41

If I wanted to research how and where permissions [requested in the Manifest.xml] were used in an Android app for the purposes of removing them, is there an easy way of doing this? Does lint or findbugs offer some sort of support for tracking permissions used/abused in a project?

Cliff
  • 2
    Not an easy, straightforward way, I don't think. There was a [discussion on Google Groups](https://groups.google.com/forum/#!topic/android-developers/YVT33Vn7qFg) about this topic, and a potential solution, but the website linked appears to be down. – Jason Robinson Aug 21 '13 at 16:21
  • 1
    Current answer on the [security stackexchange](http://security.stackexchange.com/questions/41887/static-analysis-of-android-applications-using-androguard) says apkinspector can detect permission use. – HairyFotr Sep 06 '13 at 11:45
  • See this SO question as well: http://stackoverflow.com/questions/8257412/remove-extra-unwanted-permissions-from-manifest-android – Adrian Aug 08 '14 at 11:18
  • The potential solution from the Google Groups discussion is still down. I also haven't been able to get apkinspector to work either (too many Python errors). Disappointing that Google doesn't provide a tool to help developers. – GrandAdmiral Jan 12 '15 at 17:42
  • Maybe it is time to select the correct answer :D – GabrielOshiro Oct 16 '18 at 19:45
  • 1
    I have come from the past to accept a correct answer... – Cliff Oct 17 '18 at 20:58

6 Answers

12

I came from the future to save your lives.

Here (in the future), LINT does check for missing permissions as you can see on LINT checks.

  • So, go to your AndroidManifest.xml and remove all tags <uses-permission> using Android permissions (meaning, don't delete permissions that belong to your app, such as UA_DATA and C2D_MESSAGE).
  • Then run LINT analysis. Click on Analyze then Inspect Code...
  • Look under Android -> Constant and Resource Type Mismatches
  • You should see all missing permissions.
  • Then you can just right-click them and select Apply fix "Add Permission". If you select this option, Android Studio will include one permission for every error. So you'll end up with multiple copies of the same permission on your Manifest file, just delete the duplicates. You can do it manually too.

Here is the description of the LINT rule:

ID: ResourceType

Description:

This inspection looks at Android API calls that have been annotated with various support annotations (such as RequiresPermission or UiThread) and flags any calls that are not using the API correctly as specified by the annotations. Examples of errors flagged by this inspection:

  • Passing the wrong type of resource integer (such as R.string) to an API that expects a different type (such as R.dimen).
  • Forgetting to invoke the overridden method (via super) in methods that require it
  • Calling a method that requires a permission without having declared that permission in the manifest
  • Passing a resource color reference to a method which expects an RGB integer value.

...and many more. For more information, see the documentation at http://developer.android.com/tools/debugging/annotations.html


I'm using Android Studio 2.1.2.

GabrielOshiro
  • 1
    Indeed I was sure Lint does check for permissions. It is not performed in the basic checks of Lint, however it can be easily done by including more checks in the settings for Lint. – Michele La Ferla Jul 08 '16 at 08:04
  • 2
    Wow, this is very interesting indeed! Thank you Mr. Future developer! – Cliff Oct 17 '18 at 20:57
2

In your app manifest file you should have a tab "Merged Manifest". There you can see your final manifest and the permissions you request; you can click on a permission to see where it came from (who added it, e.g. an SDK, or what code it came from).

There is also a simple way to remove a permission by adding to manifest:

```xml
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
    tools:node="remove" />
```

Also remember to add the tools at the top:

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="...">
```

beee
  • The following link explains it more: [link](https://developer.android.com/studio/build/manifest-merge.html#inspect_the_merged_manifest_and_find_conflicts) – beee Aug 23 '17 at 06:38
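
A way to script the merged-manifest check from the answer above, as an added example (not code from the answer or from the Android tooling): it compares the app's own manifest with the merged one and builds the `tools:node="remove"` entries for permissions that only libraries contributed. Both manifests are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
TOOLS_NODE = "{http://schemas.android.com/tools}node"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample: the app module's own AndroidManifest.xml.
APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" tools:node="remove" />
</manifest>"""

# Constructed sample: the merged manifest after library manifests were folded in.
MERGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO" />
</manifest>"""

def permissions(manifest_xml):
    """Map each permission name to (element tag, tools:node value or None)."""
    found = {}
    for element in ET.fromstring(manifest_xml):  # direct children of <manifest>
        name = element.get(ANDROID_NAME)
        if element.tag in PERMISSION_TAGS and name:
            found[name] = (element.tag, element.get(TOOLS_NODE))
    return found

def inherited(app_xml, merged_xml):
    """Permissions in the merged manifest that the app manifest never requested."""
    requested = {n for n, (_, node) in permissions(app_xml).items() if node != "remove"}
    merged = permissions(merged_xml)
    return sorted((n, tag) for n, (tag, _) in merged.items() if n not in requested)

def removal_entries(app_xml, merged_xml):
    """Manifest lines that strip each inherited permission via tools:node="remove"."""
    return [f'<{tag} android:name={quoteattr(name)} tools:node="remove" />'
            for name, tag in inherited(app_xml, merged_xml)]

if __name__ == "__main__":
    for line in removal_entries(APP_MANIFEST, MERGED_MANIFEST):
        print(line)
```

Each printed entry is a candidate only: a library that actually exercises the permission at runtime will fail once it is removed, so check the contributing library's usage before pasting the line into the manifest.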
0

The way I would do it for an app for which I didn't write the code would be to remove the permissions one by one and test the app end-to-end each time. When it fails, narrow it down. If not, that permission may not be used.

Corneliu Dascălu
  • 6
    This can take days for bigger apps with 15+ permissions – NikkyD Jul 01 '14 at 16:42
  • I know, but I don't see a better solution. If you have automated tests it may take much less time. If you don't, it may be worth your time writing the tests anyway, if you are going to continue development on that code. – Corneliu Dascălu Jul 01 '14 at 17:16
  • If it's the standard permissions, you might as well search the code for the few methods that require it (according to developer.android.com search) – NikkyD Jul 01 '14 at 17:17
  • That goes without question. It's easy to figure out which parts of the code are using the internet permission, but removing every piece of code that writes to external storage may be trickier. – Corneliu Dascălu Jul 01 '14 at 17:20
0

You will have to try removing them one by one and checking if the app still works OK. This is not checked by lint in any way (it should be).

When they come back (they are currently down), you can upload your apk to this website (if that's ok with you) and let them statically analyse the permissions you are using: http://www.android-permissions.org/

Mikel Pascual
0

Best way is to understand what the app may actually do. If it is ever going to use the camera then you know you need the camera permission.

Steven K
0

Or you could just learn what your app does and then go through the permissions and see which ones are extra. What does your app do? What phone features does it use? There should be some documentation somewhere on what it should do and what methods are in there.

MNM
  • 1
    You assume that OP is the author who put the permissions there in the first place, and not the inheritor of some bad code. – tir38 Oct 24 '17 at 03:59