How to find source of a permission in Unity Android

Question

Note: This question is specific to Unity3D

I have a very clean android manifest file in Unity project under Plugins/Android/ folder with no <uses-permissions/> tag at all. I believe that some permissions in final APK comes from Android Player Settings for-example READ_EXTERNAL_STORAGE. In my Gear VR project I see following lines added in final manifest which can be accessed in Temp/StagingArea/:

<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-feature android:name="android.hardware.microphone" android:required="false" />

Now this is definitely coming from one of the plugins that I have in my project (I have many plugins).

My app is getting rejected from Oculus saying

Your app is asking for excessive user permissions for using user permissions inappropriately.

I found a workaround here, but I dont want to do such a thing as this may result in app rejection once again.

So

Is there a way I can find out that where this permission is coming from?

How to find out if there is some code in my scripts which causes unity to include this permission?

Thanks

Answer 1

Easy Way

I think this easier approach applies if your Unity project is being built with gradle. If it isn't, here is one more reason to upgrade.

Also, a big shout-out to an article called, Hey, Where Did These Permissions Come From?)

1. Build Your Project
2. Open the file /path/to/my/project/Temp/gradleOut/build/outputs/logs/manifest-merger-release-report.txt
3. Profit!
4. Search the file for the name of your permission, and it'll show you where it came from.

Here is part of the file, where I'm looking for the WRITE_EXTERNAL_STORAGE permission.

uses-permission#android.permission.WRITE_EXTERNAL_STORAGE
ADDED from /Users/clinton/Projects/<<ProjectName>>/Temp/gradleOut/src/main/AndroidManifest.xml:7:3-79
MERGED from [gradleOut:IronSource:unspecified] /Users/clinton/Projects/<<ProjectName>>/Temp/gradleOut/IronSource/build/intermediates/bundles/default/AndroidManifest.xml:13:5-81
    android:name
        ADDED from /Users/clinton/Projects/<<ProjectName>>/Temp/gradleOut/src/main/AndroidManifest.xml:7:20-76

Hard Way

There are three ways permissions get added to your project.

1. They are specified in an Android Manifest file.
2. They are specified in library (a .aar file).
3. Unity adds the permission when you use a certain feature. (Added)

My examples use command-line tools on a Mac. I don't know Windows equivalents, but it is possible to find and run unix tools there (using the linux subsystem for windows 10, cygwin, custom binaries, etc.)

1. Find all permissions used in (uncompressed) Android Manifests.

cd /path/to/my/project/Assets
grep -r "uses-permission" --include "AndroidManifest.xml" .

This will find all files named AndroidManifest in the current folder (.) or any of its subfolders (-r tells it to search recursively) and spit out any line with the words 'uses-permission'.

In my current project, I get output something like this:

./Plugins/Android/AndroidManifest.xml:  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
./Plugins/Android/AndroidManifest.xml:  <uses-permission android:name="android.permission.INTERNET" />
./Plugins/Android/AndroidManifest.xml:  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
./Plugins/Android/AndroidManifest.xml:  <uses-permission     
./Plugins/Android/IronSource/AndroidManifest.xml:    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
./Plugins/Android/IronSource/AndroidManifest.xml:    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

2. Find the permissions required in Android Libraries

Your project likely contains android libraries (.aar files) and java archives (.jar files). Some android libraries contain an android manifest and specify permissions needed to use the library. (I don't think .jar files actually do this, but .aar files absolutely do). Both .aar and .jar files are .zip files, with a different extension and with specific metadata in specific places.

Find them by running:

find . -iname "*.?ar" -print -exec zipgrep "uses-permission" "{}" "AndroidManifest.xml" ";" 2> /dev/null

Here's what this does. It finds any file (in the current folder (.) and its subfolders) has an extension of (something) a r, thus .jar, or .aar (-name "*.?ar"). It outputs the archive's file name (-print). It then runs zipgrep (-exec). Zipgrep is told to search through any files in the archive ({}) named "AndroidManifest.xml", and output any line with the words "uses-permission". We then pipe the errors to the bit bucket (2> /dev/null) so we don't see lots of errors about archives that don't have android manifests in them.

An example output looks like this:

./OneSignal/Platforms/Android/onesignal-unity.aar
AndroidManifest.xml:    <uses-permission android:name="android.permission.INTERNET" />
AndroidManifest.xml:    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
AndroidManifest.xml:    <uses-permission android:name="android.permission.WAKE_LOCK" />
AndroidManifest.xml:    <uses-permission android:name="android.permission.VIBRATE" />
...
./Plugins/Android/android.arch.core.common-1.1.0.jar
./Plugins/Android/android.arch.core.runtime-1.1.0.aar
./Plugins/Android/android.arch.lifecycle.common-1.1.0.jar
...
./Plugins/Android/com.google.android.gms.play-services-gcm-11.8.0.aar
AndroidManifest.xml:    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
AndroidManifest.xml:    <uses-permission android:name="android.permission.INTERNET" />
./Plugins/Android/com.google.android.gms.play-services-gcm-license-11.8.0.aar
./Plugins/Android/com.google.android.gms.play-services-iid-11.8.0.aar
AndroidManifest.xml:    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
AndroidManifest.xml:    <uses-permission android:name="android.permission.INTERNET" />
./Plugins/Android/com.google.android.gms.play-services-iid-license-11.8.0.aar
...

The filenames all start with periods. I can thus see, for example, that the onesignal-unity.aar sets several permissions, several .jar files were searched with no permissions inside them, and some of the play services libraries specify permissions.

If I needed to change a library, I could rename the .aar to .zip, extract it, edit it, compress it, and rename it back. (It isn't necessarily wise to change the permissions inside a library, but possible.)

3. Unity Adds the Permission

I didn't have anything to add on this; as said above, if you use the Microphone API, Unity will add a permission for you so your app will work.

However, I've since realized that you can do the following:

• bring up the Build Settings for Android
• tick the 'Export Project' box
• Export the project, noting the location
• go to /my/project/export/src/main/AndroidManifest.xml. This is what Unity emits for the android manifest (before google's tools do all the merging).
• compare it (using your favourite diff tool) to Assets/plugins/Android/AndroidManifest.xml; the differences come from Unity.