
Unused permissions #1238

Closed
abdawoud opened this issue Nov 15, 2018 · 4 comments
Labels
bug Something isn't working

@abdawoud

Expected behavior

An app defines a permission -> the app uses the permission

Actual behavior

The app does not use any API protected by READ_SYNC_SETTINGS and USE_CREDENTIALS permissions, and for me, they seem unnecessary to declare.

Steps to reproduce

Manual and static analysis

Environment

Kontalk version: master

Android version: Marshmallow

Device model: Emulator

@daniele-athome daniele-athome self-assigned this Nov 15, 2018
@daniele-athome daniele-athome added the pending Issue is pending further analysis label Nov 15, 2018
@daniele-athome
Member

Hello and thanks for the heads-up. Since USE_CREDENTIALS was removed in API 23 I can't really get a straight answer from Android docs nor Google about what this permission really was for (sorry I can't remember). Current Android docs state that it's needed only (AFAICS) for getting the auth token (which we don't use: keys are stored in the account userdata and the key's password is in the account password). More unofficial docs here.
That being said, I'll do some tests in emulators on older Android versions to be sure it's not needed.

About READ_SYNC_SETTINGS I can see I only require its WRITE counterpart. I don't know, it must be a leftover.

Thank you!

@daniele-athome daniele-athome added bug Something isn't working and removed pending Issue is pending further analysis labels Nov 17, 2018
@daniele-athome
Member

I stand corrected: READ_SYNC_SETTINGS is needed:

java.lang.SecurityException: no permission to read the sync settings: Neither user 10059 nor current process has android.permission.READ_SYNC_SETTINGS.
    at android.os.Parcel.readException(Parcel.java:1465)
    at android.os.Parcel.readException(Parcel.java:1419)
    at android.content.IContentService$Stub$Proxy.getIsSyncable(IContentService.java:748)
    at android.content.ContentResolver.getIsSyncable(ContentResolver.java:1978)
    at android.content.AbstractThreadedSyncAdapter$ISyncAdapterImpl.startSync(AbstractThreadedSyncAdapter.java:165)
    at android.content.ISyncAdapter$Stub.onTransact(ISyncAdapter.java:70)
    at android.os.Binder.execTransact(Binder.java:404)
    at dalvik.system.NativeStart.run(Native Method)
Caught a RuntimeException from the binder stub implementation.
java.lang.SecurityException: no permission to read the sync settings: Neither user 10059 nor current process has android.permission.READ_SYNC_SETTINGS.
    at android.os.Parcel.readException(Parcel.java:1465)
    at android.os.Parcel.readException(Parcel.java:1419)
    at android.content.IContentService$Stub$Proxy.getIsSyncable(IContentService.java:748)
    at android.content.ContentResolver.getIsSyncable(ContentResolver.java:1978)
    at android.content.AbstractThreadedSyncAdapter$ISyncAdapterImpl.startSync(AbstractThreadedSyncAdapter.java:165)
    at android.content.ISyncAdapter$Stub.onTransact(ISyncAdapter.java:70)
    at android.os.Binder.execTransact(Binder.java:404)

@daniele-athome daniele-athome added this to the Next milestone Nov 17, 2018
@abdawoud
Author

abdawoud commented Nov 19, 2018

Thank you for the information.

I am using your app for evaluating a research tool that we developed and part of my work is to identify the components and the corresponding permissions enforced on those components. We will use this information afterward to assign the least privileges to each component that are necessary for its functionality. This is called the least privilege execution. I thought you might be interested in having this information.

Please notice that this list might not be complete or 100% accurate, so I would appreciate it if you can suggest fixes.

=============================
MessageCenterService
  • android.permission.WAKE_LOCK
  • android.permission.INTERNET
  • android.permission.AUTHENTICATE_ACCOUNTS
  • android.permission.GET_ACCOUNTS
=============================
AccountAuthenticatorService
  • android.permission.GET_ACCOUNTS
  • android.permission.MANAGE_ACCOUNTS
  • android.permission.AUTHENTICATE_ACCOUNTS
=============================
ContactsSyncAdapterService
  • android.permission.READ_SYNC_STATS
  • android.permission.WRITE_PROFILE
  • android.permission.READ_SYNC_SETTINGS
=============================
DownloadService
  • android.permission.INTERNET
  • android.permission.WRITE_EXTERNAL_STORAGE
=============================
UploadService
  • android.permission.INTERNET
  • android.permission.WRITE_EXTERNAL_STORAGE
=============================
KeyPairGeneratorService
  • NOTHING
=============================
MediaService
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.WAKE_LOCK
=============================
DirectShareTargetService
  • NOTHING
=============================
MessagesImporterService
  • NOTHING
=============================
StartMessageCenterJob
  • NOTHING
=============================
MessagesProvider
  • NOTHING
=============================
UsersProvider
  • android.permission.GET_ACCOUNTS
=============================
FileProvider
  • NOTHING
=============================
SystemBootStartup
  • android.permission.GET_ACCOUNTS
  • android.permission.RECEIVE_BOOT_COMPLETED
=============================
NetworkStateReceiver
  • NOTHING
=============================
NotificationActionReceiver
  • NOTHING
=============================
ConversationsActivity
  • android.permission.GET_ACCOUNTS [getAccountsByType]
  • android.permission.READ_CONTACTS
  • android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
=============================
ArchivedConversationsActivity
  • NOTHING
=============================
SearchActivity
  • NOTHING
=============================
ComposeMessage
  • android.permission.CALL_PHONE
  • android.permission.READ_CONTACTS
  • android.permission.CAMERA
  • android.permission.GET_ACCOUNTS [getAccountsByType]
  • android.permission.READ_EXTERNAL_STORAGE [FileProvider.getUriForFile]
  • android.permission.WRITE_EXTERNAL_STORAGE [write recorded audio into it]
  • android.permission.RECORD_AUDIO
  • android.permission.VIBRATE
=============================
PreferencesActivity
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.WRITE_EXTERNAL_STORAGE
=============================
NotificationPreferencesActivity
  • NOTHING
=============================
RegisterDeviceActivity
  • android.permission.GET_ACCOUNTS [getAccountsByType]
=============================
ImportDeviceActivity
  • NOTHING
=============================
NumberValidation
  • android.permission.INTERNET
  • android.permission.ACCESS_NETWORK_STATE [getActiveNetworkInfo]
  • android.permission.AUTHENTICATE_ACCOUNTS [setUserData, addAccountExplicitly]
  • android.permission.WRITE_SYNC_SETTINGS [setIsSyncable, setSyncAutomatically]
  • android.permission.READ_PHONE_STATE [getLine1Number]
  • android.permission.WRITE_EXTERNAL_STORAGE [import backup messages]
  • android.permission.READ_CONTACTS [requested but not used here]
  • android.permission.WRITE_CONTACTS [requested but not used here]
=============================
CodeValidation
  • android.permission.INTERNET
=============================
ContactsListActivity
  • android.permission.GET_ACCOUNTS [getDefaultAccount]
  • android.permission.READ_SYNC_STATS [isSyncPending, isSyncActive]
  • android.permission.READ_CONTACTS
  • android.permission.WRITE_PROFILE
  • android.permission.READ_PROFILE
  • android.permission.READ_SYNC_SETTINGS
=============================
StatusActivity
  • NOTHING
=============================
AboutActivity
  • NOTHING
=============================
MyKeyActivity
  • NOTHING
=============================
GroupInfoActivity
  • NOTHING
=============================
GroupInfoDialog
  • NOTHING
=============================
PositionActivity
  • android.permission.ACCESS_COARSE_LOCATION [requestLocationUpdates, getLastKnownLocation]
  • android.permission.ACCESS_FINE_LOCATION [requestLocationUpdates, getLastKnownLocation]
  • android.permission.INTERNET
  • android.permission.WRITE_EXTERNAL_STORAGE [Write offline maps data to the storage]
  • android.permission.READ_EXTERNAL_STORAGE [Read offline maps from the storage]
=============================
ScanTextActivity
  • android.permission.CAMERA
=============================
ContactInfoActivity
  • android.permission.READ_CONTACTS
  • android.permission.READ_PROFILE
=============================
ContactInfoDialog
  • android.permission.READ_CONTACTS
  • android.permission.READ_PROFILE
=============================
QuickReplyActivity
  • NOTHING

@daniele-athome
Member

I believe your tool considers permission requests also as permission users. I guess you already know that that isn't necessarily true. But thanks for the information!

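The check the thread is circling around (declared permissions that no component actually uses, and the difference the maintainer points out between a runtime permission *request* and an API call that *uses* the permission) can be scripted. The following is an added example, not code from Kontalk or from either participant's tool. The manifest fragment is a constructed stand-in, not Kontalk's real AndroidManifest.xml; the usage table is a subset of the component list posted above, with the two NumberValidation entries the poster flagged as "requested but not used here" modelled as runtime requests rather than API uses, and READ_PHONE_STATE deliberately left out of the manifest to show the opposite failure (a permission the code exercises but never declares, which surfaces as a SecurityException like the READ_SYNC_SETTINGS trace above). The `maxSdkVersion` on USE_CREDENTIALS illustrates how a permission that no longer exists on newer API levels can be scoped in a manifest; whether Kontalk needs it on old devices is still open in the thread and is not claimed here.

```python
"""Cross-check declared Android permissions against observed per-component usage.

Added example (not part of Kontalk or this issue). MANIFEST is constructed;
USAGE is a subset of the component/permission list posted in the thread.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment standing in for an app's AndroidManifest.xml.
# READ_PHONE_STATE is intentionally missing; USE_CREDENTIALS is scoped to API <= 22.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SYNC_SETTINGS"/>
    <uses-permission android:name="android.permission.WRITE_SYNC_SETTINGS"/>
    <uses-permission android:name="android.permission.USE_CREDENTIALS" android:maxSdkVersion="22"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

# Evidence kinds. Only API_CALL counts as a use: a requestPermissions() call shows
# the app asked for the permission, not that it called an API guarded by it.
API_CALL = "api_call"
RUNTIME_REQUEST = "runtime_request"

# component -> [(permission, evidence kind)], taken from the list in the thread.
USAGE = {
    "ContactsSyncAdapterService": [
        ("android.permission.READ_SYNC_SETTINGS", API_CALL),
    ],
    "NumberValidation": [
        ("android.permission.INTERNET", API_CALL),
        ("android.permission.WRITE_SYNC_SETTINGS", API_CALL),
        ("android.permission.READ_PHONE_STATE", API_CALL),        # getLine1Number
        ("android.permission.READ_CONTACTS", RUNTIME_REQUEST),    # requested, not used here
        ("android.permission.WRITE_CONTACTS", RUNTIME_REQUEST),   # requested, not used here
    ],
    "ConversationsActivity": [
        ("android.permission.GET_ACCOUNTS", API_CALL),            # getAccountsByType
        ("android.permission.READ_CONTACTS", API_CALL),
    ],
}


def declared_permissions(manifest_xml):
    """Return {permission: maxSdkVersion or None} for each <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    declared = {}
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        max_sdk = elem.get("{%s}maxSdkVersion" % ANDROID_NS)
        declared[name] = int(max_sdk) if max_sdk is not None else None
    return declared


def _perms_with(usage, kind):
    return {perm for entries in usage.values() for perm, k in entries if k == kind}


def least_privilege_sets(usage):
    """Per-component permission set backed by actual API calls (what each
    component would need if it ran under its own least-privilege policy)."""
    return {
        component: sorted({perm for perm, k in entries if k == API_CALL})
        for component, entries in usage.items()
    }


def audit(manifest_xml, usage):
    """Compare declared permissions with observed API-backed uses."""
    declared = declared_permissions(manifest_xml)
    used = _perms_with(usage, API_CALL)
    requested = _perms_with(usage, RUNTIME_REQUEST)
    return {
        # Declared but never exercised through an API: candidates for removal.
        "unused_declared": sorted(set(declared) - used),
        # Exercised but not declared: will throw SecurityException at runtime.
        "used_undeclared": sorted(used - set(declared)),
        # Asked for at runtime but never used via an API anywhere in the app.
        "requested_only": sorted(requested - used),
        # Declared only up to some API level (e.g. permissions removed later).
        "legacy_scoped": sorted(p for p, m in declared.items() if m is not None),
    }


if __name__ == "__main__":
    for key, value in audit(MANIFEST, USAGE).items():
        print("%-16s %s" % (key, value))
    for component, perms in least_privilege_sets(USAGE).items():
        print("%-28s %s" % (component, perms))
```

On the constructed input, `unused_declared` flags USE_CREDENTIALS and WRITE_CONTACTS, `used_undeclared` flags READ_PHONE_STATE, and `requested_only` flags WRITE_CONTACTS (READ_CONTACTS is requested in NumberValidation but used via an API in ConversationsActivity, so it is not reported). A real run would replace USAGE with the output of static analysis over the APK, and a permission listed under `unused_declared` should still be confirmed by running the code path, exactly as happened with READ_SYNC_SETTINGS in this thread: `getIsSyncable` is guarded by it even though no call site names the permission.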