PhoneGap Permissions SCAM?

  • 1
  • Question
  • Updated 3 years ago
Why are ALL the permissions enabled for ALL builds? Why can't they be shut off in config.xml? Why do I have to edit the APK to get PhoneGap to shut off required permission? Is this some kind of scam that PhoneGap is pulling?
Photo of Paul Bennett

Paul Bennett

  • 9 Posts
  • 0 Reply Likes
  • PISSED OFF

Posted 4 years ago

  • 1
Photo of JesseMonroy650 (Volunteer)

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Paul,
welcome to Phonegap.

You want to add the follow line to your config.xml

<preference name="permissions" value="none"/>

This FAQ should also help. Read the bold sentences.
Top Mistakes by Developers new to Cordova/Phonegap

Jesse
Photo of Paul Bennett

Paul Bennett

  • 9 Posts
  • 0 Reply Likes
Dear Champ,
If you had ever attempted to make a Phonegap app you would know that this does not work. To forestall any further simpleminded replies, I have also tried the pathetic "ConfiGap" tool so often recommended on Phonegap forums. I have read the FAQ (it mentions nothing about Permissions). I have read ALL the complaints (many from years ago) on ALL the forums about the inability to disable these unnecessary permissions.

To make myself extra clear, I am speaking about the 17 unnecessary permissions required foisted upon Cordova users for unknown reasons. To wit:
Required permissions 17 permissions
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
android.permission.ACCESS_NETWORK_STATE
android.permission.CAMERA
android.permission.GET_ACCOUNTS
android.permission.INTERNET
android.permission.MODIFY_AUDIO_SETTINGS
android.permission.READ_CALL_LOG
android.permission.READ_CONTACTS
android.permission.READ_EXTERNAL_STORAGE
android.permission.RECORD_AUDIO
android.permission.RECORD_VIDEO
android.permission.VIBRATE
android.permission.WRITE_CALL_LOG
android.permission.WRITE_CONTACTS
android.permission.WRITE_EXTERNAL_STORAGE

If you do not perform the following ridiculous procedure, your apps will also have all 17 "required permissions":

java -jar apktool.jar decode MyAwesome.apk
notepad MyAwesome\AndroidManifest.xml
erase MyAwesome.apk
java -jar apktool.jar build MyAwesome MyAwesome.apk
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mykeystore MyAwesome.apk myalias
zipalign -f -v 4 MyAwesome.apk

My question is, WHY does Phonegap force its apps to leave all these scammy backdoors open? Is this some kind of collaboration with the NSA?
Photo of JesseMonroy650 (Volunteer)

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Paul,
CHILL.
Jesse
Photo of Paul Bennett

Paul Bennett

  • 9 Posts
  • 0 Reply Likes
Very helpful! Keep up the good work Champ.
Photo of JesseMonroy650 (Volunteer)

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Paul,
all my apps build with correct permissions. I have NO extra permissions. Please post your config.xml.

I would appreciate a civil tone. I do not get paid to do this. And I understand your frustration. We will resolve your issue.

Jesse

When posting code, please use some HTML (like <code></code>). (see attached image)
Photo of Paul Bennett

Paul Bennett

  • 9 Posts
  • 0 Reply Likes


SIMPLE APP
SIMPLE APP
phonegapscam

Creates

Photo of Paul Bennett

Paul Bennett

  • 9 Posts
  • 0 Reply Likes

<widget xmlns="http://www.w3.org/ns/widgets" xmlns:gap="http://phonegap.com/ns/1.0" id="com.phonegapscam.simpleapp" version="1.1.0">
<name>SIMPLE APP</name>
<description>SIMPLE APP</description>
<author href="http://phonegapscam.com" email="support@phonegapscam.com">phonegapscam</author>
<content src="index.html"/>
<preference name="permissions" value="none"/>
</widget>

creates

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:installLocation="internalOnly" android:windowSoftInputMode="adjustPan" package="com.phonegapscam.simpleapp" platformBuildVersionCode="22" platformBuildVersionName="5.1.1-1819727">
<supports-screens android:anyDensity="true" android:largeScreens="true" android:normalScreens="true" android:resizeable="true" android:smallScreens="true" android:xlargeScreens="true"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.GET_ACCOUNTS"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.RECORD_VIDEO"/>
<uses-permission android:name="android.permission.VIBRATE"/>
<uses-permission android:name="android.permission.WRITE_CONTACTS"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-feature android:name="android.hardware.camera" android:required="false"/>
<application android:hardwareAccelerated="true" android:icon="@drawable/icon" android:label="@string/app_name">
<activity android:configChanges="locale|keyboard|keyboardHidden|orientation|screenSize" android:label="@string/app_name" android:name=".SIMPLEAPP" android:screenOrientation="unspecified" android:windowSoftInputMode="adjustUnspecified|stateUnspecified">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
</application>
</manifest>

Photo of JesseMonroy650 (Volunteer)

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
I'll have an answer for you soon.
Jesse
Photo of JesseMonroy650 (Volunteer)

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Paul,
I used your config.xml with NO CHANGES.

Source code:
try-base-build

Downloadable Android App:
SIMPLE APP 1.1.0

INSTALL SCREEN



RUNNING APP



If you drink, have a beer and respond.

Jesse
Photo of Paul Bennett

Paul Bennett

  • 9 Posts
  • 0 Reply Likes
So are you calling me a liar? Or is this a "neener neener I can do it" response?

How does that help? Are you saying that no one has to physically remove the unwanted permissions from the manifest?

How do you think I learned how to solve the problem? The answer: other frustrated victims of the Phonegap "community".

I just removed the unwanted permissions the hard way. I had to download jarsigner and zipalign to do it.

This is the problem with software excreted from monsters like adobe. There's no one who knows what is going on. Some people get it to work the first time and they dance for joy. The rest are ignored.

You are not a problem solver, you are a lucky dog.
Photo of JesseMonroy650 (Volunteer)

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Paul,
So are you calling me a liar?
Not calling you a liar.

Or is this a "neener neener I can do it" response?
No.

How does that help? Are you saying that no one has to physically remove the unwanted permissions from the manifest?
Yes. You do not to physically remove the permission. Sometimes Phonegap Build gets stuck when doing a build ---- AND sometimes the permissions are not correct at install time. However, this can be fixed.

How do you think I learned how to solve the problem? The answer: other frustrated victims of the Phonegap "community".
There are no victims.

I just removed the unwanted permissions the hard way. I had to download jarsigner and zipalign to do it.
Awesome. I'm glad you have that skill. However, I accomplished the same, but I did not do what you did.

This is the problem with software excreted from monsters like adobe. There's no one who knows what is going on. Some people get it to work the first time and they dance for joy. The rest are ignored.
The software is Open Source. You are welcome to download all the pieces and reproduce what everyone else has.

Those that are ignored, are doing so because they have given up. AND yes there are many, many developers who have given up.

You are not a problem solver, you are a lucky dog.
If I am a lucky dog - as you say, then I should buy a lottery ticket.

What would you like to do?
Have you tested my source code?
Were you able to reproduce my results? This is why I gave you a link to the source code.

Jesse
Photo of Paul Bennett

Paul Bennett

  • 9 Posts
  • 0 Reply Likes
OK, I created another app and made sure the config file was correct the first time and everything went smooth. The problem crops up when the config file has unneeded permissions when first loaded. The root of the problem is the fact that Phonegap's config mode="delete" does not work.

The docs say "delete will search for elements matching the specifed name and attributes and delete them." It does not. In fact, the build fails if the following code is added:


<uses-permission android:name="android.permission.INTERNET" mode="delete"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" mode="delete"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" mode="delete"/>
<uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS" mode="delete"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" mode="delete"/>
<uses-permission android:name="android.permission.CAMERA" mode="delete"/>
<uses-permission android:name="android.permission.GET_ACCOUNTS" mode="delete"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" mode="delete"/>
<uses-permission android:name="android.permission.READ_CONTACTS" mode="delete"/>
<uses-permission android:name="android.permission.RECORD_AUDIO" mode="delete"/>
<uses-permission android:name="android.permission.RECORD_VIDEO" mode="delete"/>
<uses-permission android:name="android.permission.VIBRATE" mode="delete"/>
<uses-permission android:name="android.permission.WRITE_CONTACTS" mode="delete"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" mode="delete"/>
<uses-feature android:name="android.hardware.camera" android:required="false" mode="delete"/>


http://docs.build.phonegap.com/en_US/...

However, sometime during the battle I somehow changed the APK build name and at that point the manifests began coming up free of all those unwanted permissions.

So the end the result was this:
1. Don't add permissions you don't need
2. You can remove the permissions by editing the manifest (a pain in the ass, and you have to do it again every rebuild)
3. Renaming the APK seemed to solve the problem permanently. No, I don't know how I did it.

Finally, I admire the way you held up to my childish rants.
Photo of jcesarmobile

jcesarmobile

  • 283 Posts
  • 40 Reply Likes
good finding, I think you should file an issue to make sure phonegap build team can fix this https://github.com/phonegap/build/issues
Photo of JesseMonroy650 (Volunteer)

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Paul,
it is okay. I'm sure that when I started I felt similar. I've been working with Open Source the late 80s. At this point, very few things tweak me. The only thing that gets to me is when someone does not really speak English, but pretends to. In this forum there is no way to tell.

Anyway. Have a beer, if you drink. Don't sweat it. Go on to the next frustrating thing. ;-)

This FAQ should also help. Read the bold sentences.
Top Mistakes by Developers new to Cordova/Phonegap

Best of Luck
Jesse
Photo of Petra V.

Petra V., Champion

  • 7794 Posts
  • 1391 Reply Likes
There's just one more strange thing that struck me while reading this thread with my first cup of coffee this morning:

platformBuildVersionName="5.1.1-1819727"

Why would PGB present itself as 'version 5.1.1', although the default version (with which the above demo app was built) is 'cli-5.2.0' and not 'cli-5.1.1' anymore?
Did they merely forget to change the generated version value, or is 'cli-5.2.0' a hoax?

The only thing that gets to me is when someone does not really speak English, but pretends to.
Yeah. Non-native speakers....pain in the rear end!
SCNR
Photo of jcesarmobile

jcesarmobile

  • 283 Posts
  • 40 Reply Likes
Sorry for that, I'll ask adobe for a non-native forum where we don't disturb native speakers with our mistakes.

Oh, wait, they created new forums with a translate function,< sarcasm> I'm sure this will make communication simpler </ sarcasm>
Photo of JesseMonroy650 (Volunteer)

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Petra,
yep. my stress for the day was with this thread. All done now. Developer not so pissed off.

310 days till Donald Trump destorys the world. ;-)

Have a good day. It's 1:50am in El Paso, Texas.
Jesse
Photo of Kevin Holloway

Kevin Holloway

  • 1 Post
  • 0 Reply Likes
for what it's worth I found this thread when trying to delete the GET_ACCOUNTS permission from a build

my final solution which does now build is:
  <config-file platform="android" parent="/manifest" mode="delete">
    <uses-permission android:name="android.permission.GET_ACCOUNTS" />
  </config-file>

but you need the following addtional line within <widget>
xmlns:android="http://schemas.android.com/apk/res/android";

kevin