[question]: READ_PHONE_STATE and ACCESS_COARSE_LOCATION permission in final AndroidMatifest

[gadzilka]

How can we help?

After updating OneSignal SDK to version 5.0.5, I found new permissions (READ_PHONE_STATE and ACCESS_COARSE_LOCATION) in the AndroidManifest in the AP, which were not present in the previous version (3.x) of the SDK.

1. Is it necessary to have these permissions?
2. Why does the SDK ask for them?
3. Is it possible to remove them?

I found the issue in your Android repo OneSignal/OneSignal-Android-SDK#1875 , but this workaround is not possible in Unity.

Code of Conduct

• I agree to follow this project's Code of Conduct

[shepherd-l]

Thanks for bringing this to our attention

I'm not sure where READ_PHONE_STATE is coming from, it isn't in our SDK.

1. Is it necessary to have these permissions?

It isn’t necessary to have ACCESS_COARSE_LOCATION. It is required for the location methods in our SDK (OneSignal.Location.RequestPermission()).

2. Why does the SDK ask for them?

The Unity SDK includes the location module from our Android SDK which asks for ACCESS_COARSE_LOCATION even if you aren’t using any location code in your project. This is a mistake on our end

3.
Is it possible to remove them?

We are working on a fix for the Unity SDK to remove the location permission/to not include it by default.

I believe you can also do the workaround in OneSignal/OneSignal-Android-SDK#1875 by exporting the Android build and changing the build.gradle (:unityLibrary) file

Let us know if you have any questions

[gadzilka]

I'm not sure where READ_PHONE_STATE is coming from, it isn't in our SDK.

You can easily reproduce it in an empty project by adding only your SDK. You don't even need to write any code. I tested this in Unity 2022.2.21f1.

List of permissions for OneSignal SDK v5.0.5:

    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <permission android:name="com.DefaultCompany.OneSignalTest.permission.C2D_MESSAGE" android:protectionLevel="0x2" />
    <uses-permission android:name="com.DefaultCompany.OneSignalTest.permission.C2D_MESSAGE" />
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="com.sec.android.provider.badge.permission.READ" />
    <uses-permission android:name="com.sec.android.provider.badge.permission.WRITE" />
    <uses-permission android:name="com.htc.launcher.permission.READ_SETTINGS" />
    <uses-permission android:name="com.htc.launcher.permission.UPDATE_SHORTCUT" />
    <uses-permission android:name="com.sonyericsson.home.permission.BROADCAST_BADGE" />
    <uses-permission android:name="com.sonymobile.home.permission.PROVIDER_INSERT_BADGE" />
    <uses-permission android:name="com.anddoes.launcher.permission.UPDATE_COUNT" />
    <uses-permission android:name="com.majeur.launcher.permission.UPDATE_BADGE" />
    <uses-permission android:name="com.huawei.android.launcher.permission.CHANGE_BADGE" />
    <uses-permission android:name="com.huawei.android.launcher.permission.READ_SETTINGS" />
    <uses-permission android:name="com.huawei.android.launcher.permission.WRITE_SETTINGS" />
    <uses-permission android:name="android.permission.READ_APP_BADGE" />
    <uses-permission android:name="com.oppo.launcher.permission.READ_SETTINGS" />
    <uses-permission android:name="com.oppo.launcher.permission.WRITE_SETTINGS" />
    <uses-permission android:name="me.everything.badger.permission.BADGE_COUNT_READ" />
    <uses-permission android:name="me.everything.badger.permission.BADGE_COUNT_WRITE" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />

List of permissions for OneSignal SDK v3.0.11:

    <permission android:name="com.DefaultCompany.OneSignalTest.permission.C2D_MESSAGE" android:protectionLevel="0x2" />
    <uses-permission android:name="com.DefaultCompany.OneSignalTest.permission.C2D_MESSAGE" />
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="com.sec.android.provider.badge.permission.READ" />
    <uses-permission android:name="com.sec.android.provider.badge.permission.WRITE" />
    <uses-permission android:name="com.htc.launcher.permission.READ_SETTINGS" />
    <uses-permission android:name="com.htc.launcher.permission.UPDATE_SHORTCUT" />
    <uses-permission android:name="com.sonyericsson.home.permission.BROADCAST_BADGE" />
    <uses-permission android:name="com.sonymobile.home.permission.PROVIDER_INSERT_BADGE" />
    <uses-permission android:name="com.anddoes.launcher.permission.UPDATE_COUNT" />
    <uses-permission android:name="com.majeur.launcher.permission.UPDATE_BADGE" />
    <uses-permission android:name="com.huawei.android.launcher.permission.CHANGE_BADGE" />
    <uses-permission android:name="com.huawei.android.launcher.permission.READ_SETTINGS" />
    <uses-permission android:name="com.huawei.android.launcher.permission.WRITE_SETTINGS" />
    <uses-permission android:name="android.permission.READ_APP_BADGE" />
    <uses-permission android:name="com.oppo.launcher.permission.READ_SETTINGS" />
    <uses-permission android:name="com.oppo.launcher.permission.WRITE_SETTINGS" />
    <uses-permission android:name="me.everything.badger.permission.BADGE_COUNT_READ" />
    <uses-permission android:name="me.everything.badger.permission.BADGE_COUNT_WRITE" />
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />

[shepherd-l]

I was able to reproduce it,
You are correct, our Unity SDK is adding the READ_PHONE_STATE permission to the AndroidManifest

The permission is being added because we didn’t specify a minSDKVersion in the OneSignalConfig.androidlib. And it defaults to a low version that adds READ_PHONE_STATE.

I am working on a fix along with ACCESS_CORASE_LOCATION and they will be added in a future release.

Thanks again for bringing this up

[pbisku]

Hello @shepherd-l - we have the same issue with our flutter app which uses the OneSignal Flutter SDK 5.0.4

Our app is now rejected from Google and Apple, since we have our app targeted for kids and the store guidelines for this group prohibits the tracking of geolocation.

Google for example states now: 'You have declared that your app targets under 13 age groups, but your app asks for location permissions.'

Apple informs us about a Missing purpose string in Info.plist and here the 'NSLocationWhenInUseUsageDescription'.

Would it also be possible to adapt the Flutter SDK, so we as flutter developer can disable the 'ACCESS_COARSE_LOCATION' permission for Android and the permission for iOS ?

[iAmWillShepherd]

@pbisku, please open an issue here.

[shepherd-l]

This has been fixed in the latest 5.0.6 release. Please open a new issue if you have any questions or are still having issues