Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please remove unnecessary permissions #568

Open
serrq opened this issue Dec 24, 2024 · 2 comments
Open

Please remove unnecessary permissions #568

serrq opened this issue Dec 24, 2024 · 2 comments

Comments

@serrq
Copy link

serrq commented Dec 24, 2024
edited
Loading

3.1.0 fdroid

1000133600
@serrq serrq changed the title Please remove not necessary permissions Please remove unnecessary permissions Dec 24, 2024
@IacobIonut01
Copy link
Owner

These are not used by the Gallery but some library dependencies, I will check out the Phone permission and force remove

@linuxct
Copy link
Contributor

linuxct commented Dec 25, 2024

I have been investigating why the "Read phone status and identity" permission gets added automatically to Gallery. The offending library is surprisingly Tensorflow Lite, specifically "org.tensorflow.lite.task.core" aka "org.tensorflow:tensorflow-lite-task-base", which does not declare in its AndroidManifest any targetSdkVersion:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="src.java.org.tensorflow.lite.task.core">
   <application>
   </application>
</manifest>

Because of this, the Android build-system's manifest merger incorrectly assumes, according to my manifest merging log (below), that the targetSdkVersion for that package is lower than 4, and as such, it must add the android.permission.READ_PHONE_STATE permission to the manifest.

[...]
action#androidx.profileinstaller.action.BENCHMARK_OPERATION
ADDED from [androidx.profileinstaller:profileinstaller:1.4.1] /home/linuxct/.gradle/caches/8.10.2/transforms/4960eb61de97d9c80ab6df5cdd9b905a/transformed/profileinstaller-1.4.1/AndroidManifest.xml:50:17-95

uses-permission#android.permission.READ_PHONE_STATE
IMPLIED from /home/linuxct/Android/IacobIonut-Gallery/app/src/main/AndroidManifest.xml:2:1-190:12 reason: src.java.org.tensorflow.lite.task.core has a targetSdkVersion < 4

This is because, according to Google's own documentation, in SDK versions lower than API 4, android.permission.READ_PHONE_STATE was a permission that was "[implicitly] grant[ed to] your app [...] If you don't need this permission, be sure your targetSdkVersion is 4 or higher.".

Since the problem resides in "org.tensorflow:tensorflow-lite-task-base", I suggest to:

  • Open them an issue instead, so that they fix this by explicitly adding to their AndroidManifest a given "targetSdkVersion", hopefully higher than 4, such that the permission can be removed.
  • The android.permission.READ_PHONE_STATE permission can be safely removed from Gallery's manifest using tools:node="remove".

IacobIonut01 added a commit that referenced this issue Feb 13, 2025
@IacobIonut01
Permissions: Avoid READ_PHONE_STATE from being added by tensorflow
18c5b43 
Fixes Please remove unnecessary permissions #568

Signed-off-by: IacobIonut01 <[email protected]>
IacobIonut01 added a commit that referenced this issue Feb 14, 2025
@IacobIonut01
Permissions: Avoid READ_PHONE_STATE from being added by tensorflow
edd3353 
Fixes Please remove unnecessary permissions #568

Signed-off-by: IacobIonut01 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@linuxct @IacobIonut01 @serrq