Dangerous "android.permission.READ_PHONE_STATE" is set as default. Shall I remove unused permissions?

[HaSo4 0]

Good morning,

 

I'm a little unsure, if the Android manifest permissions are used somewhere by the system, aside the examples

<uses-permission android:name="android.permission.READ_PHONE_STATE" /> 

I assume that the whole purpose is to ease the examples, same as it seems in other development systems too.

Quote

As many React Native (abbreviated as RN for the rest of this article) developers may know, RN automatically includes a couple of permissions during the app building process, which includes (but are not limited to):

• SYSTEM_ALERT_WINDOW
• READ_PHONE_STATE

 

Shall I keep this as-is, if my app doesn't use it?

I have found this article and also this, as recommendation to keep the manifest permissions clean.

 

What is unclear to me, if maybe an unused (dangerous) permission may have any consequences for the app or the PlayStore.

Are there any known policy links, that clarifies what may happen when those manifest permissions were not cleaned up?

 

 

[Dalija Prasnikar 1341]

30 minutes ago, HaSo4 said:

Shall I keep this as-is, if my app doesn't use it?

I have found this article and also this, as recommendation to keep the manifest permissions clean.

 

What is unclear to me, if maybe an unused (dangerous) permission may have any consequences for the app or the PlayStore.

Are there any known policy links, that clarifies what may happen when those manifest permissions were not cleaned up?

You should remove any permissions you don't need for application functionality. Applications are analyzed when posted on Play Store and having more dangerous permissions defined can put your application under the magnifying glass and you may need to give additional explanations or comply to some other policies than regular applications that don't use those permissions. Some unneeded permissions can even cause your application to be rejected from Play Store until you fix your submission.

 

Official documentation is usually the best starting point for being up to date with requirements https://developer.android.com/guide/topics/permissions/overview and https://support.google.com/googleplay/android-developer/answer/9888170

 

 

[HaSo4 0]

54 minutes ago, Dalija Prasnikar said:

Some unneeded permissions can even cause your application to be rejected from Play Store until you fix your submission.

 

This is what I assume, but are there specific rules for specific permissions?

For example, the READ_PHONE_STATE permission is dangerous, but doesn't seem to directly got a strike in Play Store, if it is unused.

While other permissions might get directly attention in the review, and they will ask for a proof and explanation how it is used.

This leads to the question, if there were different sub-policies for various dangerous permissions levels ( Are some dangerous permissions more dangerous than others )?

 

Maybe this is only, because the review process works a bit randomly and by human resources, even if such permissions can be automatically retrieved.

 

 

[Sherlock 632]

It is quite simple: Only request permissions you really need. Then explaining why you need them is a peace of cake.

[Dalija Prasnikar 1341]

51 minutes ago, HaSo4 said:

This is what I assume, but are there specific rules for specific permissions?

Each permission affects different functionality so it is only natural that there will be different rules because the impact and the consequences of abuse can be vastly different. But guessing what the actual rules are, beyond what is written in official documentation would be just playing guessing games.

[HaSo4 0]

Thanks, that helps to clarify my decisions.

I was already moving towards a clean Uses permissions table in the IDE and to add them manually by editing the AndroidManifest.template.xml file.
This procedure seems more reliable to me, and it makes no sense to keep any permission left, in the original dialog.

 

My file looks similar to this and gives me much more flexibility, readability, GIT management and the ability to add helpful notes and conditions:

<%uses-permission%>
    <!-- Permission(s) CAMERA: Remove them from Project options permissions -->
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"  android:maxSdkVersion="32" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="32" />
    <uses-permission android:name="android.permission.CAMERA" />
    <!-- Features(s) CAMERA:  -->
    <uses-feature android:name="android.hardware.camera.any" android:required="false" />
    <uses-feature android:name="android.hardware.camera" android:required="false" />
    <uses-feature android:name="android.hardware.camera.autofocus" android:required="false" />
    <uses-feature android:name="android.hardware.camera.flash" android:required="false" />
    <!-- Permission(s) LOCATION: Remove them from Project options permissions -->
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"   />
    <!-- Feature(s) LOCATION:  -->
    <!-- Permission(s) BLE: LOCATION needed: For <  Android 12 ( <= API30 ) -->
  ...

 

Edited February 22 by HaSo4