How do I determine why my Android app requires certain permissions?

Question

Let's say I have taken over development of an Android app, and my boss asks me why our app requires certain permissions to be displayed to users who buy the app on the Android Market.

Are there any tools or tricks I can use to determine what code triggers each permission, so I can figure out why our app functionally needs those permissions? In particular, I am interested in these permissions:

• Phone Calls - Read phone status and identity

• System Tools - Retrieve running applications - Allows app to retrieve information about currently and recently running tasks, May allow malicious apps to discover private information about other apps.

The app is a GPS tracking app, and it's not obvious why this permission might be needed.

It would also be helpful to get any tips on why this permission might be needed, even if you can't tell me how to directly analyze the code to find out.

Answer 1

Here is how I would track these down.

Step 1 - Find the manifest permissions declared in your AndroidManifest.xml

Basically everything inside the <uses-permission /> tags e.g.:

<uses-permission android:name="android.permission.READ_PHONE_STATE"/>

Step 2 - Search developer.android.com for classes that use these permissions

Let's take the case of READ_PHONE_STATE, the goal is to find which packages require this permission. A simple search on the dev portal for "READ_PHONE_STATE" starts our search, we are looking for classes here, in the top 5 search results I see the following classes:

• TelephonyManager
• PhoneStateListener

Click on the classes and get their package names:

• android.telephony.TelephonyManager
• android.telephony.PhoneStateListener

Step 3 Find classes in your project that import these packages

A simple grep will do, or a Ctrl-H in eclipse, File Search -> Containing text

Step 4 Comment out the import and see what breaks

These are likely candidates for why the permission is required. Confirm the methods in question by looking at the dev portal to validate that the permission is indeed required by that method.

Finally you should be able to tell your boss, READ_PHONE_STATE is required because we call function XYZ which gives us UVW.

Answer 2

Remove a permission and see where the app fails. The answer will be in the logcat output.

That's not an ideal solution though, since you might not know what you need to do in the app to trigger that permission.

I suspect "Read phone status and identity" means that the app is using the device IMEI or similar identifying information to uniquely identify the device to ensure that the app is only being run on a registered device. Or it might just be used as a sort of cookie to track the owner. Look for that code. And remove it, because that's the wrong way to do it. If you need to identify a specific android device, use ANDROID_ID from the Settings.Secure class. http://developer.android.com/reference/android/provider/Settings.Secure.html

As for "Retrieve running applications", I find that one somewhat suspicious. A very common way to implement GPS tracking is to launch a separate service in its own process. This way, if the app should crash, the service will keep going and can be re-attached. In this case, it's possible that the app is using the "Retrieve running applications" to identify and kill the service process. But if so, it's a clumsy way to do it.