WearSquare
WearSquare copied to clipboard
Check & request operation missing before using LocationManager.getLastKnownLocation()
Issue description
Hi, in WearSquare, we found a dangerous API usage (https://github.com/davidvavra/WearSquare/blob/master/mobile/src/main/java/cz/destil/wearsquare/util/LocationUtils.java#L71) which requires Manifest.permission.ACCESS_COARSE_LOCATION or Manifest.permission.ACCESS_FINE_LOCATION in accordance to the Android official documentation (https://developer.android.com/reference/android/location/LocationManager#getLastKnownLocation(java.lang.String)).
However, it seems that it missed the API level check and request operation in the following call chain starting from the onReceive() activity.
CALLCHAIN:
cz.destil.wearsquare.util.LocationUtils$1.onReceive(android.content.Context,android.content.Intent)void
cz.destil.wearsquare.service.FoursquareService$4.onLocationUpdate(java.lang.String)void
cz.destil.wearsquare.util.LocationUtils.getLastAltitude()int
android.location.LocationManager.getLastKnownLocation(java.lang.String)android.location.Location
This may lead to a SecurityException or related functions unavailable if the user denies the location permission but still calls the API in this chain, resulting in bad user experience.
@davidvavra Could you help me review this issue? Thx