photos
photos copied to clipboard
Try to reduce a few of the permissions in Android
one odd one for example is, "draw over other apps"
but a user reported also, Querying running apps and Phone information. not certain where each of those is requested, but would be good to eliminate any we don't actually have a requirement for.
Sounds like someone that is running an old version that includes that permissions lib we had at one point?
I've never seen any of those you mention.
you can see those here actually,
https://play.google.com/store/apps/details?id=com.textile
in 'view details' of permissions
Report of which underlying libs are requiring specific Android permissions. Most of this was obtained by combing through the build/outputs/logs/manifest-merger-debug-report.txt
-
Device & app history
- [x] retrieve running apps
-
android.permission.GET_TASKS
required bytsbackgroundfetch
(we should try to drop this one!)
-
- [x] retrieve running apps
-
Location
- [x] precise location (GPS and network-based)
-
android.permission.ACCESS_FINE_LOCATION
required bytextile-mobile
-
- [x] precise location (GPS and network-based)
-
Phone
- [x] read phone status and identity
-
android.permission.READ_PHONE_STATE
required bylifecycle
andcrashlytics
-
- [x] read phone status and identity
-
Photos/Media/Files
- [x] read the contents of your USB storage
-
android.permission.READ_EXTERNAL_STORAGE
required byreact-native-image-picker
anduploadservice
-
- [x] modify or delete the contents of your USB storage
-
android.permission.WRITE_EXTERNAL_STORAGE
required bytextile-mobile
,uploadservice
,react-native-fs
-
- [x] read the contents of your USB storage
-
Storage
- [x] read the contents of your USB storage
-
android.permission.READ_EXTERNAL_STORAGE
required byuploadservice
andreact-native-fs
,react-native-background-fetch
,
-
- [x] modify or delete the contents of your USB storage
-
android.permission.WRITE_EXTERNAL_STORAGE
required byuploadservice
andreact-native-fs
-
- [x] read the contents of your USB storage
-
Camera
- [x] take pictures and videos
-
android.permission.CAMERA
required bytextile-mobile
in general
-
- [x] take pictures and videos
-
Device ID & call information
- [x] read phone status and identity
-
android.permission.READ_PHONE_STATE
required bylifecycle
andcrashlytics
-
- [x] read phone status and identity
-
Other
- [x] receive data from Internet
-
android.permission.INTERNET
required bytextile-mobile
in general
-
- [x] view network connections
-
android.permission.ACCESS_NETWORK_STATE
required bytextile-mobile
,firebase
,android-job
-
- [x] full network access
-
android.permission.INTERNET
required bytextile-mobile
in general
-
- [x] run at startup
-
android.permission.RECEIVE_BOOT_COMPLETED
required byreact-native-background-fetch
-
- [x] draw over other apps
-
android.permission.SYSTEM_ALERT_WINDOW
required byreact-native
(also requested bytextile-mobile
)
-
- [x] prevent device from sleeping
-
android.permission.WAKE_LOCK
requested byfirebase
,uploadservice
,android-job
-
- [x] receive data from Internet
Note that ShortcutBadger
seems to require a lot of device specific permissions
Now the question becomes, can we remove any of these libs?
- We should really try to avoid
android.permission.GET_TASKS
, as This permission was deprecated in API level 21. - I don't think we can remove
android.permission.SYSTEM_ALERT_WINDOW
(because we're usingreact-native
) even though the docs say: "Very few apps should use this permission; [...]" - Seems like we could not require
android.permission.RECEIVE_BOOT_COMPLETED
if we tweakreact-native-background-fetch
? - Seems like
android.permission.READ_PHONE_STATE
might make some people nervous? Do we really need this forlifecycle
andcrashlytics
(as in, can we tweak this one while still using them)? - I could also see folks nervous about
android.permission.ACCESS_FINE_LOCATION
especially if they are using Textile Photos for security/privacy reasons... but not sure there's a way around this unless we don't use background wakeups?
We have documented the required permissions here on the wiki: https://github.com/textileio/textile-mobile/wiki/Android-Permissions as issues are created to remove and/or modify a given permission, we can update the wiki to reflect this. Users should be linked to the wiki article to give some guidance on why and where permissions are required.
I'm going to close this given the above wiki page. Please reopen if you think this needs to be discussed further. The TL;DR here is that this will have to be an ongoing 'chore' to slowly eliminate permissions that are no longer required.
@carsonfarmer @andrewxhill Can this be left open as a summary/overview "tracking issue"? Or if not, can you create particular fine-grained issues for each of the permissions separately? Or do you want me to create them, for the ones I'm concerned about? (edit: I think the last one would probably make most sense — this way I'd be able to easily monitor if/when you resolve them, and also not bother you with permissions I don't care so much about?)
As much as I respect your last comment as an expression of intention to fix those, this also leaves me with no good way to track progress on this, and it's important to me exactly because I'm interested in using Textile because of "privacy reasons". (Otherwise, I could just go with Google Drive for backup, isn't that so?) In particular, on the wiki page, I currently see only one link to one "ticket" for one of the "sub-issues", so that's the only thing I can easily track now. How will I know when the permissions will get simplified and I'll be able to stop feeling uneasy and start using Textile? Can you please help me with this?
(Also, apparently GitHub doesn't let me reopen this ticket even if I wanted, just so you'd know.)
just re-opening this for now as per @akavel's request
Okay, just saw similar permissions in the Textile Notes app and realized it must be from React Native. Found this,
https://facebook.github.io/react-native/docs/removing-default-permissions
Looks like we should be able to get rid of a bunch of them.