
No permission requests for GET_ACCOUNTS on Android 6

Open denis-bogdanas opened this issue 8 years ago • 0 comments

Hello, I'm Denis Bogdanas, a research assistant at Oregon State University. I'm working on a tool that automatically introduces runtime permission checks and requests for Android 6 apps. As part of this study I analyzed this app, looking for how permissions are referred to in the code.

This app uses permission GET_ACCOUNTS but there are no runtime permission checks for it. As a result, protected methods relying on this permission will return empty or incomplete results on Android 6.

Here are code locations identified by our tools that use GET_ACCOUNTS:

<android.accounts.AccountManager: android.accounts.AccountManagerFuture getAccountsByTypeAndFeatures(java.lang.String,java.lang.String[],android.accounts.AccountManagerCallback,android.os.Handler)>
    from <com.github.mobile.accounts.AccountUtils: android.accounts.Account[] getAccounts(android.accounts.AccountManager)> L: 139

<android.accounts.AccountManager: android.accounts.Account[] getAccountsByType(java.lang.String)>
    from <com.github.mobile.accounts.AccountUtils: android.accounts.Account getAccount(android.content.Context)> L: 131
    from <com.github.mobile.accounts.AccountUtils: android.accounts.Account getPasswordAccessibleAccount(android.content.Context)> L: 155
    from <com.github.mobile.accounts.LoginActivity: java.util.List getEmailAddresses()> L: 460

Do you think this is a bug?

best regards, Denis

denis-bogdanas, Jan 14 '17 01:01
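
The kind of runtime check the issue says is missing, as an added example that is not code from the app or from the reporter's tool: it guards a `getAccountsByType` call with a GET_ACCOUNTS check and request. The activity name, request code, account type string and `onAccounts` helper are hypothetical, and the AndroidX `core` library is assumed.

```java
import android.Manifest;
import android.accounts.Account;
import android.accounts.AccountManager;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.util.Log;
import androidx.annotation.NonNull;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

// Hypothetical activity, not a class from the app.
public class AccountPickerActivity extends Activity
        implements ActivityCompat.OnRequestPermissionsResultCallback {
    private static final int REQ_GET_ACCOUNTS = 1;                     // arbitrary request code
    private static final String ACCOUNT_TYPE = "com.example.account"; // placeholder account type
    private Account[] accounts = new Account[0];

    /** Touches AccountManager only once GET_ACCOUNTS has been granted. */
    void loadAccounts() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.GET_ACCOUNTS)
                == PackageManager.PERMISSION_GRANTED) {
            onAccounts(AccountManager.get(this).getAccountsByType(ACCOUNT_TYPE));
        } else {
            // Asynchronous: the answer arrives in onRequestPermissionsResult.
            ActivityCompat.requestPermissions(this,
                    new String[] {Manifest.permission.GET_ACCOUNTS}, REQ_GET_ACCOUNTS);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode,
            @NonNull String[] permissions, @NonNull int[] grantResults) {
        if (requestCode != REQ_GET_ACCOUNTS) return;
        // grantResults is empty when the dialog was cancelled.
        if (grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            loadAccounts();
        } else {
            // Denied: make the empty result explicit instead of silently
            // acting on an incomplete account list, and do not re-prompt in a loop.
            onAccounts(new Account[0]);
        }
    }

    /** Hypothetical sink for the result; records what the caller may rely on. */
    void onAccounts(Account[] result) {
        accounts = result;
        Log.d("AccountPicker", "accounts visible to app: " + accounts.length);
    }
}
```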