How do I determine why my Android app requires certain permissions?

Question

Let\'s say I have taken over development of an Android app, and my boss asks me why our app requires certain permissions to be displayed to users who buy the app on the Andr

Answer 1

Remove a permission and see where the app fails. The answer will be in the logcat output.

That's not an ideal solution though, since you might not know what you need to do in the app to trigger that permission.

I suspect "Read phone status and identity" means that the app is using the device IMEI or similar identifying information to uniquely identify the device to ensure that the app is only being run on a registered device. Or it might just be used as a sort of cookie to track the owner. Look for that code. And remove it, because that's the wrong way to do it. If you need to identify a specific android device, use ANDROID_ID from the Settings.Secure class. http://developer.android.com/reference/android/provider/Settings.Secure.html

As for "Retrieve running applications", I find that one somewhat suspicious. A very common way to implement GPS tracking is to launch a separate service in its own process. This way, if the app should crash, the service will keep going and can be re-attached. In this case, it's possible that the app is using the "Retrieve running applications" to identify and kill the service process. But if so, it's a clumsy way to do it.

Answer 2

Here is how I would track these down.

Step 1 - Find the manifest permissions declared in your AndroidManifest.xml

Basically everything inside the <uses-permission /> tags e.g.:

<uses-permission android:name="android.permission.READ_PHONE_STATE"/>

Step 2 - Search developer.android.com for classes that use these permissions

Let's take the case of READ_PHONE_STATE, the goal is to find which packages require this permission. A simple search on the dev portal for "READ_PHONE_STATE" starts our search, we are looking for classes here, in the top 5 search results I see the following classes:

• TelephonyManager
• PhoneStateListener

Click on the classes and get their package names:

• android.telephony.TelephonyManager
• android.telephony.PhoneStateListener

Step 3 Find classes in your project that import these packages

A simple grep will do, or a Ctrl-H in eclipse, File Search -> Containing text

Step 4 Comment out the import and see what breaks

These are likely candidates for why the permission is required. Confirm the methods in question by looking at the dev portal to validate that the permission is indeed required by that method.

Finally you should be able to tell your boss, READ_PHONE_STATE is required because we call function XYZ which gives us UVW.

Answer 3

With the latest build tools, you can run lint check which will highlight for you all the android SDK method calls which are requiring permissions.

See announcement here http://android-developers.blogspot.com/2015/07/get-your-hands-on-android-studio-13.html and documentation here https://developer.android.com/tools/debugging/annotations.html#permissions .

This is based on android annotations and after some adoption time 3rd party libraries can integrate permission annotations also

Answer 4

The answer for your boss is "because certain API features/calls/methods we use in our app require calee to hold certain permissions. It is for security reasons, and that's the way Android works". As for mentioned permissions - you have to check the code to see if these permissions are really required. Read phone status and identity may indicate your app try to get IMEI or something like this to uniquely identify device. Retrieve running applications - see no reason for GPS tracking app to hold this. But maybe you use 3rd party lib/code that uses this.