51


I am maintaining one existing (very-huge, very-sensitive) Android Application.
The other day, I have received an email from my client that, the Application might be declaring the Permissions that are not actively being used.

For example, they wants me to remove "WRITE_EXTERNAL_STORAGE" permission.
I have removed it and compiled it and run the App. There is NO error at all.
But, just because of that, I don't think I can assume that permission is not actively being used at all.

My question is "Is there anyway I can easily and simply check the permission if it is actively being used ?"

Frankly, I don't want to go through every little detail aspect of that application just to fine out the permission is required or not.
I just don't have time.

My goal is check if the permission is actively being used. If not, remove the permission.
Hope there is an less-time consuming way for that.

Regards

Aung Pyae
  • 1,590
  • 2
  • 16
  • 25
  • 2
    There is no way to programatically prove that it is or isn't. The best way is to remove and try. I suppose you may be able to find a list somewhere of what functions require what permission, but I wouldn't trust it 100% unless published by google, and some like WRITE_EXTERNAL_STORAGE can be hard to tell (since any file function could theoretically need it, depending on how its set up). – Gabe Sechan Jul 21 '14 at 05:58
  • Yes. Totally agree. The worse thing is I just got the code-base and a brief explanation about how it is being structured. The App doesn't have any documentation on that perspective. Seems I need to check on every flow of the App to find out which permission is actively being used. – Aung Pyae Jul 21 '14 at 06:05
  • 1
    Yeah, been there. If you have the power in your org, I'd push to put anything but emergency changes on the back burner while you learn the codebase. And try to get some time on the schedule for refactoring, there will be things you don't like in there. – Gabe Sechan Jul 21 '14 at 06:08
  • http://sanddroid.xjtu.edu.cn/ – Gelldur Feb 11 '15 at 14:09

4 Answers4

24

In Android Studio 1.3 & Android Support Library v7:22.2.0, you have solution for it.

Steps:

  1. Update Android Studio to V1.3
  2. Update your Android Support Library to v7:22.2.0
  3. Run Android Lint (Analyse -> Inspect Code), In Lint Error see for Type "Android -> Constant & Resource Type MisMatch", Which shows all methods which requires permission.

Explanation

  1. Android has introduced new annotation @requirespermission.
  2. All SDK methods which requires permission are annotated with @requirespermission.
  3. When we call any sdk method which requires permission without properly checking whether we have permission or not, Android studio will through lint error.
Vasanth
  • 6,257
  • 4
  • 26
  • 19
  • 6
    I'm using Android Stugio 1.3.2 & Android Support Library v7:22.2.0 and I don't see the methods which require permissions :(. I see other stuff under "Android -> Constant & Resource Type MisMatch" – acrespo Sep 23 '15 at 19:04
  • 2
    This method does not work for all permissions. For example it ignore INTERNET and ACCESS_NETWORK_STATE. – anber Nov 04 '16 at 16:41
13

There is a group at Berkeley that wrote a paper about Android permissions. They talk about over-permissions and developed a tool called Stowaway that would analyze your APK for unused permissions. The analysis was based on the app's API calls and their own mapping of the permissions needed for each API call (see the paper for details). The tool throws a flag if there is a permission in the manifest that is not mapped to any of the API calls found in the APK.

For a while, a web-based version of the tool was available at http://www.android-permissions.org/, but it is from the Gingerbread era and was never updated. The page now suggests using PScout.

PScout does a better job than Stowaway at generating the permission maps. However, PScout does not include an APK analyzer, so you will have to manually compare the mappings they provide with API calls made by your app. Unfortunately, if you're interested in maps for versions beyond 5.1.1, you'll have to generate them yourself using the provided PScout code and your own Framework source.

You might also check out the various APK analyzers here to see if they include the functionality you are looking for.

Paul Ratazzi
  • 6,289
  • 3
  • 38
  • 50
2

I tried the method suggested by Vasanth but it doesn't work for me. In fact, because my project has flavors and Code Inspection doesn't work for the project with flavors. See https://code.google.com/p/android/issues/detail?id=210073.

But Running Lint from console works. So steps are simple:

  1. Remove permissions from your manifest.
  2. Run Lint for flavor as described here https://stackoverflow.com/a/32708435/1170154.
  3. Open Lint result and find section Correctness > Error MissingPermission: Missing Permissions. It will contain all calls that require permissions.
Community
  • 1
  • 1
Yuriy
  • 1,466
  • 2
  • 14
  • 30
2

As of Android Studio 3.3, running Analyze → Inspect Code will inform you of missing permissions under Android → Lint → Correctness → Missing Permissions

WeNeigh
  • 3,489
  • 3
  • 27
  • 40