I am working on a software that analyzes android apps. While reviewing the results I found that several devs had mixed case in their permissions e.g. ACCESS_iNTERNET
Is the permission handling not case-senstive?
They are case sensitive. Not documented, but I tried it.
Anyway, android.permission.ACCESS_INTERNET or android.permission.ACCESS_iNTERNET won't change anything because the correct name is android.permission.INTERNET. http://developer.android.com/reference/android/Manifest.permission.html#INTERNET
Related
I'm just trying to justify the permissions that my app requires and realize that I can't remember why I needed android.permission.READ_LOGS
I can't seem to figure out which classes I use need this permission. I've commented out the permission and the app builds fine. However it builds fine if I remove all permissions. Running it crashes for some of those missing permissions, however I can't figure out which function uses the READ_LOGS permission.
Is there something in android studio that will flag missing permissions if you comment out ones you need? Or some cross reference of classes to permissions?
I really don't want to ask users for permissions that are not needed nor justified at least.
If you are using any critical Permission then android studio will definitely point out by showing error that permission is missing for function.
If you are specifically asking about android.permission.READ_LOGS so this permission allows an application to read the low-level system log files. Means for the devices when you want to read the log then this is used.
Other way is you can check the Official Doc of permission that which permission is used for which purpose so you can match it with set in your Manifest file. Keep the one you need and remove the one you dont need. But in coding it ll just point for the Critical permissions otherwise it ll give error when you are executing your app during testing.
Hope you got the answer. If any doubt then you can comment below.
TL;DR
Given an .apk file and its Manifest.xml decoded, is it possible to tell which libraries/(ad-)modules it ships bundled with – and if so, how?
Detailed question
I've checked with the Manifest specifications and saw the <uses-library /> element – but that's for shared libraries the app expects to be present on the device it shall be installed onto, and thus (AFAICT) not of relevance in this context. I've also checked several "example Manifest.xml files" to see what I would find (and yes, if one knows what to look for, one can e.g. identify AdMob by its declared <activity />). But except from "guess-work", I was unable to figure an "structured approach" valid for (mostly) all cases one might encounter in the real-world.
So what I'm looking for is to write a script which I can pass an .apk file to, and which then spits out a list of libraries and ad-modules used. I'm not asking you to provide me with that script (though I definitely wouldn't reject if offered that; I wouldn't be surprised to hear someone has done that already) – but rather for the core point of what the "identifiers" would be. General approaches are of course welcome as well. If that includes other calls to e.g. aapt, that's of course OK. And if I'm on the completely wrong track, and that information has to be looked for at another place, I'd definitely like to hear those details, too :)
In case it's relevant (e.g. for other "external tools" needed), I'm working on Linux – so Windows tools wouldn't do.
AndroidManifest file has nothing to do with libraries which used in app. And I don't think that there is a way to get list of used libraries, except to check decompiled code and try to match it by package name. But in case if that code obfuscated with Proguard, I think your goal is almost unreachable.
I am working with a project that contains imageloader through Picasso API.
When I try to add uses-permission of INTERNET through
android.permission.INTERNET
it works perfectly but when i use ANDROID.PERMISSION.INTERNET
it doesn't work.
Android is case-sensitive. android.permission.INTERNET is the proper value.
You may be encountering this code-completion bug in Android Studio.
As you have discovered, permissions are case sensitive.
In the case of the INTERNET permission, the permission is defined as android.permission.INTERNET. If your casing does not match how the permission is defined, the framework doesn't know what permission you are trying to request.
Note that application developers can define permissions however they want, but the convention is <packagename>.PERMISSION_NAME.
In a case-sensitive language, a is 97 and A is 65. They are different.
I've mentioned the following permission:
<uses-permission android:name="android.permission.NFC" />
in my manifest.xml. But NFC code is no more in use and I commented the source code. Means NFC is no more in use for my app, but while installing the app, it's still shows in installing window.
So, is it possible in android that don't ask for permissions mentioned in Manifest.xml file, if code is not in use? Thanks
No, it is not possible, because the Android system has no idea which permissions your application requires before run-time. Picture the following scenario:
You are writing an application, not specifying NFC permission as you're not using it in your code, but you ARE using a framework that in 50% of the implementations do use NFC (device manufacturer specific framework).
The Android system has no way of telling if the NFC permission is required and thus it relies on your explicit instruction for permissions
As I'm sure you've noticed, an exception will be raised if the permission does not exist for the specified action
The only way to make sure the requirement is gone is to remove the permission from the manifest (and frankly, is it that much of a deal?)
Besides commenting out the unnecessary codes, you have to remove the permission from your manifest as well.
If I wanted to research how and where permissions [requested in the Mainfest.xml] were used in an Android app for the purposes of removing them is there an easy way of doing this? Does lint or findbugs offer some sort of support for tracking permissions used/abused in a project?
I came from the future to save your lives.
Here (in the future), LINT does check for missing permissions as you can see on LINT checks.
So, go to your AndroidManifest.xml and remove all tags <uses-permission> using Android permissions (meaning, don't delete permissions that belong to your app, such as UA_DATA and C2D_MESSAGE).
Then run LINT analysis. Click on Analyze then Inspect Code...
Look under Android -> Constant and Resource Type Mismatches
You should see all missing permissions.
Then you can just right-click them and select Apply fix "Add Permission". If you select this option, Android Studio will include one permission for every error. So you'll end up with multiple copies of the same permission on your Manifest file, just delete the duplicates. You can do it manually too.
Here is the description of the LINT rule:
ID ResourceType
Description
This inspection looks at Android API calls that have been annotated with various support annotations (such as RequiresPermission or UiThread) and flags any calls that are not using the API correctly as specified by the annotations. Examples of errors flagged by this inspection:
Passing the wrong type of resource integer (such as R.string) to an API that expects a different type (such as R.dimen).
Forgetting to invoke the overridden method (via super) in methods that require it
Calling a method that requires a permission without having declared that permission in the manifest
Passing a resource color reference to a method which expects an RGB integer value.
...and many more. For more information, see the documentation at http://developer.android.com/tools/debugging/annotations.html
I'm using Android Studio 2.1.2.
In your app manifest file you should have a tab "Merged Manifest" there you can see your final manifest and the permissions you request you can click on a permission to see where it came from. (who added it - ex': sdk or what code it came from)
There is also a simple way to remove a permission by adding to manifest:
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
tools:node="remove" />
Also remember to add the tools at the top:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
package="...">
The way I would do it for an app for which I didn't write the code would be to remove the permissions one by one and test the app end-to-end each time. When it fails, narrow it down. If not, that permission may not be used.
You will have to try removing them one by one and checking i fthe app still works OK. This is not checked by lint in any way (it should be).
When they come back (they are currently down), you can upload your apk to this website (if that's ok with you) and let them statically analyse the permissions you are using: http://www.android-permissions.org/
Best way is to understand what the may actually do. If it is ever going to use the camera then you know you need the camera permission.
Or you could just learn what your app does and then go through the permissions and see which ones are extra. What does your app do, what phone features does it use. There should be some documentation somewhere on what it should do and what methods are in there