4

There is an app called bodyweight fitness on the play store without any permissions. It is available on git hub as well: https://github.com/mazurio/bodyweight-fitness-android

I used the files from git hub and compiled the apk myself with Android Studio (without changing the files). When I try to install the self compiled app apk, it tells me that it will use the INTERNET though the play store app did not. There is no reason why this app should need any internet connection. Thus I removed this line from the AndroidManifest.xml

<uses-permission android:name="android.permission.INTERNET" />

After compiling and installing the app, it still tells me that it will use INTERNET. Does someone know why and how I can remove this permission?

PS: I asked the developer as well, but I got no response yet.

update:

  • You are right, it is added from another part aswell: crashlytics.
  • And you are right aswell about the hidden permission. It is shown in the app details when the app is installed and it is shown in the play store when you click on the "permissions" button.
Welcor
  • 2,431
  • 21
  • 32
  • 2
    At least one of the libraries in your gradle file also has that permission like the craslytics – tyczj Feb 13 '18 at 20:29
  • "When I try to install the self compiled app apk, it tells me that it will use the INTERNET though the play store app did not" -- the Play Store has not reported the `INTERNET` permission in years, as most apps request it. – CommonsWare Feb 13 '18 at 20:54

3 Answers3

8

Each android lib contains manifest file with package, permissions, acitivities etc so your app will show all permissions from dependencies. You may check final manifest creation log at {projectDir}/{moduleDir}/build/outputs/logs/manifest-merger-*-report.txt

This log will contain something like that

uses-permission#android.permission.INTERNET
ADDED from {myModulePath}/app/src/main/AndroidManifest.xml:6:5-67
MERGED from [net.hockeyapp.android:HockeySDK:4.1.1] /Users/devindi/.android/build-cache/ce70c6f87efc05633a59a88fccdb712db509e22d/output/AndroidManifest.xml:12:5-67
MERGED from [com.crashlytics.sdk.android:crashlytics:2.6.8] /Users/devindi/.android/build-cache/424d420499b90aec0a26ab1b5f575e318d0342b9/output/AndroidManifest.xml:9:5-67
MERGED from [com.crashlytics.sdk.android:beta:1.2.5] /Users/devindi/.android/build-cache/be2498e53f6aa976b3927954da943b23f0a800f6/output/AndroidManifest.xml:9:5-67
MERGED from [com.crashlytics.sdk.android:crashlytics-core:2.3.17] /Users/devindi/.android/build-cache/e5b1b150113ac2f0789b76a886f379cdafa8af2b/output/AndroidManifest.xml:52:5-67
MERGED from [com.crashlytics.sdk.android:answers:1.3.13] /Users/devindi/.android/build-cache/c86f3a3daec296cb6a32deb0b3d0c3f1370a024f/output/AndroidManifest.xml:9:5-67
MERGED from [io.fabric.sdk.android:fabric:1.3.17] /Users/devindi/.android/build-cache/0a51b13dbc46dc870c598edab9d128bf8f26a8d4/output/AndroidManifest.xml:29:5-67

As you see I requested network permission at my manifest and hockeyapp, crashlytics, fabric libs requested same permission also. https://developer.android.com/studio/build/manifest-merge.html

To force permission remove just add tools:node=”remove” to your permission declaration like that:

<uses-permission android:name=”android.permission.INTERNET” tools:node=”remove” />
Andrew
  • 1,383
  • 7
  • 21
  • 1
    Also final manifest located here {modulePath}/build/intermediates/manifests/full/{flavor/buildType}/AndroidManifest.xml – Andrew Feb 13 '18 at 20:32
  • 1
    Note that blocking the permission may cause the app to crash, when it uses something that itself uses the Internet (e.g., Crashlytics). – CommonsWare Feb 13 '18 at 20:54
  • Sure, android will throw security exception when some code will try to perform network request. So it's a good tool to research which library adds network permission to your app. – Andrew Feb 13 '18 at 20:59
  • Yeah, thanks. It is readded by crashlytics. The tools:node part is not working for me. It causes a error about 'tools' not being bound. But I think i will simply ignore this permission. Crashlytics seems to be activated in the debug build variant only – Welcor Feb 14 '18 at 22:53
  • Usually IDEA/android Studio suggest to add tools definition. https://developer.android.com/studio/write/tool-attributes.html `xmlns:tools="http://schemas.android.com/tools"` add this to root tag at manifest – Andrew Feb 15 '18 at 07:28
1

This is because the INTERNET permission is a "harmless" permission. This means that you don't have to ask the user for permission, and that it will not show in the Google Play Store

Since Android 5.0, permissions have a "protection level". Some are dangerous, and some are normal. Normal means that you as an app developer do not have to ask the user for permission, and that it will not show in Google Play. Dangerous means that Google Play displays it and that you have to ask the User for permission.

Source and further reading: Android Developers

Twometer
  • 1,561
  • 2
  • 16
  • 24
1

There is a difference between apps installed during development via your Android Studio, apps installed from an APK and apps installed from Google Play Store. Some permissions are granted automatically in the latter case, like for example the Internet or drawing on top of other apps. You need to take this into account while planning your deployment strategy.

Matt from vision.app
  • 478
  • 4
  • 14
  • Drawing on top of apps is not granted automatically, and neither is Internet. Both need to be declared in manifest (and the first one actually even needs the user to explicitly grant permission), but one is harmless, and the other "dangerous". – Twometer Feb 13 '18 at 20:19
  • Ah yes, you are correct. What I meant to say is that an app installed from Google Play, which has permissions declared correctly in the manifest (some may be harmless and some dangerous) will behave differently from the very same app installed from an APK or via Android Studio. – Matt from vision.app Feb 13 '18 at 20:23