Home/ Questions/Q 6859163
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T02:14:57+00:00

Been doing some Android permission research and ran across an application that – according

  • 0

Been doing some Android permission research and ran across an application that – according to the AndroidManifest.xml file – only declares WRITE_EXTERNAL_STORAGE as a permission. The Android Market only reports this as well. Using the aapt tool to dump the uses-permission it also only reports the one permission.

However, in code running on the Android device (or emulator), doing the following:

PackageManager pm = getPackageManager();
List<PackageInfo> pkgList = pm.getInstalledPackages(PackageManager.GET_PERMISSIONS | PackageManager.GET_SIGNATURES);

...

PackageInfo p = pkgList.get(i);  // where i is the index of the apk in question
String[] perms = p.requestedPermissions;

I get 2 permissions for this APK, READ_PHONE_STATE and the one in the manifest, WRITE_EXTERNAL_STORAGE. Looking at the “Manage Apps” screen and selecting details for this also shows the additional READ_PHONE_STATE permission.

Are there cases where permissions can be/are ‘implied’ (in code, by feature use, etc) that would not be required in the Android Manifest? Or put another way, why does aapt return one set of permissions and the getPackageManager().getPackageInfo() API return a different set?

EDIT:

Searching with “more better” terms discovered the answer I was looking for: Android permissions: Phone Calls: read phone state and identity

In short, APKs compiled with earlier version of the SDK did inherit some permissions for free…

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    As far as I know permissions must always be explicitly set in the manifest.

    If an application needs access to a feature protected by a permission, it must declare that it requires that permission with a element in the manifest. Then, when the application is installed on the device, the installer determines whether or not to grant the requested permission by checking the authorities that signed the application’s certificates and, in some cases, asking the user. If the permission is granted, the application is able to use the protected features. If not, its attempts to access those features will simply fail without any notification to the user.

    source

    The difference you are seeing I believe is due to the protectionLevel attribute on permissions. Any permissions that are set to "normal" are not required to be OK’d by the user so they just show up in the Details section.

    • 0