I have noticed in an application I wrote, in spite of me not specifying any permission in the manifest file, the application throws up permissions granted, such as
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_PHONE_STATE
What is all that about? I was not even aware my application needs to write into external store, and I am pretty sure it doesn't need to. So why are these permissions being granted when I never requested them?
Those two were default in earlier API versions. Read more about it: here.
Related
We use this SDK within our app. It's imported as its own module, and is packaged as a .AAR file. Last year, our app was removed from the Play Store multiple times for uploading contact information without displaying a prominent disclosure. This SDK was to blame for some of these removals. Our response was to remove all contact-related features from our app and to remove the READ_CONTACTS permission in both our app's AndroidManifest and the SDK's AndroidManifest. However, now we're reimplementing these contact-related features, so we can't remove this permission in our app's AndroidManifest any more. We need our app to have this permission, but the SDK must not have it.
My question is this: if our app has READ_CONTACTS permission, does that also grant this permission to the SDK? Or does the SDK's AndroidManifest need to explicitly include the READ_CONTACTS permission in order to be able to use it?
We need our app to have this permission, but the SDK must not have it.
That is not a thing, sorry.
if our app has READ_CONTACTS permission, does that also grant this permission to SDK?
Yes. There is no difference between a library and code that you typed in yourself.
I have an app using this method: getLine1Number from TelephonyManager
According to Android Documentation, this method needs the READ_PHONE_STATE runtime permission. When I call this API without giving this permission, my app crashes. However, if I grant this app the signature permission READ_PRIVILEGED_PHONE_STATE without giving the READ_PHONE_STATE permission, the API works and the app does not crash.
Why is it the case?
The reason is simple: some APIs, in order to work, read permission from the Android system, as they are trying to access user-private data. Android, designed as a secure OS, would grant permissions to expose such data to these APIs. Some permissions need to be explicitly agreed upon by the user, while some only need to be registered to keep track of.
Not including these permissions in the manifest will cause a permission not granted error and the app will crash, as your source code probably does not have logic to deal with that.
I am going to update an application to Android 6.0. For users who already have the application installed when an update is made, are all the permissions still active or is the user going to be asked for permissions that are in the dangerous category?
It will still ask them to allow those permissions if they are in the dangerous category, regardless of whether they are specified in the manifest (i.e. writing to SD, using the camera). See Permission Groups.
If you have users who are on Android 6.0 Marshmallow and your application only specifies permissions in the manifest and not at run time then those actions will fail. For example, if you have code that writes to the external storage, it will fail and give a Permission Denied error.
Google states that permissions with dangerous as the value of protectionLevel have to be granted by the user at installation time.
One example of such a dangerous permission is android.permission.INTERNET. But although apps have declared that they use this permission, it's treated like a normal permission, thus the user won't be asked about it. This is also mentioned on How-To Geek.
Where does Google itself explain this behaviour?
Why is the INTERNET permission still dangerous, but treated like a normal one? (instead of changing it to normal in the mapping file)
Where does that happen? Is there another mapping for "dangerous, but too important to worry users" permissions? Or is it hardcoded?
Are there other dangerous permissions than INTERNET where this applies?
When Android 4.1 JellyBean (API 16) was announced at Google I/O, it introduced the following permission:
READ_EXTERNAL_STORAGE
Provides protected read access to external storage. In Android 4.1 by default all applications still have read access. This will be changed in a future release to require that applications explicitly request read access using this permission. If your application already requests write access, it will automatically get read access as well. There is a new developer option to turn on read access restriction, for developers to test their applications against how Android will behave in the future.
http://developer.android.com/about/versions/android-4.1.html#Permissions
I have an application that targets API 16 and requires the WRITE_EXTERNAL_STORAGE permission. I am preparing to deploy an update and noticed that the READ_EXTERNAL_STORAGE permission is now listed as a required permission in the developer portal. It was not listed as a required permission in Google Play for an update deployed last week. This application does not explicitly request the READ_EXTERNAL_STORAGE permission.
Will users who have already granted the WRITE_EXTERNAL_STORAGE permission for this application be prompted to grant the additional, implicit READ_EXTERNAL_STORAGE permission when they update the application?
Update:
We have since released the app and JellyBean devices are automatically updating without requesting the READ_EXTERNAL_STORAGE permission. In a future release when I explicitly declare the requirement for READ_EXTERNAL_STORAGE, will users who have already granted the WRITE_EXTERNAL_STORAGE permission be asked to grant the READ_EXTERNAL_STORAGE permission?
Since API 19 (Android 4.4) you must explicitly specify the READ_EXTERNAL_STORAGE permission. Yes, if you have the WRITE_EXTERNAL_STORAGE permission you will be implicitly granted READ_EXTERNAL_STORAGE, but if you need read-only access to external storage you must specify READ_EXTERNAL_STORAGE.
Prooflink: http://developer.android.com/reference/android/Manifest.permission.html#READ_EXTERNAL_STORAGE
You won't have to explicitly declare READ_EXTERNAL_STORAGE so long as you have WRITE_EXTERNAL_STORAGE. Previously the OS didn't enforce read-only access to the external storage; that is changing and you must request it now. But if you have write access you implicitly get read access.
From http://developer.android.com/training/basics/data-storage/files.html
If your app needs to read the external storage (but not write to it), then you will need to declare the READ_EXTERNAL_STORAGE permission
...
However, if your app uses the WRITE_EXTERNAL_STORAGE permission, then it implicitly has permission to read the external storage as well.
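The implicit grants discussed in the first answer (WRITE_EXTERNAL_STORAGE and READ_PHONE_STATE appearing without being declared) and in the READ_EXTERNAL_STORAGE answers above, as an added example that is not part of the original posts: a Python script that reads a plain-text AndroidManifest.xml and lists the permissions an app ends up with beyond those it declares. The API-level thresholds in the two tables are assumptions modelled on AOSP's historic implicit-permission rules, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: permissions the platform adds to any app whose targetSdkVersion
# is below the given API level (thresholds are not stated on this page).
ADDED_BELOW_TARGET = {P + "WRITE_EXTERNAL_STORAGE": 4, P + "READ_PHONE_STATE": 4}

# Assumption: declared permission -> (implied permission, applies below this
# targetSdkVersion; None means it applies to every target).
SPLIT = {
    P + "WRITE_EXTERNAL_STORAGE": (P + "READ_EXTERNAL_STORAGE", None),
    P + "READ_CONTACTS": (P + "READ_CALL_LOG", 16),
    P + "WRITE_CONTACTS": (P + "WRITE_CALL_LOG", 16),
}

def effective_permissions(manifest_xml):
    """Return (declared, implicit) permission sets for a manifest string."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # A missing targetSdkVersion falls back to minSdkVersion, which defaults to 1.
    min_sdk = int(sdk.get(ANDROID_NS + "minSdkVersion", "1")) if sdk is not None else 1
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", min_sdk)) if sdk is not None else 1
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    implicit = {p for p, below in ADDED_BELOW_TARGET.items()
                if target < below and p not in declared}
    # Iterate over a snapshot so implied permissions can be added while looping.
    for perm in declared | implicit:
        if perm in SPLIT:
            implied, below = SPLIT[perm]
            if (below is None or target < below) and implied not in declared:
                implicit.add(implied)
    return declared, implicit

# Constructed sample: no <uses-sdk> and no permissions declared at all.
LEGACY = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
          'package="com.example.legacy"><application/></manifest>')
# Constructed sample: targets API 16 and declares write access plus contacts.
MODERN = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
          'package="com.example.modern">'
          '<uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>'
          '<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>'
          '<uses-permission android:name="android.permission.READ_CONTACTS"/>'
          '</manifest>')

if __name__ == "__main__":
    for name, xml in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, sorted(effective_permissions(xml)[1]))
```

Run it against the merged manifest of a build rather than the app module's own file, since library manifests contribute permissions to the same app.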