I am actually preparing to release an app using the device's Google account to authenticate on a Google App Engine server.
To do that, I need these permissions:
USE_CREDENTIALS: obviously
INTERNET: obviously
GET_ACCOUNTS: to ask the user to select one of the Google accounts registered on his phone.
My problem is with GET_ACCOUNTS: I think it's quite intrusive to ask for this permission along with INTERNET: I would be able to get all his accounts (Google, Facebook, etc.) and send them to my server (I won't do that, of course!). But I fear this permission may scare users, and they may not download my app...
I had the idea to report this permission to another app, which wouldn't have the INTERNET permission. This app would be called with an intent, and return only the account chosen by the user. And then, my main app doesn't need GET_ACCOUNTS anymore.
The source code is there: http://code.google.com/p/account-chooser/
It's quite simple (only one screen).
To send an intent to this app I use a utility library like IntentIntegrator from ZXing. If my "account chooser" app is not present on the device, it asks the user to download it from market.
What do you think about that? Is it a good idea? Am I right to bother the user with downloading a mysterious app whose usefulness he may not understand? Or should I just use the GET_ACCOUNTS permission in my main app without questioning myself about privacy?
So instead of just asking for the GET_ACCOUNTS permission within your app, you plan to request it in another app and in turn expose that information to any other app on the device (via an intent).
Stick with asking for the GET_ACCOUNTS permission within your app and be done with it. Speaking from experience, if an app I downloaded forced me to install yet another app just to get some functionality out of it, well.. you know what happens next :)
Now that Android 6.0 becomes more popular among users, I've asked myself what the consequences of the selective permission granting are.
Let's assume I had a free ad-supported version of an app. It will obviously need internet permission to query ads. Now the user is able to deny that permission and apps could not be queried. The consequence I am thinking of is to deny app function if not all the permissions are granted. But this would make the permission model pointless for my app. It would be an "all or nothing" scenario. Is that thinking correct? I am interested in your thoughts.
Another thought I had was: Is the permission of internet access granted to AdMob automatically, by any chance? This would prevent users from disabling ads simply by taking away the internet permission. As AdMob is a Google company and this functionality is implemented in the Google Play Services, I guess that could be possible?! Any thoughts on this?
Let me know what you think.
Update: AdMob also wants to have Location Info. So even though Internet does not need permission, the question is still interesting.
#mad: In Android 6.0, your app never asks you to allow the internet permission, because internet is not part of the user's privacy in Android 6.0
(in short, the user is not able to deny the internet permission), only turn internet on/off from the device!
So don't worry about it. Your app works the same in Android 6.0 as in previous versions of Android.
You have to ask the user for permission only if you are using CAMERA, CONTACTS, LOCATION, MICROPHONE, PHONE, STORAGE, etc.
LOCATION: when you fetch the location from your app and pass it to any 3rd-party app, in this case you must ask the user to allow the location permission. Otherwise it's not needed, like Google Play services or In-App Purchase (both fetch the user's location where the app is installed or the product is purchased, but when we use both libraries in our app we do not have to ask for the location permission).
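Added example, not part of the thread: a short Python audit that reads an AndroidManifest.xml and separates the permissions Android 6.0 grants at install time from those in the runtime groups named in the answer above. The sample manifest and package name are constructed, the classification table is deliberately partial, and the script assumes the app targets and runs on API 23.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
API_LEVEL = 23  # assumption: app targets and runs on Android 6.0

# Partial Android 6.0 classification; extend from the platform documentation.
RUNTIME_GROUPS = {
    "CAMERA": {"CAMERA"},
    "CONTACTS": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "LOCATION": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "MICROPHONE": {"RECORD_AUDIO"},
    "PHONE": {"READ_PHONE_STATE", "CALL_PHONE"},
    "STORAGE": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}
INSTALL_TIME = {"INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE"}

# Constructed sample manifest for a hypothetical ad-supported app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.adsupported">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="18"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.example.adsupported.permission.PUSH"/>
</manifest>"""


def audit(manifest_xml):
    """Split declared permissions into runtime-prompted, install-time and unknown."""
    report = {"runtime": {}, "install_time": [], "unknown": []}
    for elem in ET.fromstring(manifest_xml):
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        max_sdk = elem.get(ANDROID + "maxSdkVersion")
        if max_sdk is not None and API_LEVEL > int(max_sdk):
            continue  # declaration does not apply on this API level
        name = elem.get(ANDROID + "name", "")
        short = name[len(PREFIX):] if name.startswith(PREFIX) else name
        group = next((g for g, perms in RUNTIME_GROUPS.items() if short in perms), None)
        if group:
            report["runtime"].setdefault(group, []).append(short)
        elif short in INSTALL_TIME:
            report["install_time"].append(short)
        else:
            report["unknown"].append(short)  # custom or unlisted: check by hand
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

The entries under "runtime" are the ones a user can deny, so they mark the code paths that need a fallback when the permission is refused.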
I have an Android app that uses the 'publish_actions' and 'user_photos' permissions to create photo albums on Facebook. I have already applied and been approved for 'publish_actions'. However, it will not let me apply for the 'user_photos' permission, because it says my app has not used this permission in the last thirty days.
My app does in fact use this permission. I have successfully published albums repeatedly from developer accounts and test user accounts. This only works if I use the 'user_photos' permission. If I try to create an album when I haven't requested 'user_photos', it doesn't work.
Yet it still says I'm not using this permission. And I didn't have this problem with the 'publish_actions' permission; it was able to recognize that I was using it.
What do I need to do to make this permission available for applying? It almost seems like creating an album "requires" the permission, but does not "use" it.
I've heard some suggest that you need to be using the app owner's account, but again, this was not necessary for 'publish_actions'.
I solved this problem by changing the functionality of my app. Now my app reads in a user's albums, and appends photos to the album if it already exists. Doing so results in Facebook recognizing the use of the permission, which allows me to apply for it.
Overall, this still seems like a bug on Facebook's end.
You don't need the user_photos permission to publish photos, only publish_actions. You do need user_photos to be able to read (and get) the photos that a user has uploaded.
You, as an admin on the app, are allowed to grant any permissions you want to your app (since you'd need to be able to do that for development). Users who are not in an admin/dev/test role in your app will not be able to use any features that require additional permissions until your app is approved.
When I add the permissions
"INTERNET"
"ACCESS_NETWORK_STATE"
to my app and upload it to Google Play, people who download the app see the message "this app doesn't require any special permissions".
Are the following permissions "special" for Google Play?
"ACCESS_WIFI_STATE"
"READ_PHONE_STATE"
I'm using a mobile ad SDK that claims to perform better if it is granted all four permissions. But I don't want to scare off some users by asking for too many permissions.
The permission READ_PHONE_STATE has to be accepted by users, ACCESS_WIFI_STATE doesn't.
Somebody asked already about the link between Android Permissions and Permission Groups - the selected answer links to the actual mapping file for the permissions of Android.
So the permissions you mentioned belong to the following groups and protection levels:
INTERNET: NETWORK (dangerous)
ACCESS_NETWORK_STATE: NETWORK (normal)
ACCESS_WIFI_STATE: NETWORK (normal)
READ_PHONE_STATE: PHONE_CALLS (dangerous)
Based on Google's explanation about the protectionLevel, "special permissions" (as you call it) are permissions marked as "dangerous" (as Google calls it).
But hey, INTERNET is dangerous! Why aren't users asked about this permission? Because.
Google has also given each app Internet access, effectively removing
the Internet access permission. Oh, sure, Android developers still
have to declare they want Internet access when putting together the
app. But users can no longer see the Internet access permission when
installing an app and current apps that don’t have Internet access can
now gain Internet access with an automatic update without prompting
you.
I am trying to control permission grants based on user choice. So if, say, the user walks out in public and doesn't want to share his/her location with the Facebook app, he/she should revoke that permission grant and the system should send some fake data to Facebook. Android 4.3 has this feature with the permission manager, but it doesn't send fake data; rather, it blocks the permission altogether, rendering the app not working at all.
Check out XPrivacyLua. Requires ROOT, though.
I have a few doubts.
Is it possible for an Android application, after installation, to ask the user for permission to access certain functions? Like, say, the app A wants to read contacts for a specific purpose. If the user grants permission, then the activity will take place. Else it won't. Is it possible?
Is there a way of allowing the user to select/de-select permissions during installation time?
I have read that using CyanogenMod grants the user this kind of privileges. Is there any solution for a non-rooted user, apart from the take-it-or-leave-it approach?
It would be great, but no, all permissions must be granted during installation :-(
The only exception is access to the Google profile; this will be authorized during first access.
I hope that a future Android version will be able to do that.
Cyanogen can do the opposite. You must grant all permissions during install, but you can explicitly remove them later. But it results in application crashes very often. This is only for advanced users.