Play Services update stopped using the Google account even on Froyo and Gingerbread. If you are registering to GCM with Play Services (i.e. With GoogleCloudMessaging.register), you no longer need this permission on any Android version. If you are using the deprecated library (GCMRegistrar.register), you still need a Google Account on pre 4.0.4 version, which requires that permission.
Source (posted on android-gcm Google Group by a Google developer) :
Some background:
Froyo and Gingerbread registration is implemented in
GoogleServicesFramework, using the Google account for registration.
This has resulted in a lot of auth errors for people where the account
was not in a good state.
Starting with ICS, GCM doesn't depend or uses the Google account - you
can use it before you add an account or without any accounts.
The "Play Services" update is implementing the new scheme on all
devices - but it seems a small number of devices have problems with
this, we're investigating - but the numbers are far lower than those
with the old scheme.

As everyone else here has said, GET_ACCOUNT is needed for android devices lower than 4.0.4.
If you are like me and have installed a library that automatically adds this permission but you do not need it to, you can tell the AndroidManifest to remove the permission by adding the permission with the tools:node="remove" attribute.
In your AndroidManifest.xml file, make sure the xmlns:tools attribute it defined in your manifest tag and then add the permission with remove set:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
...>
...
<uses-permission android:name="android.permission.GET_ACCOUNTS" tools:node="remove" />
...
</manifest>
Word of warning that this never actually works for me but I know it has worked for others. If you can see what I might be doing wrong or have any more info about it, please comment!
*Edit: There is a bug report open to get this feature working:
https://bugzilla.xamarin.com/show_bug.cgi?id=48153

when you use
compile 'com.google.android.gms:play-services:7.5.0'
add the build.gradle file means GET_ACCOUNT permission added automatically.
forexample if developer have to use only admob in project means only specify this permission in build.gradle file
compile 'com.google.android.gms:play-services-ads:7.5.0'
if have any another clarification see this link https://developers.google.com/android/guides/setup

I don't think this is actually the case. I tested it on a freshly factory reset Gingerbread device with a new Gmail account and I could receive GCM messages just fine without that permission. So the documentation is WRONG.

GET_ACCOUNT is to verify if user synced Google account in mobile, and generate the key value for each user(each Google account). This is required if the device is running a version lower than Android 4.0.4.

Related

Query to Android developers who is using QUERY_ALL_PACKAGES permission

I'm a developer of an Android library which requires QUERY_ALL_PACKAGES permission at app targets Android 11 or higher.
There was a new policy from the Google Play store 2 years ago, they would enforce developers to submit a reason for using QUERY_ALL_PACKAGES permission. But the policy was postponed for 2 years, and now they restarted this policy.
Related Link: https://support.google.com/googleplay/android-developer/answer/10158779
In this document, Google says this policy will block app updates from 12th July 2022, if there is no declaration. But one of my customers got alert mail from Google, their app will be blocked from 4th May 2022 if they don't declare the reason for this permission usage.
My team is not managing the Android app, just managing the library, so we have not received similar mail at all. And also my other customers are not received similar mail yet.
Is there Android developers who have received a similar mail from the Google team? If you are, would you share the due dates of declaration to use the QUERY_ALL_PACKAGES permission mentioned in your mail?
For security reasons you cannot ask for QUERY_ALL_PACKAGES permission. This will allows you to check or you can get all installed app in Phone.
If your app is like cleaner app or have feature like app manager, so for this kind of feature you can add QUERY_ALL_PACKAGES. You will need to show video of that feature which is using QUERY_ALL_PACKAGES or need to give specific reason.
If your app only required to check any specific app installed or not then you can add like below.
//remove QUERY_ALL_PACKAGES permission and add like below
<queries>
<package android:name="com.whatsapp" /> <!-- replace with your packagename --!>
<package android:name="com.whatsapp.w4b" />
</queries>
I need to check whatsapp and business whatsapp installed or not. Same way you can added. And I think there no limit to check like above.
Same mail I also received, Before deadline date you need to give reason or update your app with I explained above.
I hope you understand.
I also received an email about this policy, but the paradox is that I do not need or use that permission, at least explicitly stated in the Manifest

What Permissions are Required for Google Admob and Firebase with Analytics?

I'm new to developing android apps, and this is my first one that I'm about to publish. The last step for me is adding permissions. I have to add permissions manually as I'm building the app through Phonegap. Anyway, I can't find what the specific permissions are required to ask of the user if you are going to use Firebase with Google Analytics and Google Admob. My app doesn't need any other permissions than for these services. (By the way, I am not adding these services via SDK, I am adding my app to these services online. However, I believe I still need to add app permissions.)
Only internet, you can add it in your Manifest:
<uses-permission android:name="android.permission.INTERNET" />
No need for runtime permissions for internet.

How to handle a rejection based on new Android Store policies regarding permissions?

While I am updating an app on Play store. I am getting following error according to the new policy of Google:
I have also checked all the options that are available, but again and again, Google rejects my application.
I am new to Android.
Issue: Violation of Permissions policy
After reviewing your app, we found that it doesn’t qualify to use the requested permissions for the following reason(s):
Based on our review, we found your app’s expressed user experience did not match your declared core functionality {SMS-based financial transactions (e.g., 5 digit messages), and related activity including OTP account verification for financial transactions and fraud detection}. Please remove these permissions from your app.
This is my manifest containing permissions I have declared
SMS permission is no more allowed to read OTP as android is going to give this feature to users out of the box.
You have to register as a messaging app to get SMS and CALL_LOG permissions.
So recently, Google changed its policies, read it at XDA
Same thing happened with my app, It got removed from play store, for using SMS features.
You need to remove those permissions from Android Manifest and if you need to send a message to someone, you need to use Intents to form a message and fill out the messaging app and user has to manually send the message.
Or if you are trying to access SMS permission for automatic OTP, there are other ways to do it.
As it turns out, you need to fill a form. Read this article from Google and refer to this answer on StackOverFlow
Do not update your minSdkVersion in this release. You need to rollout removal of permissions for all of your users.
Try deactivating previous versions of your apk on play console. If you updated minSdkVersion of your app and did not deactivate older apks, older devices are still served the apk with permissions.
This worked for me!

Google Play Game Service adds an unwanted permission in my app (Phone status and Identity)

I am using Google Play Game Service and the BaseGameUtils lib in my game, but it adds the Permission "Read Phone Status and Identity" in my app.
Is this strictly necessary? I have seen other apps that makes use of the Google Play Game Service without requiring that permission.
The build.gradle of the BaseGameUtils compile against "com.google.android.gms:play-services-games:8.1.0" API.
(It also compiles with play-services-plus but this is not causing the problem)
I have tested with older/newers versions (7.5.0 / 8.4.0) but its the same.
Thanks in advance.
EDIT:
I also check the required permissions required by the play-services-games in the Manifest for the component: ANDROID_SDK/extras/google/m2repository/com/google/android/gms/play-services-games/7.5.0/play-services-games-7.5.0.aar but it has not "uses-permission" tags.
(What permissions are needed by each Google Play Services component?)
EDIT#2:
My Solution was to remove it explicitly in the app Manifest using this line:
<uses-permission android:name="android.permission.READ_PHONE_STATE"
tools:node="remove"/>
I found that neither of both APIs adds me none permission, but apparently when I compile with the BaseGameUtils it does (despite that the BaseGameUtils's Manifest adds none permission). It is really weird
Play Game Services definitely does not require any permissions (Implicitly is uses the internet permission to communicate with the server). An now the latest version of play-services-games (8.x) does not have dependencies on plus either.
To confirm, I suggest building one of the samples from Android Basic Samples and verify which permissions are used in the sample.
Next, I'd review any other libraries that you are including (ad providers? analytics providers?) to see if their libraries require phone permission.

Google Drive API Manifest Permissions

this isn't really a big problem. I've got an Android App that stores user's passwords on a SQLite Database. So last week I launched an update that allows the user to export those passwords to their Google Drive. To do this, I've used the Google Drive Android API. I didn't add any special permission to the Application Manifest (AndroidManifest.xml) and it works fine (tested on KitKat4.4). But one of my friends told me that it might not work on Android 6.0+, because I should always ask for permissions. But I checked some samples and none of them had those permissions on the Manifest. Do you guys think it's necessary to add permissions? Perhaps INTERNET or GET_ACCOUNTS?
If you are using the Google Drive Android API you don't need INTERNET or GET_ACCOUNTS permissions.
The API automatically handles previously complex tasks such as offline access and syncing files. This allows you to read and write files as if Drive were a local file system.
Check the official Quickstart and the demos sample on GitHub. None of them is having special permissions in the AndroidManifest.xml.
BUT if you are using the Google Drive REST API for Android then you need INTERNET permission for sure.
If you follow the tutorials on Drive API using Android, you will see in the Step 4:Prepare the project that you need to add the permissions below in your code.
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
The permission "android.permission.INTERNET" is used if you want your application to connect/perform network operation.
For the "android.permission.GET_ACCOUNTS", it's stated in this documentation that:
Note: Beginning with Android 6.0 (API level 23), if an app shares the
signature of the authenticator that manages an account, it does not
need "GET_ACCOUNTS" permission to read information about that account.
On Android 5.1 and lower, all apps need "GET_ACCOUNTS" permission to
read information about any account.
For more information about different meaning/uses of android permission, check this page.
According to the Google Maps API documentation, INTERNET and ACCESS_NETWORK_STATE permissions will be automatically merged to project's manifest, meaning you don't have to specify them by yourself as long as calling API over Google Play services.
Couldn't find the same description for Google Drive API, though.

Categories

Resources