0

Whenever I look for an app in Play Store, the description states the list of required permissions.

  1. Is that list (taken from the Manifest?) up to what the developer declares, or is it automatically generated in some way?
    In other words, can that list be not representative of what actually happens?

  2. If so, is there an alternative way to get a reliable such list?

  • 1
    Have you read the link in beeshyams comment on one of your previous questions? https://android.stackexchange.com/questions/242692/permissions-categories-do-they-have-any-practical-implication The linked post answers more or less your question. For the rest feel free to check the Android developer documentation on permissions – Robert Nov 12 '21 at 20:49
  • @Robert - I just entered the site (and I actually had done it before), but I did not read it in full. Thanks for the (refreshed) pointer. – sancho.s ReinstateMonicaCellio Nov 12 '21 at 21:18
  • @Robert - My question #1 is a YES-or-NO question, and I don't see it answered in the link... did I miss it? (Besides, I guess a YES/NO posted here would be very much aligned with the spirit of SE). Plus, question #2 is also YES/NO (with extra info also useful). – sancho.s ReinstateMonicaCellio Nov 13 '21 at 11:43
  • The permission list shown to the user is based on the data in AndroidManifest.xml, which has to be built by the developer and also is extended automatically if the app uses certain libraries. But that is irrelevant for you as Android enforces the permissions, which means if the developer forgot to add a permission to AndroidManifest.xml the app will fail to use methods that require this permission. – Robert Nov 13 '21 at 11:46
  • @Robert - I put together an answer based on your comment. Would you mind correcting it if I misunderstood anything? – sancho.s ReinstateMonicaCellio Nov 13 '21 at 12:17
  • 1
    List of app's permissions in the Play Store description is not a one-to-one mapping with the actual permissions an app is using. It's just a high level description in layman's terms. So is the description of a permission shown to the user when asking to grant a revocable permission. The actual permissions are in the manifest file. But technically speaking, only manifest permissions are not a comprehensive list of an app's privileges. There are other ways to analyze and control what an app can do. URI permissions (for storage access) and AppOps are two examples. – Irfan Latif Nov 13 '21 at 18:08
  • @IrfanLatif - Still more to learn. A few questions:
    1. Would you mind posting as an answer?
    2. I tried to understand the comment/answer by Robert, then rephrase it in my answer in a more obvious way for beginners like me. Would you mind pointing out whether that answer is accurate, where it is wrong, etc.? I usually find that, for beginners (and for not-so-much as well), questions of the type YES/NO help a lot... and yet the answers often do not state that clearly.
    3. I posted a separate follow-up question here.
    – sancho.s ReinstateMonicaCellio Nov 14 '21 at 13:06

2 Answers

1

The permission list shown to the user at installation time is based on the data in AndroidManifest.xml. Apps like App Inspector can display what apps request what permission.

Permissions in AndroidManifest.xml have to be added by the developer. But Android development systems also allow libraries to define permissions, and if the app includes the library, the permissions are automatically added to AndroidManifest.xml when the developer builds the app.

But from the user's perspective it is irrelevant how the permissions are added to AndroidManifest.xml, as Android enforces the permissions. This means if the developer forgot to add a permission to AndroidManifest.xml the app will fail to use methods that require this permission.

Robert
1

Is that list up to what the developer declares? Yes. That list is in AndroidManifest.xml, and it is edited by hand by the developer.

Is it automatically generated in some way? No. Part of it is not, which implies that, overall, no.

Can that list be not representative of what actually happens? Yes, but only for "false positives". I.e., a permission listed in AndroidManifest.xml, but not actually used by the code, will be granted by the OS to the app (with no use). "False negatives" would not happen. I.e., a permission not listed in AndroidManifest.xml, but required by the code, will not be granted by the OS to the app. So it will probably not perform as intended.

TL;DR

The permission list shown to the user, e.g. under View details, is based on the data in file AndroidManifest.xml included in each apk installer.

That file contains a list of required permissions, which is composed of:

  1. A hand-edited part by the developer.
  2. An automatically added part from the list of permissions required by each linked library. (Each of these lists follows "recursively" the same criteria here).

The OS will give the App the permissions in this list, and nothing else.
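
The two-part composition described in the answers, as an added example that is not part of either answer: a simplified Python model of how a build combines the app's own `<uses-permission>` entries with those contributed by libraries, recording where each one came from. It goes slightly beyond the text by also honouring the manifest merger's `tools:node="remove"` marker, which an app can use to drop a library-contributed permission. The manifests, package names and function names are constructed for illustration.

```python
# Added example: simplified model of manifest permission merging (not the real merger tool).
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
TOOLS = "http://schemas.android.com/tools"

# Constructed sample manifests (hypothetical app and libraries).
APP_MANIFEST = f"""<manifest xmlns:android="{ANDROID}" xmlns:tools="{TOOLS}" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS" tools:node="remove"/>
</manifest>"""

LIB_MANIFESTS = {
    "com.example.adslib": f"""<manifest xmlns:android="{ANDROID}" package="com.example.adslib">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>""",
    "com.example.synclib": f"""<manifest xmlns:android="{ANDROID}" package="com.example.synclib">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>""",
}

def declared(manifest_xml):
    """Return (requested, removed) permission names from one manifest."""
    requested, removed = set(), set()
    for el in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = el.get(f"{{{ANDROID}}}name")
        if el.get(f"{{{TOOLS}}}node") == "remove":
            removed.add(name)   # app asks the merger to strip this entry
        else:
            requested.add(name)
    return requested, removed

def merged_permissions(app_xml, libs):
    """Map each permission in the merged manifest to the sources that declared it."""
    app_req, app_removed = declared(app_xml)
    sources = {perm: ["app"] for perm in app_req}
    for lib_name, lib_xml in libs.items():
        lib_req, _ = declared(lib_xml)
        for perm in lib_req - app_removed:
            sources.setdefault(perm, []).append(lib_name)
    return sources

if __name__ == "__main__":
    for perm, src in sorted(merged_permissions(APP_MANIFEST, LIB_MANIFESTS).items()):
        print(f"{perm:45} <- {', '.join(src)}")
```
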