Incorrect permissions when uploaded to PlayConsole

sja_digitalcomms · June 16, 2020, 11:52am

I’ve uploaded a React Native app built in via Expo. I’ve set permissions to none:

{
  "expo": {
   "android": {
      "permissions": []
      ... other settings
    }
    ... other settings
}

But when I upload the app-bundle to the PlayConsole it lists the app with 15 permissions:

android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.FOREGROUND_SERVICE android.permission.INTERNET
android.permission.MODIFY_AUDIO_SETTINGS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.REQUEST_INSTALL_PACKAGES android.permission.STORAGE
android.permission.SYSTEM_ALERT_WINDOW
android.permission.USE_BIOMETRIC android.permission.WAKE_LOCK
com.google.android.c2dm.permission.RECEIVE
com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE
com.sja.firstaid.permission.C2D_MESSAGE
host.exp.exponent.permission.C2D_MESSAGE

I cannot identify a reason why the permissions setting is being ignored?

sja_digitalcomms · June 19, 2020, 1:17pm

any suggestions appreciated!

erikhellmanhellsoft · June 24, 2020, 7:42am

We’ve run into the same problems and our app got suspended because of this (we didn’t notice these permissions until later). This causes Google to consider the app harmful and deceptive, since it starts on boot and requests permission to install additional pacakges.

Is there something wrong with the Expo build service?

sja_digitalcomms · June 24, 2020, 11:52am

yeah, Expo seems to be fundamentally flawed - and that no-one from Expo was responded makes me think maybe they don’t have a fix…

erikhellmanhellsoft · June 24, 2020, 12:33pm

I submitted an issue on their GitHub repo as well.

github.com/expo/expo

Suspicious permissions added in release build for Android

opened 09:42AM - 24 Jun 20 UTC

closed 07:17PM - 30 Jul 20 UTC

ErikHellman

needs more info Android Investigating internally Device

## 🐛 Bug Report ### Summary of Issue (just a few sentences) When building a …release build for Android, suspicious permissions are added that we can't remove with a custom AndroidManifest.xml. This caused our app to be suspended by Google. ### Environment - output of `expo diagnostics` & the platform(s) you're targeting Expo CLI 3.21.9 environment info: System: OS: macOS 10.15.5 Shell: 5.7.1 - /bin/zsh Binaries: Node: 12.17.0 - ~/.nvm/versions/node/v12.17.0/bin/node npm: 6.14.4 - ~/.nvm/versions/node/v12.17.0/bin/npm IDEs: Xcode: 11.5/11E608c - /usr/bin/xcodebuild npmPackages: expo: ^37.0.0 => 37.0.7 react: 16.9.0 => 16.9.0 react-native: https://github.com/expo/react-native/archive/sdk-37.0.1.tar.gz => 0.61.4 react-navigation: ^3.11.1 => 3.11.1 ### Reproducible Demo Any build we make seem to add the following `uses-permission` tags to the manifest of the release APK: ``` <uses-permission android:name="<application ID>.permission.C2D_MESSAGE" /> <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" /> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" /> <uses-permission android:name="android.permission.WAKE_LOCK" /> <uses-permission android:name="host.exp.exponent.permission.C2D_MESSAGE" /> <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" /> <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" /> <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" /> <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" /> <uses-permission android:name="android.permission.STORAGE" /> <uses-permission android:name="android.permission.FOREGROUND_SERVICE" /> <uses-permission android:name="android.permission.USE_BIOMETRIC" /> <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE" /> ``` Especially `android.permission.REQUEST_INSTALL_PACKAGES` causes the review on Google Play Store to trigger and potentially suspend the app. Major issue for us as we can't fix this ourself at the moment.

sja_digitalcomms · June 24, 2020, 12:35pm

fantastic - hanks for the link

wodin · June 25, 2020, 11:08am

Hi

There’s some info on the permissions here:

    /*
      List of additional permissions the standalone app will request upon installation,
      along with the minimum necessary for an Expo app to function.

      To use ALL permissions supported by Expo, do not specify the "permissions" key.

      To use ONLY the following minimum necessary permissions and none of the extras supported
      by Expo, set "permissions" to []. The minimum necessary permissions do not require a
      Privacy Policy when uploading to Google Play Store and are:

      • receive data from Internet
      • view network connections
      • full network access
      • change your audio settings
      • draw over other apps
      • prevent device from sleeping

      To use the minimum necessary permissions ALONG with certain additional permissions,
      specify those extras in "permissions", e.g.

      ["CAMERA", "RECORD_AUDIO"]

      ExpoKit: to change the permissions your app requests, you'll need to edit
      AndroidManifest.xml manually. To prevent your app from requesting one of the
      permissions listed below, you'll need to explicitly add it to `AndroidManifest.xml`
      along with a `tools:node="remove"` tag.
    */

As far as I know those are all required for functionality that is built in to Expo (e.g. OTA updates, etc.). I think that if you want an app that does not have the above permissions you will need to eject to the Bare workflow.

EDIT: I’m not sure what some of the permissions listed in your first message are for and at least android.permission.REQUEST_INSTALL_PACKAGES is quite surprising.

erikhellmanhellsoft · June 25, 2020, 1:37pm

Here is the support page for Play Store that talks about deceptive behaviour: Deceptive Behavior - Play Console Help

Both SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES fall under this.

Google does not allow you to download and install new code for an app from outside Play Store. Android and Google Play actually have a feature for this called app bundles, which is what should be used here.

You can say what you want about these rules, but those are the ones that Google decided on and you might get suspended for breaking them (which is what happened to us).

bycedric · June 25, 2020, 3:31pm

Hi people, first of all I’m sorry for the issues related to permissions on Android. I wrote a reply in GitHub with some context why these permissions are added, what we are going to do next and how you can work around this issue (currently in bare only). Hope this might help some people here as well! See Suspicious permissions added in release build for Android · Issue #8942 · expo/expo · GitHub

system · July 15, 2020, 3:31pm

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Minimum permission on android Expo SDK	1	419	May 13, 2020
google play says the app has more permissions than i asked How to / Third Party Tooling	2	346	August 18, 2020
How to configure android permission after ejecting Expo SDK	1	568	February 10, 2018
no-one from Expo responding to support queries Expo Development Tools	1	383	July 14, 2020
APK build gives me permission errors on Google Play console Expo SDK	2	613	July 12, 2019

Incorrect permissions when uploaded to PlayConsole

Related Topics