HaSo4

Dangerous "android.permission.READ_PHONE_STATE" is set as default. Shall I remove unused permissions?


Good morning,

 

I'm a little unsure whether the Android manifest permissions are used somewhere by the system, aside from the examples

<uses-permission android:name="android.permission.READ_PHONE_STATE" /> 

I assume that the whole purpose is to ease the examples, same as it seems in other development systems too.

Quote

As many React Native (abbreviated as RN for the rest of this article) developers may know, RN automatically includes a couple of permissions during the app building process, which include (but are not limited to):

  • SYSTEM_ALERT_WINDOW
  • READ_PHONE_STATE

 

Shall I keep this as-is, if my app doesn't use it?

I have found this article and also this, as a recommendation to keep the manifest permissions clean.

What is unclear to me is whether an unused (dangerous) permission may have any consequences for the app or the Play Store.

Are there any known policy links that clarify what may happen when those manifest permissions are not cleaned up?

 

 

30 minutes ago, HaSo4 said:

Shall I keep this as-is, if my app doesn't use it?

I have found this article and also this, as a recommendation to keep the manifest permissions clean.

What is unclear to me is whether an unused (dangerous) permission may have any consequences for the app or the Play Store.

Are there any known policy links that clarify what may happen when those manifest permissions are not cleaned up?

You should remove any permissions you don't need for application functionality. Applications are analyzed when posted on Play Store, and having more dangerous permissions defined can put your application under the magnifying glass, and you may need to give additional explanations or comply with some other policies than regular applications that don't use those permissions. Some unneeded permissions can even cause your application to be rejected from Play Store until you fix your submission.

 

Official documentation is usually the best starting point for being up to date with requirements https://developer.android.com/guide/topics/permissions/overview and https://support.google.com/googleplay/android-developer/answer/9888170

 

 

54 minutes ago, Dalija Prasnikar said:

Some unneeded permissions can even cause your application to be rejected from Play Store until you fix your submission.

 

This is what I assume, but are there specific rules for specific permissions?

For example, the READ_PHONE_STATE permission is dangerous, but it doesn't seem to directly get a strike in the Play Store if it is unused.

While other permissions might directly get attention in the review, and they will ask for proof and an explanation of how it is used.

This leads to the question of whether there are different sub-policies for various dangerous permission levels (are some dangerous permissions more dangerous than others)?

Maybe this is only because the review process works a bit randomly and by human resources, even if such permissions can be automatically retrieved.

 

 


It is quite simple: Only request permissions you really need. Then explaining why you need them is a piece of cake.

51 minutes ago, HaSo4 said:

This is what I assume, but are there specific rules for specific permissions?

Each permission affects different functionality, so it is only natural that there will be different rules, because the impact and the consequences of abuse can be vastly different. But guessing what the actual rules are, beyond what is written in official documentation, would be just playing guessing games.


Thanks, that helps to clarify my decisions.

I was already moving towards a clean Uses permissions table in the IDE and adding them manually by editing the AndroidManifest.template.xml file.
This procedure seems more reliable to me, and it makes no sense to leave any permission in the original dialog.

My file looks similar to this and gives me much more flexibility, readability, Git management and the ability to add helpful notes and conditions:

<%uses-permission%>
    <!-- Permission(s) CAMERA: Remove them from Project options permissions -->
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"  android:maxSdkVersion="32" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="32" />
    <uses-permission android:name="android.permission.CAMERA" />
    <!-- Feature(s) CAMERA:  -->
    <uses-feature android:name="android.hardware.camera.any" android:required="false" />
    <uses-feature android:name="android.hardware.camera" android:required="false" />
    <uses-feature android:name="android.hardware.camera.autofocus" android:required="false" />
    <uses-feature android:name="android.hardware.camera.flash" android:required="false" />
    <!-- Permission(s) LOCATION: Remove them from Project options permissions -->
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"   />
    <!-- Feature(s) LOCATION:  -->
    <!-- Permission(s) BLE: LOCATION needed: For <  Android 12 ( <= API30 ) -->
  ...

 

Edited by HaSo4
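
A manifest check along the lines discussed in this thread, added here as an example (it is not code from any of the posters): it parses a generated AndroidManifest.xml and reports every declared permission that is not on the project's allow-list, listing the dangerous ones first. The name `audit_manifest`, the allow-list, the sample manifest and the `DANGEROUS` subset are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: a small subset of the permissions Android classifies as
# "dangerous"; extend it from the official permission reference.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

def audit_manifest(manifest_xml, allowed):
    """Return declared permissions that are not in `allowed`, dangerous first."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID + "name")
            if name and name not in allowed:
                findings.append({
                    "permission": name,
                    "dangerous": name in DANGEROUS,
                    "maxSdkVersion": elem.get(ANDROID + "maxSdkVersion"),
                })
    return sorted(findings, key=lambda f: (not f["dangerous"], f["permission"]))

# Constructed sample: a built manifest where the toolchain's defaults survived.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="32" />
</manifest>"""

# Hypothetical allow-list: what this imaginary app really needs.
ALLOWED = {"android.permission.CAMERA"}

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST, ALLOWED):
        level = "dangerous" if f["dangerous"] else "other"
        print(f"unexpected {level} permission: {f['permission']}")
```

Run it against the manifest produced by the build rather than the template, since the `<%uses-permission%>` placeholder in the template is not valid XML until the IDE expands it.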
