If I wanted to research how and where permissions [requested in the Mainfest.xml] were used in an Android app for the purposes of removing them is there an easy way of doing this? Does lint or findbugs offer some sort of support for tracking permissions used/abused in a project?
I came from the future to save your lives.
Here (in the future), LINT does check for missing permissions as you can see on LINT checks.
So, go to your AndroidManifest.xml and remove all tags <uses-permission> using Android permissions (meaning, don't delete permissions that belong to your app, such as UA_DATA and C2D_MESSAGE).
Then run LINT analysis. Click on Analyze then Inspect Code...
Look under Android -> Constant and Resource Type Mismatches
You should see all missing permissions.
Then you can just right-click them and select Apply fix "Add Permission". If you select this option, Android Studio will include one permission for every error. So you'll end up with multiple copies of the same permission on your Manifest file, just delete the duplicates. You can do it manually too.
Here is the description of the LINT rule:
ID ResourceType
Description
This inspection looks at Android API calls that have been annotated with various support annotations (such as RequiresPermission or UiThread) and flags any calls that are not using the API correctly as specified by the annotations. Examples of errors flagged by this inspection:
Passing the wrong type of resource integer (such as R.string) to an API that expects a different type (such as R.dimen).
Forgetting to invoke the overridden method (via super) in methods that require it
Calling a method that requires a permission without having declared that permission in the manifest
Passing a resource color reference to a method which expects an RGB integer value.
...and many more. For more information, see the documentation at http://developer.android.com/tools/debugging/annotations.html
I'm using Android Studio 2.1.2.
In your app manifest file you should have a tab "Merged Manifest" there you can see your final manifest and the permissions you request you can click on a permission to see where it came from. (who added it - ex': sdk or what code it came from)
There is also a simple way to remove a permission by adding to manifest:
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
tools:node="remove" />
Also remember to add the tools at the top:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
package="...">
The way I would do it for an app for which I didn't write the code would be to remove the permissions one by one and test the app end-to-end each time. When it fails, narrow it down. If not, that permission may not be used.
You will have to try removing them one by one and checking i fthe app still works OK. This is not checked by lint in any way (it should be).
When they come back (they are currently down), you can upload your apk to this website (if that's ok with you) and let them statically analyse the permissions you are using: http://www.android-permissions.org/
Best way is to understand what the may actually do. If it is ever going to use the camera then you know you need the camera permission.
Or you could just learn what your app does and then go through the permissions and see which ones are extra. What does your app do, what phone features does it use. There should be some documentation somewhere on what it should do and what methods are in there
Related
I am trying to build an app, as a self project, to understand permissions in detail. There are certain permissions, such as 'Bluetooth Connect' that was introduced in Android version 12 (API 31). Now if I am building an app with multiple features, say some of the features were introduced in the first version of Android, but some of them were introduced in the last version, do I have a method to check whether said permission exists in Android? The idea is to remove or restrict those features which are using APIs not defined and still have the app run on all phones.
For example, In my tests, I have noticed the permission when checked, using the ContextCompat.checkSelfPermission method, come back as 'Not granted' for permissions that are supposed to be undefined. Essentially, I want to know if there is a method of knowing whether the permissions are 'undefined'.
Additionally, I have seen some research papers go into the Android system logs and retrieve information. For example - . This is from the paper: Sleeping android: the danger of dormant permissions
I've tried to use ADB logcat to read the log files but not only is it very difficult, it doesn't say anything similar. Am I doing it wrong or was there an update which removed the information?
Even if I can see whether the permission exists or not via logs would be helpful.
Lint is set up to check this for you at compile time. It will force you to check that the SDK version is high enough to check for whichever permission you’re trying to use. For instance, if your minSdkVersion is lower than the version in which a permission constant was introduced, it will be a compile error to use that constant without wrapping it in an if statement that makes sure the SDK version on the device is high enough for it to exist.
I’m not sure how you have defeated this mechanism except that maybe you have compiled the app with Lint disabled.
The paper you linked is absolutely ancient. Lint probably didn’t help you with this back then.
My users are complaining that my app now requires "run at startup" permission according the listing on Google Play. I have no need for this permission so would like to remove it from my app. I assume it must be from a library that I use but which one? In the "Merged Manifest" there is nothing about "boot" or "startup". I just have these:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
How can I track this down? My users are acting like I'm the anti-Christ for having this extra permission and I look stupid(maybe accurately) for not knowing why. Also, is there a list somewhere that shows what permissions correspond to what text on the Play store description page?
I want to address the comment about removing the permission. I understand how that is done and that's not what I'm asking. I need to know how to find the permission. Else, how can you remove something if you don't know what is is? Also, I may want to keep the permission but need to explain what it is for to my end-users.
#Mike is probably correct about WorkManager API. Still the question is how did he find that out? Why doesn't Android Studio show the permission in the Merged Manifest?
Also, even stranger is that I have removed the WorkManager API so the permission should be gone. I did check out the code for the released version and there are no left over references to WorkManager.
The easy way is from Android Studio. First build your app. Then from the build menu select Analyze APK. From there you can see the full AndroidManifest.
https://developer.android.com/studio/build/apk-analyzer
In my case the permissions did not show up in the Merged Manifest tab. Could be a bug. I think what happened is that I used a library during beta testing. Removed the code that uses library but still had a reference in build.gradle. That added the permission to the released apk's Manifest.
I'm just trying to justify the permissions that my app requires and realize that I can't remember why I needed android.permission.READ_LOGS
I can't seem to figure out which classes I use need this permission. I've commented out the permission and the app builds fine. However it builds fine if I remove all permissions. Running it crashes for some of those missing permissions, however I can't figure out which function uses the READ_LOGS permission.
Is there something in android studio that will flag missing permissions if you comment out ones you need? Or some cross reference of classes to permissions?
I really don't want to ask users for permissions that are not needed nor justified at least.
If you are using any critical Permission then android studio will definitely point out by showing error that permission is missing for function.
If you are specifically asking about android.permission.READ_LOGS so this permission allows an application to read the low-level system log files. Means for the devices when you want to read the log then this is used.
Other way is you can check the Official Doc of permission that which permission is used for which purpose so you can match it with set in your Manifest file. Keep the one you need and remove the one you dont need. But in coding it ll just point for the Critical permissions otherwise it ll give error when you are executing your app during testing.
Hope you got the answer. If any doubt then you can comment below.
We are moving our app to SDK 23 and realize that we need to explicitly handle permissions in the code.
Instead of going through the entire code base, is there a best practice (or an IDE shortcut) that would help us determine all the places where we may need to use 'ContextCompat.checkSelfPermission' for each permission in the app?
If you are using Android Studio try this:
1- Click on Hector the Inspector (the small icon of a man with a moustache at the very bottom-right of Android Studio). This will show up an option to Configure inspections.
2- Type 'Permissions' into the searchbar, and ensure that "Constant and Resource Type Mismatches" is checked.
3- Run Analyse > Inspect Code.
You need to check for permission each time you use the functionnality who requires it, because you do not know witch path the user will follow in your app.
Remove all permissions node in Manifest, test your app and identify every time you get a permission denied error.
In Android studio 2.2 a new feature is implemented to make it easier to move your app to SDK 23. It is still work in progress howerver.
It is shown here. It adds an option to the refactor menu, which automatically implements the necessary permission checks.
I've mentioned the following permission:
<uses-permission android:name="android.permission.NFC" />
in my manifest.xml. But NFC code is no more in use and I commented the source code. Means NFC is no more in use for my app, but while installing the app, it's still shows in installing window.
So, is it possible in android that don't ask for permissions mentioned in Manifest.xml file, if code is not in use? Thanks
No, it is not possible, because the Android system has no idea which permissions your application requires before run-time. Picture the following scenario:
You are writing an application, not specifying NFC permission as you're not using it in your code, but you ARE using a framework that in 50% of the implementations do use NFC (device manufacturer specific framework).
The Android system has no way of telling if the NFC permission is required and thus it relies on your explicit instruction for permissions
As I'm sure you've noticed, an exception will be raised if the permission does not exist for the specified action
The only way to make sure the requirement is gone is to remove the permission from the manifest (and frankly, is it that much of a deal?)
Besides commenting out the unnecessary codes, you have to remove the permission from your manifest as well.