[Android SDK] Migrating from rx:0.5.4 to 0.6.0@aar adds new permissions


#1

I’ve noticed that after migrating to the new 0.6.0@aar version, there are two new permissions added to the manifest file:

<!-- Enable the permissions below for getting users geographical location. --> <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />

This is causing some distress on our users who think they’re being spied on. Is there any way we can make these optional?

Thanks!


#2

Hi @beetlebum there are no new permissions between the 0.5.4 and 0.6.0. These have been there for a while as way to grab the geolocation context. If you do not wish to grab the geolocation context then you do not need to include these permissions.

From the 0.5.4 core gradle: https://github.com/snowplow/snowplow-android-tracker/blob/0.5.4/snowplow-android-core/src/main/AndroidManifest.xml#L6-L8

Hope that helps,
Josh


#3

Hi Josh,

The fact of the matter is we migrated from rx 0.5.4 to core 0.6.0 and got the new permissions added.

From 0.5.4 rx: https://github.com/snowplow/snowplow-android-tracker/blob/0.5.4/snowplow-android-tracker-rx/src/main/AndroidManifest.xml

We’re not including the permissions, they are being merged into the manifest from the aar dependency. We can try to remove them in our manifest using tools:remove but it feels hacky.

Thanks again,
Diego.


#4

Ahh yes perhaps due to the fact that these were included from the core in the past they were not dragged along with the 0.5.4 install.

I will make a ticket to address this in a bug fix, thanks for raising!


#5

Thanks Josh.

As a workaround, I’ve done the following:

<uses-permission
      android:name="android.permission.ACCESS_COARSE_LOCATION"
      tools:node="remove"/>
  <uses-permission
      android:name="android.permission.ACCESS_FINE_LOCATION"
      tools:node="remove"/>

It will remove the permissions from the merged manifest.
I would suggest having the geolocation components as a separate aar with the required permissions.

Cheers,
Diego.


#6

Hi @beetlebum,

Thanks for the workaround! I will publish a version of the library which does not contain these permissions - akin to the manifest from 0.5.4.

Cheers,
Josh


#7

Hi @beetlebum,

I have published an 0.6.1-M1 to JCenter. Would you be able to have an attempt at consuming the library now and letting me know whether or not the problem is resolved?

Cheers,
Josh