I've just created a very simple Android application that captures an Intent, manipulates it a bit, and sends out a new Intent. I transferred the app to my phone with adb install, and now looking at the app's requested permissions, I'm seeing that it requires permissions I never asked for:
read phone status and identity
modify or delete the contents of your USB storage
test access to protected storage
There's nothing in my manifest file requesting permissions, and the app itself is dead simple (here's the source on GitHub). Are these extra permissions added because I installed it with adb install, perhaps? Or is there something in my app that merits requiring these permissions that I'm just not seeing?
You are missing a <uses-sdk> element with android:minSdkVersion. These permissions were added to Android after its initial release, and apps supporting very old Android devices have these permissions "grandfathered in".
You really should add <uses-sdk> and add android:minSdkVersion, saying how old of an Android device (from an API level standpoint) you are willing to support.
Related
I'm receiving this email in apps compiled with api 29 and api 30.
These apps does not contains requestLegacyExternalStorage flag and does not contains MANAGE_EXTERNAL_STORAGE.
I already searched in manifest merger log, and in the final merged manifest, and didn't found requestLegacyExternalStorage flag inside.
These apps only have the old and deprecated WRITE_EXTERNAL_STORAGE in AndroidManifest.xml:
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
Is that old and deprecated permission which is firing that warning from google? is enough with removing that permission from my apps to get this issue solved?
Starting May 5th, you must let us know why your app requires broad
storage access
We've detected that your app contains the
requestLegacyExternalStorage flag in the manifest file of 1 or more of
your app bundles or APKs.
Developers with apps on devices running Android 11+ must use Scoped
Storage to give users better access control over their device storage.
To release your app on Android 11 or newer after May 5th, you must
either:
Update your app to use more privacy friendly best practices, such as
the Storage Access Framework or Media Store API
Update your app to declare the All files access
(MANAGE_EXTERNAL_STORAGE) permission in the manifest file, and
complete the All files access permission declaration in Play Console
from May 5th
Remove the All files access permission from your app entirely
For apps targeting Android 11, the requestLegacyExternalStorage flag
will be ignored. You must use the All files access permission to
retain broad access.
Apps requesting access to the All files access permission without a
permitted use will be removed from Google Play, and you won't be able
to publish updates.
I have a problem. If the app displays a website in a WebView and this website wants for example to access device files, does it require storage permission? The same with camera, geolocation etc. When I tried this, it works both with and without appropriate permissions (I tried that with geolocation and storage), but some people try to imply that the permissions are required. Why is that?
Yes, App do need permission even if webview wants to access camera or storage,
And it's because of security issues that you need permission for using camera or storage or anything for that matter even if you're using webview.
Because even if you use webview, ultimately you are going to use camera or any hardware so you need to ask permission.
Android 6.0 Marshmallow introduces a new model for handling
permissions, which streamlines the process for users when they install
and upgrade apps. Provided you're using version 8.1 or later of Google
Play services, you can configure your app to target the Android 6.0
Marshmallow SDK and use the new permissions model.
If your app supports the new permissions model, the user does not have
to grant any permissions when they install or upgrade the app.
Instead, the app must request permissions when it needs them at
runtime, and the system shows a dialog to the user asking for the
permission.
To learn more, see the documentation for Android 6.0 Marshmallow and
the changes you must make to your app for the new permissions model.
Google has added WebChromeClient.onShowFileChooser. They even provide a way to automatically generate the file chooser intent so that it uses the input accept mime types.
source
There is an app called bodyweight fitness on the play store without any permissions. It is available on git hub as well:
https://github.com/mazurio/bodyweight-fitness-android
I used the files from git hub and compiled the apk myself with Android Studio (without changing the files). When I try to install the self compiled app apk, it tells me that it will use the INTERNET though the play store app did not. There is no reason why this app should need any internet connection. Thus I removed this line from the AndroidManifest.xml
<uses-permission android:name="android.permission.INTERNET" />
After compiling and installing the app, it still tells me that it will use INTERNET. Does someone know why and how I can remove this permission?
PS: I asked the developer as well, but I got no response yet.
update:
You are right, it is added from another part aswell: crashlytics.
And you are right aswell about the hidden permission. It is shown in
the app details when the app is installed and it is shown in the play
store when you click on the "permissions" button.
Each android lib contains manifest file with package, permissions, acitivities etc so your app will show all permissions from dependencies. You may check final manifest creation log at {projectDir}/{moduleDir}/build/outputs/logs/manifest-merger-*-report.txt
This log will contain something like that
uses-permission#android.permission.INTERNET
ADDED from {myModulePath}/app/src/main/AndroidManifest.xml:6:5-67
MERGED from [net.hockeyapp.android:HockeySDK:4.1.1] /Users/devindi/.android/build-cache/ce70c6f87efc05633a59a88fccdb712db509e22d/output/AndroidManifest.xml:12:5-67
MERGED from [com.crashlytics.sdk.android:crashlytics:2.6.8] /Users/devindi/.android/build-cache/424d420499b90aec0a26ab1b5f575e318d0342b9/output/AndroidManifest.xml:9:5-67
MERGED from [com.crashlytics.sdk.android:beta:1.2.5] /Users/devindi/.android/build-cache/be2498e53f6aa976b3927954da943b23f0a800f6/output/AndroidManifest.xml:9:5-67
MERGED from [com.crashlytics.sdk.android:crashlytics-core:2.3.17] /Users/devindi/.android/build-cache/e5b1b150113ac2f0789b76a886f379cdafa8af2b/output/AndroidManifest.xml:52:5-67
MERGED from [com.crashlytics.sdk.android:answers:1.3.13] /Users/devindi/.android/build-cache/c86f3a3daec296cb6a32deb0b3d0c3f1370a024f/output/AndroidManifest.xml:9:5-67
MERGED from [io.fabric.sdk.android:fabric:1.3.17] /Users/devindi/.android/build-cache/0a51b13dbc46dc870c598edab9d128bf8f26a8d4/output/AndroidManifest.xml:29:5-67
As you see I requested network permission at my manifest and hockeyapp, crashlytics, fabric libs requested same permission also. https://developer.android.com/studio/build/manifest-merge.html
To force permission remove just add tools:node=”remove” to your permission declaration like that:
<uses-permission android:name=”android.permission.INTERNET” tools:node=”remove” />
This is because the INTERNET permission is a "harmless" permission. This means that you don't have to ask the user for permission, and that it will not show in the Google Play Store
Since Android 5.0, permissions have a "protection level". Some are dangerous, and some are normal. Normal means that you as an app developer do not have to ask the user for permission, and that it will not show in Google Play. Dangerous means that Google Play displays it and that you have to ask the User for permission.
Source and further reading: Android Developers
There is a difference between apps installed during development via your Android Studio, apps installed from an APK and apps installed from Google Play Store. Some permissions are granted automatically in the latter case, like for example the Internet or drawing on top of other apps. You need to take this into account while planning your deployment strategy.
I'm trying to use a custom permission created by another application (Bazaar) in my app (It's a permission to use a market com.farsitel.bazaar.permission.PAY_THROUGH_BAZAAR). Normally it works right.
But if Bazaar is installed after my application. My app won't get the custom permissions (Which are created by Bazaar) and throws exception. I want to know If anybody else has faced a similar problem and what solutions do you have to it?
This is a desired behaviour.
In the textbook, Android Security Internals: An In-Depth Guide to Android's Security Architecture by Nikolay Elenkov(2014) said:
The system can only grant a permission that it knows about, which
means that applications that define custom permissions need to be
installed before the applications that make use of those permissions
are installed. If an application requests a permission unknown to the
system, it is ignored and not granted.
BTW, permissions are assigned to each application at the install time by PackageManager, it maintains some information of installed packages, such as package name, version and permissions, these info are stored in /data/system/packages.xml. If you want to query all permissions on device, you can try pm list permissions.
A small question: I am trying to debug my App, developing in Android Studio, with my Smartphone. I have listed several uses-permission in my manifest. But when I debug the app, the smartphone does not ask me for the permission to use the permissions... will I nevertheless have access to my "uses-permission" permissions? If not, how can I debug it :D
Runtime permissions are a new thing on Android. They only work if your both Target API and the device you are using are level 23 or higher. If any of those is lower, then Runtime permissions do not work and old permission model is used. In old model, permissions are granted at install time and when you install your app via USB, you automatically accept all permissions. Still, in new permission model, you need to write code in async style, meaning that first you have to ask user for permission and supply a callback, in which you will know whether the user granted or denied specific permission. You can read more about that at officials docs.