
We use this SDK within our app. It's imported as its own module, and is packaged as a .AAR file. Last year, our app was removed from the Play Store multiple times for uploading contact information without displaying a prominent disclosure. This SDK was to blame for some of these removals. Our response was to remove all contact-related features from our app and to remove the READ_CONTACTS permission in both our app's AndroidManifest and the SDK's AndroidManifest. However, now we're reimplementing these contact-related features, so we can't remove this permission in our app's AndroidManifest any more. We need our app to have this permission, but the SDK must not have it.

My question is this: if our app has READ_CONTACTS permission, does that also grant this permission to the SDK? Or does the SDK's AndroidManifest need to explicitly include the READ_CONTACTS permission in order to be able to use it?

Gavin Wright
    I'm going to say this so you think things through. You know this SDK does questionable things with contact info. You know it's so bad that Google forced you off the platform, and Google is already far too lenient with such things. This SDK is basically malware. Yet you kept on using it, rather than finding a replacement or dropping the feature? Why? Even ignoring the giant moral issue there, how can you trust it to not screw you and your users in a dozen other ways? – Gabe Sechan Feb 08 '22 at 18:19
  • I appreciate the input and I share your concerns. I have been looking into other options, although the other candidates have issues of their own. I could consume the API directly rather than using an SDK, but that would be a ton of extra work to build out an entire shopping/checkout UI. Also, I don't think there was any ill intent on the part of the SDK developer, as the contact data was being used for a valid feature. Nonetheless, I agree that it's hard to trust the SDK after this. – Gavin Wright Feb 08 '22 at 20:36

1 Answer


We need our app to have this permission, but the SDK must not have it.

That is not a thing, sorry.

if our app has READ_CONTACTS permission, does that also grant this permission to SDK?

Yes. There is no difference between a library and code that you typed in yourself.

CommonsWare
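As an added example (not code from the question, the answer, or the SDK being discussed): because an AAR's AndroidManifest.xml is merged into the app's manifest at build time, a useful supply-chain audit is to list the uses-permission entries each third-party AAR declares before it reaches the merger. The AAR, package name and permission set below are constructed samples; the script reports only what a library declares, and, as the answer says, it cannot prevent the library's code from using a permission the app itself holds.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def declared_permissions(aar_bytes: bytes) -> list[str]:
    """Return the uses-permission names an AAR's AndroidManifest.xml declares.

    The manifest inside an AAR is plain XML (unlike the binary manifest in an
    APK), so the standard library can parse it. This is a declaration audit
    only: once the merged app holds a permission, all code in the process,
    the SDK included, can use it.
    """
    with zipfile.ZipFile(io.BytesIO(aar_bytes)) as zf:
        root = ET.fromstring(zf.read("AndroidManifest.xml"))
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def flagged_permissions(aar_bytes: bytes, watchlist: set[str]) -> list[str]:
    """Return the declared permissions that are on the reviewer's watchlist."""
    return [p for p in declared_permissions(aar_bytes) if p in watchlist]


def build_sample_aar(manifest_xml: str) -> bytes:
    """Constructed sample AAR (a zip holding only a manifest) for a hypothetical SDK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest_xml)
    return buf.getvalue()


# Constructed manifest for a hypothetical SDK; not any real vendor's file.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.sdk">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
</manifest>
"""

if __name__ == "__main__":
    aar = build_sample_aar(SAMPLE_MANIFEST)
    print(flagged_permissions(aar, {"android.permission.READ_CONTACTS"}))
```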