3

I'm looking for a quick way to identify missing Android permissions. According to Android Tools Project Site here: http://tools.android.com/tips/lint-checks, Android Studio 1.4 is able to check MissingPermission:

MissingPermission

Priority: 9 / 10 Severity: Error Category: Correctness

This check scans through your code and libraries and looks at the APIs being used, and checks this against the set of permissions required to access those APIs. If the code using those APIs is called at runtime, then the program will crash.

Furthermore, for permissions that are revocable (with targetSdkVersion 23), client code must also be prepared to handle the calls throwing an exception if the user rejects the request for permission at runtime.

However, when I try ./gradlew lint check MissingPermission, the output is:

Task 'MissingPermission' not found in root project 'Android'.

(I have to use the command line because AS always freezes when I use Analyze - Inspect Code from UI.)

If I run ./gradlew lint, Lint report doesn't complain missing permission even if I remove android.permission.INTERNET.

Any ideas on this Lint option?

Song
  • 504
  • 7
  • 17
  • 1
    Bear in mind that I doubt that the entire Android SDK has been instrumented with this annotation. In particular, I'd be surprised if all `INTERNET` bases are covered. This goes double when you are using libraries, as *their* APIs are not going to have the annotation in all likelihood. What specifically are you calling that you are expecting to have this Lint warning appear for a missing `INTERNET` permission? – CommonsWare Dec 03 '15 at 23:28
  • @CommonsWare Thanks for your quick reply. Actually I'm looking for all the APIs using READ_EXTERNAL_STORAGE, which is a dangerous permission in M. Since I commented it and Lint doesn't complain, that's why I tried the widely-used `INTERNET` instead. – Song Dec 03 '15 at 23:37
  • "Actually I'm looking for all the APIs using READ_EXTERNAL_STORAGE" -- well, that, by definition, isn't going to come up much. The distinction between what you can and cannot read is not at the Android SDK level, but much deeper than that. You can't just say "everything involving file I/O", as not all file I/O involves external storage (e.g., `SharedPreferences`). I would expect this Lint check to perhaps work for more tightly-scoped permissions, like `CAMERA`, but that's about it. – CommonsWare Dec 03 '15 at 23:44
  • So the best way (only way perhaps) to find all apis used in the code is manual app testing? Do you have any other suggestions? – Song Dec 03 '15 at 23:54
  • 1
    "So the best way (only way perhaps) to find all apis used in the code is manual app testing?" -- yes. Lint is there to help catch problems more quickly, but it is not a replacement for testing. – CommonsWare Dec 04 '15 at 00:01
  • I observed, that the "MissingPermission" lint check, doesn't cover all API methods, that require a permission. – sweisgerber.dev Dec 10 '15 at 11:21
  • @sebweisgerber Glad to hear that. Thank you for your confirmation. – Song Dec 10 '15 at 21:38
  • I point out that the MissingPermission lint check has Priority: 9 / 10 Severity: Error on lint-checks official docs, IMHO it shouldn't be understimated. There are other similar open questions reporting inconsistencies like http://stackoverflow.com/questions/34568909/lint-in-android-studio-1-5-1-is-not-working-for-missing-permissions-detection – Shine Feb 22 '16 at 18:39
  • I clearly remember that, back some Android Studio version, when i first updated to API 23, I had got some "new" permission errors, clearly marked to be patched with manual permission thing introduced with MM (overriding onRequestPermissionsResult etc.). I agree that relying on lint is wrong, but I'd expect to be warned when my previously working code is being broken because of permissions, and I think that MissinPermission lint check's severity confirms this – Shine Feb 22 '16 at 18:41

0 Answers0