Undeclaring Permissions on Android
24 Aug 2017
Android apps declare what permissions they want with uses-permission in AndroidManifest.xml. That’s cool because you can see all the permissions your app wants, but it gets more complicated when you add external libraries to your code. If they have manifest files, those manifests will get merged with yours at build time. This means you can unknowingly add permissions to your app, which is bad because your customers can be sensitive about adding new permissions and, more importantly, it can break auto-updating for your app.
Enter undeclaring permissions! Want to ensure your app never requests location? You can explicitly flag those permissions to always be removed during manifest merging:
It might seem like a good idea to explicitly “undeclare” dangerous permissions your app does not want, to ensure those don’t get merged in, but the libraries that are including those permissions may not be checking if the permission has been granted. If code runs that needs those permissions, you’ll get a SecurityException and a crash. Yikes! The best course of action here is to validate the permissions in the final output from your build process like this process Square uses.
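Both ideas above in one added example (not code from the original post or from Square): the constructed app manifest shows the tools:node="remove" marker on the location permissions, and the script audits a constructed merged manifest against an allowlist. The package name, the ALLOWED set and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
TOOLS = "{http://schemas.android.com/tools}"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed app manifest: both location permissions are flagged for removal.
APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" tools:node="remove"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" tools:node="remove"/>
</manifest>"""

# Constructed merged manifest (final build output): a library added READ_CONTACTS.
MERGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

ALLOWED = {"android.permission.INTERNET"}  # hypothetical allowlist for this app


def _permission_elements(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return [el for tag in PERMISSION_TAGS for el in root.findall(tag)]


def removed_permissions(source_xml):
    """Permissions the source manifest marks with tools:node="remove"."""
    return {el.get(ANDROID + "name") for el in _permission_elements(source_xml)
            if el.get(TOOLS + "node") == "remove"}


def requested_permissions(merged_xml):
    """Permissions the merged (final) manifest actually requests."""
    return {el.get(ANDROID + "name") for el in _permission_elements(merged_xml)}


def audit(merged_xml, allowed, removed=frozenset()):
    """Return (unexpected, leaked): not allowlisted, and removed-but-present."""
    requested = requested_permissions(merged_xml)
    return sorted(requested - set(allowed)), sorted(requested & set(removed))


if __name__ == "__main__":
    # A CI step would fail the build when either list is non-empty.
    print(audit(MERGED_MANIFEST, ALLOWED, removed_permissions(APP_MANIFEST)))
```

Run against the real merged manifest from a build, a non-empty first list means a dependency pulled in a permission nobody reviewed.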