Question on permissions #44

Open
IzzySoft opened this issue Dec 1, 2024 · 8 comments

IzzySoft commented Dec 1, 2024

The scanners at IzzyOnDroid just reported:

```
! repo/io.sanford.wormhole_william_18.apk declares sensitive permission(s):
  android.permission.READ_PHONE_STATE android.permission.READ_EXTERNAL_STORAGE
  android.permission.CAMERA
```

Could you please clarify what those permissions are needed for? Thanks in advance!

psanford (Owner) commented Dec 1, 2024

I don't know what IzzyOnDroid is but it doesn't seem to be a very competent scanner. You can see the declared permissions here:

```xml
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
```

Internet is needed for doing the transfer and write external storage for saving the result.

There is an optional runtime permission for the camera if you want to scan a QR code instead of typing in the wormhole code.

psanford closed this as completed Dec 1, 2024
psanford reopened this Dec 1, 2024

psanford (Owner) commented Dec 1, 2024

I looked a bit more and it does appear that there is a runtime optional permission for phone state. That is presumably coming from one of the libraries we use but is not required for any functionality. My apologies for my earlier response.

IzzySoft (Author) commented Dec 1, 2024

> I don't know what IzzyOnDroid is

Apologies, I should have included a link to the IzzyOnDroid repo (and the scanners kicked in as your app is listed there – so you're welcome to link that from your readme as alternative to PlayStore and "manual install").

> but it doesn't seem to be a very competent scanner

Ah, thanks! What is missing there in your opinion? We're always open to suggestions (also see: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo). Sure it does see the AndroidManifest and all, and that the permissions are declared there. But it cannot detect their intended use. Must be the missing AI stuff 🙈

Back to the "serious" part: as quoted, it warned about sensitive permissions in the logs. I can provide you with a more complete output of all findings of course, but I didn't want to a) distract or b) bore 😉

> My apologies for my earlier response.

Accepted – my bad, I should have been more precise. But caring for more than 1,200 apps and filing/processing multiple issues each day too often leads to thinking some details being obvious…

> a runtime optional permission for phone state

Now we get to it 😃

> That is presumably coming from one of the libraries we use but is not required for any functionality.

Would be good if we could figure out, to make it transparent. To give you some visuals of what I mean:

[image]

I'd like to have those "chocolate warnings" turned blue again by explaining what those are needed/used for. E.g., making a good guess here:

android.permission.CAMERA: used for QR code scanning

Of course this could be made more precise, including what the QR code is needed for.

So thanks for your help – and for your swift response!

IzzySoft (Author) commented

@psanford any chance to fill the gaps? ^^

psanford (Owner) commented

Sorry, I have limited time and this is fairly low priority for me so I'm not sure when I will be able to get to it.

IzzySoft (Author) commented

Ah, OK – totally fine of course. I just wasn't sure if you might have missed it. I'll be patient then – and not ping again this year 😜 Thanks!

psanford (Owner) commented

I've tracked this down to something related to gio and building the go code as an aar. I've asked in the gopher slack gio channel to see if anyone there knows why those permissions are being added.

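Worst case we can force remove them with:

```xml
<!-- tools:node needs xmlns:tools="http://schemas.android.com/tools" declared on the <manifest> element -->
<uses-permission
    android:name="android.permission.READ_PHONE_STATE"
    tools:node="remove" />
<uses-permission
    android:name="android.permission.READ_EXTERNAL_STORAGE"
    tools:node="remove" />
```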

IzzySoft (Author) commented

Thanks! And yes, tools:node-remove would have been my suggestion then, too. Just note that removing READ_EXTERNAL_STORAGE won't have effect unless you also remove WRITE_EXTERNAL_STORAGE (as otherwise it's granted implicitly).
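
The implicit grant described in the last comment can be checked mechanically on a merged manifest. The following is an added example, not code from this thread, the project or the IzzyOnDroid scanners; the `audit` and `manifest` helpers, the `com.example.app` package name and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
P = "android.permission."

# The three permissions flagged in the scanner output quoted in this thread.
SENSITIVE = {P + "READ_PHONE_STATE", P + "READ_EXTERNAL_STORAGE", P + "CAMERA"}

# Implicit grant described in the last comment: declaring WRITE implies READ.
IMPLIES = {P + "WRITE_EXTERNAL_STORAGE": P + "READ_EXTERNAL_STORAGE"}


def audit(manifest_xml: str) -> dict:
    """Map each sensitive permission the app ends up with to why it is there."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    declared.discard(None)
    findings = {p: "declared" for p in declared & SENSITIVE}
    for source, implied in IMPLIES.items():
        # A removed READ entry still shows up if WRITE remains declared.
        if source in declared and implied in SENSITIVE and implied not in declared:
            findings[implied] = "implied by " + source
    return findings


def manifest(*permissions: str) -> str:
    """Build a constructed merged-manifest sample (hypothetical helper)."""
    lines = "".join(
        f'  <uses-permission android:name="{P}{p}"/>\n' for p in permissions
    )
    return (
        f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">\n'
        f"{lines}</manifest>"
    )


# Constructed samples, not the project's real merged manifest.
BEFORE = manifest("INTERNET", "WRITE_EXTERNAL_STORAGE",
                  "READ_PHONE_STATE", "READ_EXTERNAL_STORAGE")
# Merged output after both tools:node="remove" entries are applied.
AFTER_REMOVE = manifest("INTERNET", "WRITE_EXTERNAL_STORAGE")

if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after remove", AFTER_REMOVE)):
        print(label, audit(xml))
```

Run against the merged manifest of a build (not only the app module's own `AndroidManifest.xml`), this also surfaces permissions contributed by libraries.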
