Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I determine why my Android app requires certain permissions?

Tags:

android

Let's say I have taken over development of an Android app, and my boss asks me why our app requires certain permissions to be displayed to users who buy the app on the Android Market.

Are there any tools or tricks I can use to determine what code triggers each permission, so I can figure out why our app functionally needs those permissions? In particular, I am interested in these permissions:

  • Phone Calls - Read phone status and identity

  • System Tools - Retrieve running applications - Allows app to retrieve information about currently and recently running tasks, May allow malicious apps to discover private information about other apps.

The app is a GPS tracking app, and it's not obvious why this permission might be needed.

It would also be helpful to get any tips on why this permission might be needed, even if you can't tell me how to directly analyze the code to find out.

like image 444
Andrew Johnson Avatar asked Oct 24 '12 23:10

Andrew Johnson


People also ask

Why do Android apps need so many permissions?

Apps require access to different components and data on our Android devices to work as intended, and in most cases, we have to grant them permission to do so. In theory, Android app permissions are a great way to ensure our safety and protect our privacy.

What permissions do apps really need?

Android app permissions can give apps control of your phone and access to your camera, microphone, private messages, conversations, photos, and more. App permission requests pop up the first time an app needs access to sensitive hardware or data on your phone or tablet and are usually privacy-related.

Why do apps ask for unnecessary permissions?

Android does that for security reasons; if permissions have potential for abuse, it's better if an app doesn't have them by default. Apps actually need some permissions to do their jobs. For example, AR games really do require access to the camera. But even legitimate apps often want more than they really need.


2 Answers

Here is how I would track these down.

Step 1 - Find the manifest permissions declared in your AndroidManifest.xml

Basically everything inside the <uses-permission /> tags e.g.:

<uses-permission android:name="android.permission.READ_PHONE_STATE"/>

Step 2 - Search developer.android.com for classes that use these permissions

Let's take the case of READ_PHONE_STATE, the goal is to find which packages require this permission. A simple search on the dev portal for "READ_PHONE_STATE" starts our search, we are looking for classes here, in the top 5 search results I see the following classes:

  • TelephonyManager
  • PhoneStateListener

Click on the classes and get their package names:

  • android.telephony.TelephonyManager
  • android.telephony.PhoneStateListener

Step 3 Find classes in your project that import these packages

A simple grep will do, or a Ctrl-H in eclipse, File Search -> Containing text

Step 4 Comment out the import and see what breaks

These are likely candidates for why the permission is required. Confirm the methods in question by looking at the dev portal to validate that the permission is indeed required by that method.

Finally you should be able to tell your boss, READ_PHONE_STATE is required because we call function XYZ which gives us UVW.

like image 193
Error 454 Avatar answered Oct 19 '22 09:10

Error 454


Remove a permission and see where the app fails. The answer will be in the logcat output.

That's not an ideal solution though, since you might not know what you need to do in the app to trigger that permission.

I suspect "Read phone status and identity" means that the app is using the device IMEI or similar identifying information to uniquely identify the device to ensure that the app is only being run on a registered device. Or it might just be used as a sort of cookie to track the owner. Look for that code. And remove it, because that's the wrong way to do it. If you need to identify a specific android device, use ANDROID_ID from the Settings.Secure class. http://developer.android.com/reference/android/provider/Settings.Secure.html

As for "Retrieve running applications", I find that one somewhat suspicious. A very common way to implement GPS tracking is to launch a separate service in its own process. This way, if the app should crash, the service will keep going and can be re-attached. In this case, it's possible that the app is using the "Retrieve running applications" to identify and kill the service process. But if so, it's a clumsy way to do it.

like image 32
Edward Falk Avatar answered Oct 19 '22 09:10

Edward Falk