google play warns about added permission 'android.permission.READ_CALL_LOG' - android

I've just tried to submit a new version of my app without any changes in the permissions. However, google play's upload apk tells me that I've added the permission 'android.permission.READ_CALL_LOG', which I didn't. These are currently my permissions:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
Any ideas what the reason could be for this? (I don't want to add a new permission, my users don't like that very much)

I had this:
<uses-sdk
android:minSdkVersion="11"
android:targetSdkVersion="14" />
Which led to that in aapt dump badging:
uses-permission:'android.permission.READ_CALL_LOG'
uses-implied-permission:'android.permission.READ_CALL_LOG','targetSdkVersion < 16 and requested READ_CONTACTS'
Then I changed it to that:
<uses-sdk
android:minSdkVersion="11"
android:targetSdkVersion="16" />
Now the implied permission went away.

This just happened to me. My app has :
ACCESS_WIFI_STATE, INTERNET, and BROADCAST_STICKY
but when I upload the apk to google play I get 6 permissions:
android.permission.ACCESS_WIFI_STATE
android.permission.INTERNET
android.permission.BROADCAST_STICKY
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_PHONE_STATE
android.permission.READ_EXTERNAL_STORAGE
I changed the min and target sdk versions from 3 to 4 and the extra permissions went away.

My "aapt dump badging" tells that READ_CALL_LOG is implied by READ_CONTACTS.
uses-implied-permission:'android.permission.READ_CALL_LOG','targetSdkVersion < 16 and requested READ_CONTACTS'
Still, this appears to have been changed at some time. All my previous version (last 2 weeks ago) of the same app don't imply that permission, although I did not change any permissions for months.

Change the targetSdkVersion to 16 will cause the menu key disappeared on the devices > 4.0.
For I add the sherlock project in the app.

The doc already mentions this
http://developer.android.com/reference/android/Manifest.permission.html

Related

Android studio does not compile permission in manifest

I bumped into a very strange problem, the studio compiles all the manifest permissions except one:
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
Tested in other compilers - the permissions successfully compiled.
How can you solve this truly strange problem?
My full list of permissions:
<uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INTERNET" />
If the app targets API level 23 or higher, the app user must explicitly grant this permission to the app through a permission management screen. The app requests the user's approval by sending an intent with action ACTION_MANAGE_OVERLAY_PERMISSION. The app can check whether it has this authorization by calling Settings.canDrawOverlays().
I solved this problem by modifying the build.gradle file.
I changed targetSdkVersion from 26 to 19 (any version that <19)
But I'm not sure if this is the best solution
You cannot use SYSTEM_ALERT_WINDOW permission, because it has signature protection level.
See signature protection level - clarifying
and see https://developer.android.com/guide/topics/manifest/permission-element.html
Also you cannot use BIND_ACCESSIBILITY_SERVICE permission, it has signature protection level too.

Android Marshmallow, api 23, permissions broken on a Cordova application

I inherited a Cordova hybrid application with an error in its manifest file. The targetSdkVersion is set to 24 which, as far as I am concerned doesn't exists yet.
The app wasn't tested on an Android 6 device so it was uploaded to Play Store with that error. Since the permission model on Android 6 has changed the app crashes on those devices.
03-12 21:10:05.991 24366-24475/? E/PluginManager﹕ Uncaught exception from plugin
java.lang.SecurityException: getDeviceId: Neither user 10111 nor current process has android.permission.READ_PHONE_STATE.
at android.os.Parcel.readException(Parcel.java:1620)
at android.os.Parcel.readException(Parcel.java:1573)
at com.android.internal.telephony.ITelephony$Stub$Proxy.getDeviceId(ITelephony.java:4207)
at android.telephony.TelephonyManager.getDeviceId(TelephonyManager.java:706)
at org.pgsqlite.SQLitePlugin.getAppKey(SQLitePlugin.java:783)
at org.pgsqlite.SQLitePlugin.executeSqlBatch(SQLitePlugin.java:347)
at org.pgsqlite.SQLitePlugin.executeAndPossiblyThrow(SQLitePlugin.java:195)
at org.pgsqlite.SQLitePlugin.execute(SQLitePlugin.java:93)
at org.apache.cordova.CordovaPlugin.execute(CordovaPlugin.java:95)
at org.apache.cordova.PluginManager.exec(PluginManager.java:130)
at org.apache.cordova.CordovaBridge.jsExec(CordovaBridge.java:59)
at org.apache.cordova.engine.SystemExposedJsApi.exec(SystemExposedJsApi.java:41)
at org.chromium.base.SystemMessageHandler.nativeDoRunLoopOnce(Native Method)
at org.chromium.base.SystemMessageHandler.handleMessage(SystemMessageHandler.java:39)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:148)
Thanks to this blog I found that if I change the targetSdkVersion to 22 the app works as before
http://inthecheesefactory.com/blog/things-you-need-to-know-about-android-m-permission-developer-edition/en
And the documentation shows how to ask for permissions at run time:
http://developer.android.com/intl/es/training/permissions/requesting.html
I have several questions regarding this issue.
If I downgrade the targetSdkVersion to 22 (or 23 for that matter) and upload the app to Play Store, would the app update if I increase the version? I don't really know what would happen.
How should I work with permissions on Android Marshmallow on a cordova App? Should I ask for permissions int the activity overriding the default one created by Cordova after installation?
Are there any other ideas to solve this issue?
Here is my manifest.xml file.
<?xml version='1.0' encoding='utf-8'?>
<manifest android:hardwareAccelerated="true" android:versionCode="10000" android:versionName="1.0" android:windowSoftInputMode="adjustResize" package="com.myorg.myapp" xmlns:android="http://schemas.android.com/apk/res/android">
<supports-screens android:anyDensity="true" android:largeScreens="true" android:normalScreens="true" android:resizeable="true" android:smallScreens="true" android:xlargeScreens="true" />
<uses-sdk android:minSdkVersion="14" android:targetSdkVersion="24" />
<application android:allowBackup="true" android:icon="#drawable/icon" android:label="#string/app_name">
<blablabla />
</application>
<uses-permission android:name="android.permission.READ_CALENDAR" />
<uses-permission android:name="android.permission.WRITE_CALENDAR" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES" />
<uses-feature android:glEsVersion="0x00020000" android:required="true" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
</manifest>
If I downgrade the targetSdkVersion to 22 (or 23 for that matter) and upload the app to Play Store, would the app update if I increase the version? I don't really know what would happen.
You can upload a new app built against API 22 to the Play Store and subsequently upload a build against API 23 - this will work fine. However (as #jcesarmobile points out in the comments), we're pretty sure Google won't let you downgrade to API 22 if you have an existing app in the Play Store that's been uploaded with API 23. So your choices here are to fix it for API 23 (best option) or otherwise change the package name and publish it as a new app built with API 22, then remove the old one (not ideal).
Currently there's nothing forcing you to build against API 23, and so in the short term you can continue to build and deploy against API 22. However, I would think at some point Google will require uploaded builds to use API 23, otherwise the type of malicious apps that runtime permissions are designed to combat will just continue building against API 22 and bypassing runtime permissions
How should I work with permissions on Android Marshmallow on a cordova App? Should I ask for permissions int the activity overriding the default one created by Cordova after installation?
Most (if not all) of the core plugins provided by Cordova (e.g. cordova-plugin-camera), and some 3rd party plugins, have been updated to request the necessary runtime permissions that they use when building/running on API 23. So the first thing is to make sure the plugins in your project are up-to-date with the most recent releases. I wrote a little tool to for managing plugin updates which makes this process a bit easier: cordova-check-plugins.
From the error message you posted, it appears that the crash is due to the READ_PHONE_STATE permission not having been requested by the plugin, which looks to be the SQLite storage plugin. Not sure if this plugin has been updated to request/step around runtime permissions, so check that first. A simple plugin update might resolve this one.
If not, or for other plugins which don't yet support requesting of API 23 runtime permissions, you have two options:
Modify the plugin source code to request the necessary runtime permissions. This will take a bit of Java surgery. The Cordova plugins make use of a re-usable Permission helper class which makes this easier. You could optionally feed back your changes to plugin authors with a pull request.
Use cordova-plugin-diagnostic to request the permissions required by the non-compliant plugins. This can be done in the Javascript layer and doesn't requiring modifying the plugin source code.
Firstly, you need to determine which permissions the plugin uses. You can look in the plugin.xml for this. If for some reason the plugin doesn't add the relevant <uses-permission/> element to the AndroidManifest.xml, you can add it explicitly to your config.xml (note that cordova-plugin-dignostic will not add <uses-permission/> elements for you).
Then wrap the Javascript call to the plugin with a call to cordova-diagnostic-plugin to check and request the relevant runtime permission as appropriate. Using READ_PHONE_STATE as an example:
function requestPermission(){
cordova.plugins.diagnostic.requestRuntimePermission(function(status){
switch(status){
case cordova.plugins.diagnostic.runtimePermissionStatus.GRANTED:
console.log("Permission granted (or already granted) - call the plugin");
// call SQLite plugin
break;
case cordova.plugins.diagnostic.runtimePermissionStatus.DENIED:
console.log("Permission denied - ask again");
alert("Come on user, we really need this. I'll ask again...");
requestPermission();
break;
case cordova.plugins.diagnostic.runtimePermissionStatus.DENIED_ALWAYS:
console.log("Permission permanently denied");
alert("Well that's it, we're dead Jim");
navigator.app.exitApp();
break;
}
}, function(error){
console.error("The following error occurred: "+error);
}, cordova.plugins.diagnostic.runtimePermission.READ_PHONE_STATE);
}
requestPermission();
Simply update your cordova-android version to 7.1.4 and it will works with targetSdkVersion > 22.
Here is the related issue on github: https://github.com/apache/cordova-android/issues/606

Why does my app has the READ_PHONE_STATE permission although it's not declared in manifest?

I noticed the READ_PHONE_STATE permission when I uploaded the apk to google play.
I have not added it and it is not written anywhere in my manifest or any other file of my project. (I looked through all libraries for this permission)
My app did not have this permission in my previous build with same libraries. Since last build I updated android studio to version 1, updated my android sdk and made a few changes (in code) to my app. I don't request the device ID in my app.
My app has minSDK 14 and no ads.
Here are my manifest permissions:
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
Here's the apk file
I was able to resolve the problem. It's similar to the solution of reneph.
I found that one library had no minSDK specified neither in the build.gradle nor in the manifest file. After adding
defaultConfig {
minSdkVersion 14
targetSdkVersion 21
}
the permission was gone. I don't know why it worked without the permission on my previous build (also no minSDK specified). Must have been either the Android Studio 1.0 or the Android SDK update.
Android developer documentation for READ_PHONE_STATE permission:
Note: If both your minSdkVersion and targetSdkVersion values are set to 3 or lower, the system implicitly grants your app this permission. If you don't need this permission, be sure your targetSdkVersion is 4 or higher.
I found the issue.
I had another library included that had minSdkVersion="4" (its not my library, but my app requires minSdkVersion="14").
I just changed the minSdkVersion of the additional library to 14 and the permission disappeared!
I declared the following permissions in my app:
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="com.android.vending.BILLING" />
<uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
<permission-group android:name="android.permission-group.STORAGE" />
--- WORKED FOR ME!--
I tried so many things on manifest, which mentioned here and other forums.
At the last, I noticed that the error message, The apk upload error message wants to add "Privacy Policy URL" into Store listing / Privacy policy section. (which checked "Not submitting a privacy policy URL at this time").
So, I add my privacy policy URL from my website, then submit. later, I successfully uploaded my apk.
One cause could be a (transitive) dependency, i.e. a library, that declares a minimum required Android SDK level below 4. In this case the "manifest merger tool" will add those permissions implicitly.
Lower-priority manifest declares Permissions added to the merged manifest
targetSdkVersion <= 3 WRITE_EXTERNAL_STORAGE, READ_PHONE_STATE
targetSdkVersion <= 15 and using READ_CONTACTS READ_CALL_LOG
targetSdkVersion <= 15 and using WRITE_CONTACTS WRITE_CALL_LOG
Source: https://developer.android.com/studio/build/manifest-merge#implicit_system_permissions
Look into the manifest-merger-*-report.txt log, found in build/outputs/logs if this was case.

Why am I requesting "Device ID & call information" permission on Android?

Testing my Android app (made in Unity) on the live store shows that it requests "Device ID & call information". As far as I can tell, I don't request these permissions. Here are the permissions I request in my AndroidManifest.xml file. Is this a permission required for all apps? Or is it hidden under one of these other permissions?
<uses-permission android:name="com.android.vending.BILLING" />
<uses-sdk android:minSdkVersion="9" android:targetSdkVersion="19" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
Thanks!
I just spent an absurd amount of time trying to resolve this so figured I would share with anyone out there going through a similar agony.
Removing the permissions from your manifest will not necessarily remove them from the final build. Unity auto-detects required permissions from all included libraries. The libraries which are most likely causing you to have this permission included are from the Facebook sdk.
If you want to keep the Facebook sdk in the build, there's a relatively straightforward solution. Remove the Facebook SDK (completely) and install a version <= 7.80. For whatever reason, the changes to the sdk in 7.9+ prompt Unity to auto-include the READ_PHONE_STATE permission which triggers the Device ID & Call Information permission warning in google play.

How to fix HARDWARE_TEST permission error?

i'm developing an android app which uses some hardware parts like camera or Wi-Fi, and i'm using HARDWARE_TEST permission in the manifiest:
<uses-permission android:name="android.permission.HARDWARE_TEST">
I never have had any issue with that, but now suddenly when I eclipse and manifiest file, a new error is shown in this line:
"Permission is only granted to system apps"
The only way i've got to fix it is deleting this line.
Why is this error?? How can I fix it?
Thanks
Edited:
I have found the solution and answer my own question:
My problem was in android:targetSdkVersion value in manifiest which was 15 and proyect build target was checked API level 16 (Android 4.1.2)
<uses-sdk
android:minSdkVersion="2"
android:targetSdkVersion="15" />
So i have changed android:targetSdkVersion value to 16 and Proyect properties > Android > "Proyect Buid Target" checked 16 too.
There are several permission protection level for Android Permissions: Normal, Dangerous, System and signatureOrSystem.
signatureOrSystem Permission can only be granted to System applications. And For permissions in signature level:
A permission that the system grants only if the requesting application
is signed with the same certificate as the application that declared
the permission. If the certificates match, the system automatically
grants the permission without notifying the user or asking for the
user's explicit approval.
Here is the permission definition syntax.
Here is the definition of the HARDWARE_TEST permission:
<!-- Allows access to hardware peripherals. Intended only for hardware testing -->
<permission android:name="android.permission.HARDWARE_TEST"
android:permissionGroup="android.permission-group.HARDWARE_CONTROLS"
android:protectionLevel="signature"
android:label="#string/permlab_hardware_test"
android:description="#string/permdesc_hardware_test" />
It is a signature permission in Android 4.2, so it can only be granted to app with the same signature(signed by vendor). So your application cannot request that permission.
If you want to directly manipulate hardware, you may need a rooted device.

Categories

Resources