Android limit CALL_PHONE permission to avoid hidden calls - android

The Android docs for the CALL_PHONE permission reads:
"Allows an application to initiate a phone call without going through the Dialer
user interface for the user to confirm the call being placed."
Also this message is prompted to the user when he installs the app.
Reading that the application may start hidden calls can possibly discourage installation for some users.
Since my app does NOT start hidden calls, I wonder if there is a way to limit this behaviour, possibly with a more strict permission, to avoid displaying that dreadful message to the user.

Here is my corrected solution:
Intent callIntent = new Intent(Intent.ACTION_DIAL);
callIntent.setData(Uri.parse("tel:" + 1234));
startActivity(callIntent);
This doesn't require any permissions and just open the dialer. Should be exactly that what you were looking for.

I don't think it's possible. There are 2 permissions associated with phone calls (CALL_PHONE, CALL_PRIVILEGED) with CALL_PHONE being the less restrict one. Google Play will always show that discouraging description for any application holding these permissions.
If this permission is really important for your application, leave it as it is. But opening the dialer instead of calling is a much better option for the user experience (In most of the cases), so try using it instead (You said you're notifying the user anyway... So why can't you show the dialer instead of that notification?)

Related

Huawei Android devices - properly requesting permissions for background locations

We develop an application which requires several permissions in order to get the user’s location while in the background.
We are having problems requesting the required permissions on Huawei devices. It seems that in addition to location permission and white listing the app from battery optimizations, an additional step is required in order to disable battery optimizations and enable auto launching:
The problem is we found no way of automatically requesting permission from the user, and the only way we found is having the user manually go to these screens and change the settings.
We did find a shortcut to take us “half way”, to the application settings:
Intent intent = new
Intent(Settings.ACTION_APPLICATION_DETAILS_SETTINGS);
intent.setData(Uri.parse("package:"+context.getPackageName()));
But multiple non intuitive actions are still required from the user.
Our aim:
We would very much like to make the process easier for the user. Optimally, to have a system dialog appear which asks the user for the permissions, instead of having him manually change the settings, much like the whitelisting of normal Android devices:
Is it possible using a Huawei specific SDK extension?
If (1) is not possible, at the very least we need a way to know if the user changes these settings or not. Currently we don’t know and cannot inform the user if the application works properly or not!
Are you expecting that your app displays a permission popup so that users can easily assign related permissions to your app?
If yes, you can integrate HMS Core Location Kit into your app. Before performing an operation requiring a permission, your app dynamically checks its permissions.
If your app does not have the required permission, it will display a popup to prompt the user to assign the permission. You can implement the popup with few code lines and users can easily assign permissions in the popup. For details, visit https://developer.huawei.com/consumer/en/doc/development/HMS-Guides/location-guidev4.
In addition to dynamic authorization, do not forget to apply for static permissions in the Manifest file.

Grant permissions via voice input

Since Android 6 permissions can be requested on runtime. The user has the chance to grant or revoke permissions. He is always asked by the UI in form of a dialog popping up.
Is it somehow possible to grant permissions via voice input? I searched by myself but didn't find any approach for that. Is there any information to find about this topic? At least maybe some research how to make that possible maybe in future Android versions?
It would be great to find any kind of useful information about. that topic
I do not think so. It would not be safe, the user could accuse the application after capturing his audio without permission, for example.
You must EXPLICITLY allow anything (even acess the microphone to capture anything) that involves application access. So it's complicated for you to define something as explicit when using voice. The user may claim that he was only in a normal conversation when the application was granted permissions, and this can cause problems ...

Why does Android PlacePicker not(!) require ACCESS_FINE_LOCATION permission to work?

The PlacePicker is a useful widget added in com.google.android.gms:play-services-places:9.4.0. Find the description here: PlacePicker
The documentation clearly states that you need the ACCESS_FINE_LOCATION permission for it to work.
On Marshmallow and above you also must ask the user to grant this permission.
But it seems to work without doing any of this! My app does
provide a maps API key
not define the permission in the AndroidManifest
not ask the user to grant this permission at any time
But running the app on an Marshmallow device DOES start the PlacePicker and I can
correctly select a place (not possible without the API key).
go to "My Location" via the MyLocation-Button (possible without API key)
Can anyone confirm this or has an explanation why this widget works without proper permissions granted?
The question is almost an year old but I was trying to find the same answer so it can help somebody else.
It's because PlacePicker works with "intent based request". The documentation is not very clear with it, but it says
1: Only use the permissions necessary for your app to work. Depending on how you are using the permissions, there may be another way to do what you need (system intents, identifiers, backgrounding for phone calls) without relying on access to sensitive information.
Source
And give some clue here:
If your requirement for access to user data is infrequent — in other words, it's not unacceptably disruptive for the user to be presented with a runtime dialogue each time you need to access data — you can use an intent based request. Android provides some system intents that applications can use without requiring permissions because the user chooses what, if anything, to share with the app at the time the intent based request is issued.
Source
I've figured it out testing permissions use cases with Marshmallow and Lollipop devices, comparing the result with PlacePicker that I thought could be using intent based permissions with MediaStore that use this kind of permission according to documentation:
For example, an intent action type of MediaStore.ACTION_IMAGE_CAPTURE or MediaStore.ACTION_VIDEO_CAPTURE can be used to capture images or videos without directly using the Camera object (or requiring the permission). In this case, the system intent will ask for the user’s permission on your behalf every time an image is captured.
For example, an intent action type of MediaStore.ACTION_IMAGE_CAPTURE or MediaStore.ACTION_VIDEO_CAPTURE can be used to capture images or videos without directly using the Camera object (or requiring the permission). In this case, the system intent will ask for the user’s permission on your behalf every time an image is captured.
Source

Android 6.0 Permissions - Where to place permission requests?

with Androids new permission system, I was wondering how to implement it right. The tutorials about how and when to use the permissions seem to be pretty clear. However, I don't know who requests the permissions and where to request them.
So, basically my question is: should the Activity, who starts another Activity request the permission beforehand or should the Activity which requires the permission place the request?
If the Activity which requires the permission should request for it, should I call requestForPermission inside onCreate or in onStart?
Though it seems to be very simple questions, I haven't found any hints in the documentation.
Thanks.
should the Activity, who starts another Activity request the permission beforehand or should the Activity which requires the permission place the request?
That is up to you. The main guidance is that there should be a clear tie from something the user does to your request for permissions:
If your app needs certain permissions to do anything meaningful, ask for them when your app starts up, perhaps after any sort of "welcome" presentation to advise them about why you need the permissions.
If your app needs certain permissions to do something based on the user performing some in-app action, like tapping on an action bar item or ListView row, ask for the permission when the user performs that action.
Asking for permissions at semi-random points in the app will simply lead to user confusion ("what did I do? why is it asking me this? and why are these questions appearing in an Stack Overflow answer?!?").
If your app can't function properly without a particular permission might be good to have a welcome permission flow where you explain why need the permissions and ask for the grants. For example : Google maps and location permission
If some specific parts of the app need a separate permission you can call the permission check just before doing a method call that needs permission. In this case you can create a wrapper for your function that needs contact permission and always call that wrapper instead of the actual method. For example : Google maps and microphone permission when you try to use the search with voice functionality
More details http://inthecheesefactory.com/blog/things-you-need-to-know-about-android-m-permission-developer-edition/en
also check out https://github.com/permissions-dispatcher/PermissionsDispatcher could reduce a lot of permission code.
When ever your X task struck due to some "Y" permission then only ask for permission. There is no point of asking in onCreate or onStart method.
if you ask for "Y" permission at the start of Activity then there is no difference between Android M and below model. Exploit the beauty of Android M. for example if your require storage permission for creating a temp it's better make a temp file in App internal area i.e /data/data/your package name/files/ rather than asking for storage permission to users. Overall my point is exploit these options as much as you before it become necessary condition to ask for "Y" permission.
Regarding Activity concern , your task must be running be over some fragment or activity let that activity handle the onRequestPermission results.

Options for dealing with Android 6.0's new permissions requirements from a service or model component?

I'm looking into porting some existing code to take Android M's new way of dealing with permissions into consideration. However the permission API needs to have an activity associated with it (for example the requestPermissions() method's first parameter is an activity).
So how should a service that needs to check if a permissions has been granted and request for permissions use this new API if the service doesn't have an activity?
Is it possible for the service to create a dummy invisible activity just for use with the permissions API? (if its possible I don't like the thought of doing that anyway though).
Or suppose its not a service but a model class that needs to perform a permissions check, in MVC a model shouldn't have any knowledge of the Vs and Cs and yet now either it has to in order to know which Activity to use with the permission API. Or potentially lots of code might have to migrate from model code into Activity code.
Any thoughts on how to migrate non activity based code that needs to check/prompt for permissions over to Android 6.0?
Update: I left out an important piece of information - this is code that is pre-installed (our company provides code that device manufacture's place in rom) and often may be run at device boot time and run in the background. Therefore the usual situation of a user being prompted for permission when they launch the app or later (and there therefore being an activity at that point) does not necessarily apply.
So how should a service that needs to check if a permissions has been granted and request for permissions use this new API if the service doesn't have an activity?
There is almost always an activity, except for pre-installed apps and plugins for other apps. Otherwise, your service is unlikely to ever run, as nothing will have used an explicit Intent to start up one of your app's components, so it will remain in the stopped state.
For the ~99.9% of Android apps that have an activity already, if the permissions are needed for the whole operation of the app, request them on first run. As Snild Dolkow notes, if the user later revokes the permission through Settings, you can detect that without an activity, then use other UI options (e.g., Notification, app widget) to let the user know that operation is suspended until they grant you the permissions again, which they would then do through your activity.
Is it possible for the service to create a dummy invisible activity just for use with the permissions API?
Presumably you can have a Theme.NoDisplay activity use requestPermissions(). However, from the user's standpoint, it will not make much sense, unless there's some alternative UI (app widget?) that they are interacting with. Popping up a permission dialog out of nowhere is unlikely to make you popular.
UPDATE 2019-06-15: Note that Android Q bans services popping up activities frmo the background. Please use a notification instead.
in MVC a model shouldn't have any knowledge of the Vs and Cs and yet now either it has to in order to know which Activity to use with the permission API
Do not touch the models until you have requested the permission, and gracefully fail if the permission is revoked. You already have to gracefully fail in other circumstances (out of disk space, no Internet connection, etc.), so a revoked permission should be handled in much the same way.
using this new 6.0 API seems like an recipe for bad design and tight coupling
You are welcome to your opinion. Based on what I have read, the Android engineers believe that asking the user for permissions is part of the user experience and is best handled at the UI layer as a result.
Again: the vast majority of Android apps will not have a problem with this, as they have a user interface. Apps that do not have a user interface and need dangerous permissions are in for some amount of rework.
this is code that is pre-installed (our company provides code that device manufacture's place in rom) and often may be run at device boot time
First, please understand that this is so far from normal that you can't even see normal from where you are due to the curvature of the Earth. :-) You can't really complain that Google did not optimize this particular scenario.
As I understand it, even system apps should be asking for runtime permissions. The Camera app did, for example, on the 6.0 preview. That being said, there's gotta be some database on the device somewhere that is tracking what has been granted, and presumably there is some way to pre-populate it. However, the user could still revoke it from Settings, presumably. But, the manufacturer could pull some stunts (e.g., messing with the Settings app) to possibly even preclude that scenario. I'd be looking in the same area as "how do I get it so my app cannot be force-stopped?" that device manufacturers can do.
Your alternatives would be to get rid of the dangerous permissions or to migrate your app off the SDK and into a standard Linux binary that would be run as part of the boot process and be put into a Linux user group that has access to the stuff that you need.
Ask for it when the user enables whatever feature your service provides. They'll be in one of your activities at the time. Yes, it means that your activities need knowledge of what permissions your services will require.
The service can always check for the permission by itself, though, since checkSelfPermission() is available in all Context instances. So you don't need an activity for that.
I guess an alternative would be to have your service post a notification saying "feature X requires you to approve more permissions". Actually, that may be a good idea regardless, in case the user goes into settings and revokes any permissions after the fact. That notification would then take the user to some activity with an "enable feature X" button/checkbox -- ask for the permission when that is selected.
You can send a notification. Look this library to manage the permissions: permission library

Categories

Resources