New Android Permissions Appeared from Nowhere - Yikes!

Solar2D Android
#1

Hi All;

A very disturbing thing happened today with an app that has been through 4 updates (with no problems) and, today, I went to publish a fifth update to the Google Play Store. The new update version required 11 NEW ANDROID PERMISSIONS and had 4 NEW ANDROID FEATURES that I have not actually added into the app (via build.settings or anywhere else). They just appeared when I uploaded to Google.

  1. I made NO CHANGES in my build.settings file related to Android Permissions (file snippet below).

  2. I am using the same plug-ins now as I did when I made the last update to this App (December, 2013)

  3. And the new permissions required (within Google Play) are several that SCARE USERS TO DEATH.

Here’s a rundown:

– ===========================================================
PREVIOUSLY PUBLISHED VERSION – December, 2013 with build 2013.1225

THIS IS WHAT GOOGLE PLAY SHOWED FOR FEATURES/PERMISSIONS

3 ANDROID FEATURES:
    android.hardware.screen.PORTRAIT
    android.hardware.TOUCHSCREEN
    android.hardware.WIFI

8 ANDROID PERMISSIONS:
    android.permission.ACCESS_NETWORK_STATE
    android.permission.ACCESS_WIFI_STATE
    android.permission.INTERNET
    android.permission.READ_EXTERNAL_STORAGE
    android.permission.READ_PHONE_STATE
    android.permission.WRITE_EXTERNAL_STORAGE
    com.android.vending.BILLING
    com.android.vending.CHECK_LICENSE

– ===========================================================
BUILD TODAY – Same Thing happens with Either Corona build 2013.1225 or 2014.1262

THIS IS WHAT GOOGLE PLAY SHOWED FOR FEATURES/PERMISSIONS

7 ANDROID FEATURES:
    android.hardware.LOCATION
    android.hardware.location.GPS
    android.hardware.location.NETWORK
    android.hardware.MICROPHONE
    android.hardware.screen.PORTRAIT
    android.hardware.TOUCHSCREEN
    android.hardware.WIFI

19 ANDROID PERMISSIONS:
    android.permission.ACCESS_ASSISTED_GPS
    android.permission.ACCESS_COARSE_LOCATION
    android.permission.ACCESS_FINE_LOCATION
    android.permission.ACCESS_GPS
    android.permission.ACCESS_LOCATION
    android.permission.ACCESS_NETWORK_STATE
    android.permission.ACCESS_WIFI_STATE
    android.permission.CALL_PHONE
    android.permission.CHANGE_WIFI_STATE
    android.permission.INTERNET
    android.permission.MODIFY_AUDIO_SETTINGS
    android.permission.READ_EXTERNAL_STORAGE
    android.permission.READ_LOGS
    android.permission.READ_PHONE_STATE
    android.permission.RECORD_AUDIO
    android.permission.VIBRATE
    android.permission.WRITE_EXTERNAL_STORAGE
    com.android.vending.BILLING
    com.android.vending.CHECK_LICENSE

– ============================================================

My build.settings file calls for these plugins (same now as back in December):

Flurry

AdMob

InMobi

AppRever

TapForTap

My build.settings file calls for these permissions in the “android” section (note that it is a large APK file size so usesExpansionFile = true and the app does have in-app purchasing). This is also the same now as back in my December update that resulted in the normal list of permissions.

usesPermissions =
  {
   “com.android.vending.BILLING”,
   “android.permission.INTERNET”,
   “android.permission.ACCESS_NETWORK_STATE”,
   “com.android.vending.CHECK_LICENSE”,
   “android.permission.WRITE_EXTERNAL_STORAGE”,
  }

– ============================================================

In Addition,  I made the mistake of allowing this update to go live in order to see how all of these new permissions are presented to users when they go to install the update. The messages they see on the device are:

Just 2 Words needs access to additional permissions (Marked as New).

System Tools
NEW: Change Wi-fi State

Your Location:
New: Coarse location, fine (GPS) location

Services that cost you money:
New: Directly call phone numbers

Your personal information:
New: Read sensitive log data

– ============================================================

And, of course, my App doesn’t do anything regarding location, anything regarding calling phone numbers, and anything regarding personal information.

So YIKES! Does anyone have ideas on why these new permissions appear in my manifest when I build my update today (with a build of Corona from last Fall or a more recent build (2014.1262)???

Google won’t let me back up to the earlier build (funky reasoning by them – also related to the permissions differences) so my users are stuck getting this strange update until I find a solution.

Thoughts and guidance welcome!

Steve Bullock

#2

I’m going to speculate and guess it’s an ad provider.  Plugins can get updated and not affect the core.  Let me ask the team and see if they are aware of anything requiring any additional features or permissions.

Since others haven’t complained about this, it feels more like one of the plugins.

Rob

#3

Also can you confirm what version of Corona SDK you’re using and what platform you’re building on?

Thanks

Rob

#4

Hi Rob;

Appreciate your jumping in. I was thinking that it might be a plug-in thing as well (either Flurry or one of the Ad Providers – the plug-ins are listed above).

Since this App pre-dated graphics 2.0, I haven’t moved it over yet. I tried building the App yesterday for Google Play with 2 different builds and the results were the same with the same list of undesirable new permissions added. The Corona builds were:

2013.1225

2014.1262

The latter build was the one that you folks recommended as the “last stable 1.0 build” that people should use for their 1.0 games. The earlier build was the one we used back in December, 2013 for our last update – the one where 11 FEWER permissions were required. Hence, I don’t believe it is a build version thing.

Any further insights you can provide would be wonderful and very timely.

Best;

Steve

#5

It is one of the ad plugins, not corona… Ad networks are about as bad as malware and want to know anything that they can and anything that they can get away with, the location permissions are so they can do localized advertising as far as the others I have no idea why they would need access to phone data etc. unless of course they were trying to read your contacts and send your contacts txt messages or recordings (or maybe even just recording your conversation) who knows…

#6

Hi Christopher and Rob;

It is inMobi that is causing this (obviously changes they made since my build last December). Once I narrowed it down to them, I actually found another Forum Thread from early March that raised the phone permissions issue (thread = Android “Directly Call Phone Numbers” Permission?).

So, as of today and unless it gets corrected, I am off of inMobi forever with my apps. They are COMPLETELY OUT OF LINE compared to AppRever, TapForTap and AdMob. I spent a couple of hours making builds and then examining the manifests using APKTOOL. Here is what I found:

==========================================================================
My “Base Permissions”  – Publishing for Google Play – No Advertising Plug-Ins

NO ADS
    <uses-permission android:name=“com.android.vending.BILLING”/>
    <uses-permission android:name=“android.permission.WRITE_EXTERNAL_STORAGE”/>
    <uses-permission android:name=“android.permission.ACCESS_NETWORK_STATE”/>
    <uses-permission android:name=“com.android.vending.CHECK_LICENSE”/>
    <uses-permission android:name=“android.permission.INTERNET”/>

==========================================================================
inMobi Permissions – What happens when I just include the inMobi Ad Plug-In

WITH INMOBI PLUG-IN being my ONLY advertising Plug-In

(These 5 are the same as with no ad plug-ins)
    <uses-permission android:name=“com.android.vending.BILLING”/>
    <uses-permission android:name=“android.permission.WRITE_EXTERNAL_STORAGE”/>
    <uses-permission android:name=“android.permission.ACCESS_NETWORK_STATE”/>
    <uses-permission android:name=“com.android.vending.CHECK_LICENSE”/>
    <uses-permission android:name=“android.permission.INTERNET”/>

(these 13 are added JUST TO SUPPORT INMOBI!)
    <uses-permission android:name=“android.permission.ACCESS_FINE_LOCATION”/>
    <uses-permission android:name=“android.permission.READ_LOGS”/>
    <uses-permission android:name=“android.permission.VIBRATE”/>
    <uses-permission android:name=“android.permission.ACCESS_WIFI_STATE”/>
    <uses-permission android:name=“android.permission.MODIFY_AUDIO_SETTINGS”/>
    <uses-permission android:name=“android.permission.ACCESS_ASSISTED_GPS”/>
    <uses-permission android:name=“android.permission.ACCESS_GPS”/>
    <uses-permission android:name=“android.permission.CHANGE_WIFI_STATE”/>
    <uses-permission android:name=“android.permission.RECORD_AUDIO”/>
    <uses-permission android:name=“android.permission.ACCESS_COARSE_LOCATION”/>
    <uses-permission android:name=“android.permission.CALL_PHONE”/>
    <uses-permission android:name=“android.permission.ACCESS_LOCATION”/>
    <uses-permission android:name=“android.permission.READ_PHONE_STATE”/>

==========================================================================
What happens when I drop out inMobi and add back in 3 Other Ad Plug-Ins

WITH MY OTHER THREE AD PLUG-INS: ADMOB, APPREVER and TAPFORTAP

(These 5 are the same as with “no ads”)
    <uses-permission android:name=“com.android.vending.BILLING”/>
    <uses-permission android:name=“android.permission.WRITE_EXTERNAL_STORAGE”/>
    <uses-permission android:name=“android.permission.ACCESS_NETWORK_STATE”/>
    <uses-permission android:name=“com.android.vending.CHECK_LICENSE”/>
    <uses-permission android:name=“android.permission.INTERNET”/>

(these 2 are added to support these 3 Ad plug-Ins!)
    <uses-permission android:name=“android.permission.ACCESS_WIFI_STATE”/>
    <uses-permission android:name=“android.permission.READ_PHONE_STATE”/>

==========================================================================

So inMobi requires 14 new permissions and the other networks require only 2 new permissions (very understandable ones). And, as an aside, I just checked and inMobi’s eCPM is rather tiny as well.

I’m looking forward to exploring the NativeX advertising world (they just had a party with Corona at GDC) when that is available to us.

In conclusion, InMobi wants permission to “record audio”, “vibrate”, “read logs”, “make calls” and access every bit of GPS data. Jeesh!

Steve Bullock

#7

Hey Steve,

This is Josh Ruis, one of the Corona developers for NativeX. I am glad to hear that you are considering using us for your monetization. We are currently in a private beta stage, with a wider release coming soon. In the mean time if you would like to look into our required permissions on Android you can take a look here

Josh Ruis

#8

I’m going to speculate and guess it’s an ad provider.  Plugins can get updated and not affect the core.  Let me ask the team and see if they are aware of anything requiring any additional features or permissions.

Since others haven’t complained about this, it feels more like one of the plugins.

Rob

#9

Also can you confirm what version of Corona SDK you’re using and what platform you’re building on?

Thanks

Rob

#10

Hi Rob;

Appreciate your jumping in. I was thinking that it might be a plug-in thing as well (either Flurry or one of the Ad Providers – the plug-ins are listed above).

Since this App pre-dated graphics 2.0, I haven’t moved it over yet. I tried building the App yesterday for Google Play with 2 different builds and the results were the same with the same list of undesirable new permissions added. The Corona builds were:

2013.1225

2014.1262

The latter build was the one that you folks recommended as the “last stable 1.0 build” that people should use for their 1.0 games. The earlier build was the one we used back in December, 2013 for our last update – the one where 11 FEWER permissions were required. Hence, I don’t believe it is a build version thing.

Any further insights you can provide would be wonderful and very timely.

Best;

Steve

#11

It is one of the ad plugins, not corona… Ad networks are about as bad as malware and want to know anything that they can and anything that they can get away with, the location permissions are so they can do localized advertising as far as the others I have no idea why they would need access to phone data etc. unless of course they were trying to read your contacts and send your contacts txt messages or recordings (or maybe even just recording your conversation) who knows…

#12

Hi Christopher and Rob;

It is inMobi that is causing this (obviously changes they made since my build last December). Once I narrowed it down to them, I actually found another Forum Thread from early March that raised the phone permissions issue (thread = Android “Directly Call Phone Numbers” Permission?).

So, as of today and unless it gets corrected, I am off of inMobi forever with my apps. They are COMPLETELY OUT OF LINE compared to AppRever, TapForTap and AdMob. I spent a couple of hours making builds and then examining the manifests using APKTOOL. Here is what I found:

==========================================================================
My “Base Permissions”  – Publishing for Google Play – No Advertising Plug-Ins

NO ADS
    <uses-permission android:name=“com.android.vending.BILLING”/>
    <uses-permission android:name=“android.permission.WRITE_EXTERNAL_STORAGE”/>
    <uses-permission android:name=“android.permission.ACCESS_NETWORK_STATE”/>
    <uses-permission android:name=“com.android.vending.CHECK_LICENSE”/>
    <uses-permission android:name=“android.permission.INTERNET”/>

==========================================================================
inMobi Permissions – What happens when I just include the inMobi Ad Plug-In

WITH INMOBI PLUG-IN being my ONLY advertising Plug-In

(These 5 are the same as with no ad plug-ins)
    <uses-permission android:name=“com.android.vending.BILLING”/>
    <uses-permission android:name=“android.permission.WRITE_EXTERNAL_STORAGE”/>
    <uses-permission android:name=“android.permission.ACCESS_NETWORK_STATE”/>
    <uses-permission android:name=“com.android.vending.CHECK_LICENSE”/>
    <uses-permission android:name=“android.permission.INTERNET”/>

(these 13 are added JUST TO SUPPORT INMOBI!)
    <uses-permission android:name=“android.permission.ACCESS_FINE_LOCATION”/>
    <uses-permission android:name=“android.permission.READ_LOGS”/>
    <uses-permission android:name=“android.permission.VIBRATE”/>
    <uses-permission android:name=“android.permission.ACCESS_WIFI_STATE”/>
    <uses-permission android:name=“android.permission.MODIFY_AUDIO_SETTINGS”/>
    <uses-permission android:name=“android.permission.ACCESS_ASSISTED_GPS”/>
    <uses-permission android:name=“android.permission.ACCESS_GPS”/>
    <uses-permission android:name=“android.permission.CHANGE_WIFI_STATE”/>
    <uses-permission android:name=“android.permission.RECORD_AUDIO”/>
    <uses-permission android:name=“android.permission.ACCESS_COARSE_LOCATION”/>
    <uses-permission android:name=“android.permission.CALL_PHONE”/>
    <uses-permission android:name=“android.permission.ACCESS_LOCATION”/>
    <uses-permission android:name=“android.permission.READ_PHONE_STATE”/>

==========================================================================
What happens when I drop out inMobi and add back in 3 Other Ad Plug-Ins

WITH MY OTHER THREE AD PLUG-INS: ADMOB, APPREVER and TAPFORTAP

(These 5 are the same as with “no ads”)
    <uses-permission android:name=“com.android.vending.BILLING”/>
    <uses-permission android:name=“android.permission.WRITE_EXTERNAL_STORAGE”/>
    <uses-permission android:name=“android.permission.ACCESS_NETWORK_STATE”/>
    <uses-permission android:name=“com.android.vending.CHECK_LICENSE”/>
    <uses-permission android:name=“android.permission.INTERNET”/>

(these 2 are added to support these 3 Ad plug-Ins!)
    <uses-permission android:name=“android.permission.ACCESS_WIFI_STATE”/>
    <uses-permission android:name=“android.permission.READ_PHONE_STATE”/>

==========================================================================

So inMobi requires 14 new permissions and the other networks require only 2 new permissions (very understandable ones). And, as an aside, I just checked and inMobi’s eCPM is rather tiny as well.

I’m looking forward to exploring the NativeX advertising world (they just had a party with Corona at GDC) when that is available to us.

In conclusion, InMobi wants permission to “record audio”, “vibrate”, “read logs”, “make calls” and access every bit of GPS data. Jeesh!

Steve Bullock

#13

Hey Steve,

This is Josh Ruis, one of the Corona developers for NativeX. I am glad to hear that you are considering using us for your monetization. We are currently in a private beta stage, with a wider release coming soon. In the mean time if you would like to look into our required permissions on Android you can take a look here

Josh Ruis