
Consider removing READ_PHONE_STATE

Open breedx-splk opened this issue 1 year ago • 3 comments

So in our Splunk distro, a user raised an issue about READ_PHONE_STATE permission being a security concern. It exists in the manifest here.

I don't remember the exact details right now, but I think that maybe network detection doesn't work correctly on older versions of Android without it?

Curious if other folks know specifics, and if we should consider relaxing the requirement around this permission.

Relates to #49.

breedx-splk, Jan 25 '24 22:01

The issue is here: https://github.com/open-telemetry/opentelemetry-android/blob/1775b152a3cac5ede00815d4ac637251129144da/instrumentation/src/main/java/io/opentelemetry/android/instrumentation/network/PostApi28NetworkDetector.java#L52-L54. It checks if the permission is available, so you can technically remove the SDK implicit permission, but that `if` will always return false. If they want that info, you can tell people via docs to add the permission directly on their app.

marandaneto, Jan 26 '24 09:01

Just to clarify, will OpenTelemetry as well as Splunk RUM properly handle network subtype being null?

If so, it should not be added here by default: https://github.com/open-telemetry/opentelemetry-android/blob/1775b152a3cac5ede00815d4ac637251129144da/instrumentation/src/main/AndroidManifest.xml#L6

ber4444, Jan 27 '24 06:01
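For readers following the thread, an added example (not part of the issue and not the project's own code) of how a consuming app can drop the permission that the library manifest contributes, using the Android manifest merger. The application element is a constructed placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- App-level AndroidManifest.xml (constructed example). -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    <!-- While the library manifest still declares READ_PHONE_STATE, this
         marker tells the manifest merger to strip it from the merged
         manifest. Per the discussion above, the detector's permission
         check then fails and the network subtype is not reported. -->
    <uses-permission
        android:name="android.permission.READ_PHONE_STATE"
        tools:node="remove" />

    <!-- If the library stops declaring the permission, apps that want the
         network subtype would opt in by declaring it themselves:

         <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    -->

    <application android:label="ExampleApp" />
</manifest>
```

The permissions that actually ship can be confirmed on the built APK with `aapt dump permissions <apk>`.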