18

I am working on an application for pre-Marshmallow devices. The source code was not written by me and the project itself is quite big. I am currently making the app to request permissions when needed.

The question is: How to find all places in code where permission should be requested? I am using Android Studio.

EDIT
Some people suggest to change api to 23 and just run the app and see the places where it crashes. The problem is that the app does not crash in every place.

For example, running this code without a permission will crash the app:

TelephonyManager manager = (TelephonyManager) context
            .getSystemService(Context.TELEPHONY_SERVICE);

While this one just returns an empty array, instead of crashing.

final String[] SELF_PROJECTION = new String[]{
    ContactsContract.CommonDataKinds.Phone.DISPLAY_NAME,};
Cursor cursor = context.getContentResolver()
    .query(ContactsContract.Profile.CONTENT_URI, SELF_PROJECTION, null, null, null);

Also, Android Lint does not show these places. I'm not sure if it should be.

geNia
  • 985
  • 9
  • 20
  • 1
    That's impossible to answer in the abstract. You have to request permissions from your UI. So, you need to determine where in your app you are using the secured APIs, then determine whether that is a permission that you should ask for up front (e.g., on first run of your app) or only when the user taps on some UI element (e.g., action bar item) requesting to use the code that needs the secured APIs. – CommonsWare Feb 19 '16 at 20:03
  • 1
    @CommonsWare, I am asking for an easy way to determine those locations when you're not familiar with the project. I know what to do after that. – geNia Feb 19 '16 at 22:11
  • 2
    Maybe you compile against sdk 23. you can run inspection in android studio. – blay Feb 22 '16 at 14:40
  • @blay, It just doesn't show these places, while other errors and warnings are shown. – geNia Feb 22 '16 at 14:45
  • 1
    http://stackoverflow.com/a/34681480/794088 – petey Feb 22 '16 at 16:11
  • did you check @petey comment. that really shows Permission under Inspection tab – Bharatesh Feb 27 '16 at 09:34
  • https://code.google.com/p/android/issues/detail?id=182165 – Ahmed Hegazy Feb 29 '16 at 11:56
  • Write some instrumentation tests and cover most of the code. – S.D. Feb 29 '16 at 12:13
  • Also had this problem http://stackoverflow.com/questions/35965770/android-sdk23-find-places-to-update-and-request-permission – fersarr Mar 25 '16 at 21:33

5 Answers5

5

According to the developer page regarding security permissions :

In almost all cases, however, a permission failure will be printed to the system log.

So run the app and search the log for "permissions" or similar.

Use unit testing to ensure coverage of all the places in the code where permissions may be required.

rothloup
  • 1,220
  • 11
  • 29
2

Add 

lintOptions {
    enable 'MissingPermission'
}

in your build.gradle. This will show warnings after you build your application.

Jared Rummler
  • 37,824
  • 19
  • 133
  • 148
Joe
  • 81
  • 1
  • 2
1

Sure, compile targeting api 23, do not add in permissions code, run the app and see where it crashes.

Once you start pinpointing the locations then flip permissions on (via app settings) so you can get past that screen and then turn them back off so you can see if it crashes.

Logcat is pretty descriptive in letting you know that permissions are denied...

Shmuel
  • 3,916
  • 2
  • 27
  • 45
  • Yeah, forgot to mention that I've already tried that. See my edit. – geNia Feb 22 '16 at 14:44
  • Yah, I see you wrote " The problem is that the app does not crash in every place." But if you look at logcat you'll see when a permission is denied. I'd suggest filtering by error logs and watching that as you play with the app – Shmuel Feb 22 '16 at 16:40
  • Btw, I had to do this on a project also. And this is how I solved it – Shmuel Feb 22 '16 at 16:41
  • Very tedious and error prone - how do you know you tested all the places in your app the need a permission? A comprehensive tool is needed. – Peri Hartman May 26 '16 at 23:05
0

You can do this trick: delete the dangerous permissions from the manifest. This way, you can test on pretty much any device, you'll be sure it will crash and you'll find the exact places where you need those permissions. This is how I did it anyway.

DDsix
  • 1,966
  • 1
  • 18
  • 23
-4

Request all permissions you want at the first startup of your app.

It's not a Best Practices, but it is an answer of this question.

Swing
  • 858
  • 1
  • 8
  • 21
  • 3
    Don't Overwhelm the User If the user is running Android 6.0 (API level 23) or later, the user has to grant your app its permissions while they are running the app. If you confront the user with a lot of requests for permissions at once, you may overwhelm the user and cause them to quit your app. Instead, you should ask for permissions as you need them. [Link](http://developer.android.com/intl/es/training/permissions/best-practices.html) – Gustavo Morales Feb 26 '16 at 15:57