On the Google Play webpage for every application there is a permission section. Almost all of these applications uses some standard terminology to describe their permissions like "READ PHONE STATUS AND IDENTITY", "SEND SMS","FULL INTERNET ACCESS" etc. However on the Android Developer's page the permissions are listed as constants and their descriptions but not the standard terminology found at the Google Play webpage of the application.
For eg.There is a String Internet with the description Allows applications to open network sockets but not the FULL INTERNET ACCESS permission which is generally used for this description.
Is there some link which provides a mapping of the permission constants to these standard permission notation?
"READ PHONE STATUS AND IDENTITY" this is nothing but description about the permisson.U can get the Description about all permission using Packagemanger class in android.PermisionInfo is the class which will give u the Description-
PermissionInfo pinfo = packageManager.getPermissionInfo("Specify permisson constant", PackageManager.GET_META_DATA);
pinfo.loadLabel(packageManager).toString();
I guess you are looking for Manifest Permissions.
Which are defined in your project. Under AndroidManifest.xml
And a list if you need
Eg. for some common permissions
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
Related
Say I have these permissions:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.GET_TASKS" />
<uses-permission
android:name="android.permission.PACKAGE_USAGE_STATS"
tools:ignore="ProtectedPermissions" />
I would like to tell the Play Store that these permissions are not required and are not to be used for filtering out devices. I found that with some permissions like bluetooth you can add the <uses-feature tag and then to that add android:required="false". For example:
<uses-permission android:name="android.permission.BLUETOOTH" />
<uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
<!-- Tells the Play Store that the above two permissions are not required -->
<uses-feature
android:name="android.hardware.bluetooth"
android:required="false" />
However I found no features to declare for any of the permissions I listed in the beginning of this post. So how am I supposed to tell the Play Store that they're not required?
So how am I supposed to tell the Play Store that they're not required?
You don't. No devices will be filtered out based on those permissions.
I would like to tell the Play Store that these permissions are not required and are not to be used for filtering out devices
No permissions are used directly for filtering out devices. As you noted, some permissions imply features, and you can declare that the features are not required.
I would like to tell the Play Store that these permissions are not
required and are not to be used for filtering out devices.
Don't worry! If your next update/package don't require some permissions, just remove those permissions from the mainfest.xml, and done. If you still have doubt, you can see the number of compitable device models during creation of release in your console.
I found that with some permissions like bluetooth you can add the
<uses-feature tag and then to that add android:required="false".
They are all for feature-based filtering and not for permissions. Because, features might be critical for some apps to work. If an app uses a feature which is not critical for its functionality, required=false might be helpful.
You can use like that:
<uses-permission android:name="android.permission.INTERNET"
tools:node="remove"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"
tools:node="remove"/>
While releasing the apk to play store, I found out that the my app requires the android.hardware.telephony feature but I haven't added it in manifest anywhere. I have also check the merged manifest in android studio and it also does not contain this feature so I think no third party sdk is adding this. What could be the source of this feature?
For reference, I have following permissions declared in the manifest:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
Also, when I make it optional using below code, the app is available on devices without this feature:
<uses-feature
android:name="android.hardware.telephony"
android:required="false" />
So why is required by default without adding it anywhere?
Google Play automatically adds some features, depending on which permissions you have requested.
As you have requested READ_SMS and RECEIVE_SMS permissions, this implies you use the telephony feature. So, Google Play reacts as if you had the following in your AndroidManifest.xml:
<uses-feature
android:name="android.hardware.telephony"
android:required="true" />
When you manually add this and declare it required="false", this tells Google Play that whilst you do ask for the permission, you can handle the case where the user does not have the telephony feature.
This is confirmed via this note in the docs:
Note: Some system permissions implicitly require the availability of a device feature. For example, if your app requests permission to access to BLUETOOTH, this implicitly requires the FEATURE_BLUETOOTH device feature.
The full list of permissions and the feature requirements implied is available here, and includes your situation:
Finally, with your ACCESS_COARSE_LOCATION you are also declaring a feature requirement on android.hardware.location, just for your information.
There's also further detailed information over on the GameDev StackExchange.
One or more of the dependencies / modules / libraries your project is using is adding that requirement to your Android Manifest.
To investigate open your main Android Manifest file in Android Studio, and click on the Merged Manifest tab at the bottom of the page.
This will show you a view of the final merged Manifest, along with sources of each line.
Read more about this here: https://developer.android.com/studio/build/manifest-merge#inspect_the_merged_manifest_and_find_conflicts
HOW TO FIX
If you wish to avoid adding that requirement to your final Manifest, you can use Node Markers in your Manifest to control how the merge works.
Read more about Node markers here: https://developer.android.com/studio/build/manifest-merge#node_markers
e.g. try this:
<uses-feature
android:name="android.hardware.telephony"
android:required="false"
tools:node="replace" />
A 3rd party security application reads into my application. They probably read my asset folder.
How is this possible? I thought that the sandbox model prevented from external access to the internal data structure of an app?
I've checked their permission. They are using: access_coarse_location, access_fine_location, access_network_state, change_network_state, internet, kill_background_processes, modify_audio_settings, manage_device_admins, wake_lock, read_sms, receive_sms, write_secure_settings, flashlight, vibrate, disable_keyguard, get_accounts, camera, read_phone_state, get_tasks, receive_boot_completed, read_external_storage, read_call_logs, write_call_logs, write_external_storage, write_media_storage, access_wifi_state, change_wifi_state
What are manage_device_admins and write_media?
I thought that write_secure_settings and write_media_storage were reserved for android?
Here are the permissions I am using:
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
<uses-permission
android:name="android.permission.PACKAGE_USAGE_STATS"
tools:ignore="ProtectedPermissions" />
<uses-permission android:name="android.permission.OPSTR_GET_USAGE_STATS" />
Is there any issues associated with android:allowBackup="true"?
They probably read my asset folder.
Sure. Other apps read other things out of your APK. For example, the home screen reads your icon and label for your launcher activity.
How is this possible?
The contents of your APK are world-readable. This includes assets/ and res/.
I thought that the sandbox model prevented from external access to the internal data structure of an app?
Android protects files created on internal storage. Those may hold private information for the user. Android does not protect the APK itself from inspection.
My application accepts certain files to be opened with the application but I've seen a couple crashes recently that say
java.lang.RuntimeException: Unable to start activity java.lang.SecurityException: Permission Denial: opening provider com.yahoo.mobile.client.android.mail.provider.MailProvider from ProcessRecord{42cb5ff0 7953:com.my.package/u0a10163} (pid=7953, uid=10163) that is not exported from uid 10147
In my AndroidManifest.XML I have the following permissions
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES" />
<uses-permission android:name="com.android.setting.permission.ALLSHARE_CAST_SERVICE" />
<uses-permission android:name="com.android.vending.BILLING" />
Is there any permission that I might be missing for specifically Yahoo?
I'm getting the feeling that it's specifically blocked. If so is there any way I can block attachments in Yahoo from being opened with my app? Thanks
Is there any permission that I might be missing for specifically Yahoo?
Not based on that error. That error indicates that Yahoo created a ContentProvider (com.yahoo.mobile.client.android.mail.provider.MailProvider) and screwed up their security. They should be using FLAG_GRANT_READ_URI_PERMISSION with their ACTION_VIEW Intent, to allow its otherwise-not-exported provider to provide you with the file contents.
If so is there any way I can block attachments in Yahoo from being opened with my app?
Catch the exception and point out to the user that the app that started you up is broken.
There is nothing you can put in the manifest to say "...but not Yahoo Mail".
i agree with CommonsWare that yahoo's app data provider is not configured right, they should do one of the following:
Declaring android:exported=true (without declaring any specific
permissions) which will give a free access to the content provider to
the external apps.
Declaring temporary permission specifying
android:grantUriPermissions=true on the provider tag in the manifest
and setting FLAG_GRANT_READ_URI_PERMISSION flag on the action intent.
But in my case i found another soulution:
Context.grantUriPermission((String toPackage, Uri uri, int modeFlags)
Normally this method should be called from the provider app granting access to another package, but in our case calling this method from our app:
grantUriPermission(BuildConfig.APPLICATION_ID, fileUri, Intent.FLAG_GRANT_READ_URI_PERMISSION);
gained access to the specified file, and we were able to open yahoo attachments.
I have a problem while publishing on the Market. My application does not use autofocus feature but when I publish it on the market I see in console following:
android.hardware.camera
android.hardware.camera.autofocus
And here are permissions and features that I request in manifest file:
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
Can anyone tell me what's the problem please?
Are the proper <uses-feature> tags included in your manifest? That means only
<uses-feature android:name="android.hardware.camera" />
The doc states:
For example, if an application requests the CAMERA permission but does not declare a element for android.hardware.camera, Google Play considers that the application requires a camera and should not be shown to users whose devices do not offer a camera.
from filtering based on implicit features
You can check this list and see that the two features mentioned by you are assumed when you use the camera permission and don't state anything in your manifest. Add the above code snippet and it should get reduced to just the camera-feature.