Play Install Referrer Library Adding WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE permissions

Question

We are trying to update Google Play Install Referrer Library and

Internally it's adding some external read write permissions.

<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />

Do we really need to stick with the permissions ?

dependency implementation 'com.android.installreferrer:installreferrer:1.1

Source https://developer.android.com/google/play/installreferrer/library.html

Answer 1

Edit: Solution: Version 1.1.2 (and above) solves this issue.

From this answer:

This is because they have added a dependency to

com.google.android.gms:play-services-measurement:17.2.1

Which adds those permissions.

You can find it on the file: manifest-merger-blame-debug-report.txt which is under "yourApp/build/intermediates/manifest_merge_blame_file/debug"

It's a bug. Also, installreferrer 1.1.1 doesn't solve it.

Solution: Update to installreferrer 1.1.2 or any version above (current version is 2.1`)

Obsolete:

Easiest solution is to downgrade installreferrer back to 1.0 for now.

But if you need this version, you can add:

<uses-permission android:name="<permission_name>" tools:node="remove" />

To disable it. But know that if you'll use any API which needs it inside the library, it could lead to a crash, so I won't recommend doing so.

Answer 2

Quoting from this answer (and completing):

Version 1.1 and 1.1.1 are missing "minSdkVersion". This would automatically add those permissions (because the default SDK < 4 as said by @thiagolr). See similar issue here: Google Play Services 12.0.1.

Solution

Version 1.1.2 solves this issue.

Details

Manifest.xml for v1.0 (from https://mvnrepository.com/artifact/com.android.installreferrer/installreferrer/1.0)

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.installreferrer" >

    <uses-sdk
        android:minSdkVersion="8"
        android:targetSdkVersion="22" />

    <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE" />

    <application />

</manifest>

Manifest.xml for v1.1 (from https://mvnrepository.com/artifact/com.android.installreferrer/installreferrer/1.1)

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.installreferrer">

    <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE" />

    <application />

</manifest>

Answer 3

1.1.2 is released, it adds minSdkVersion correctly.

<uses-sdk
    android:minSdkVersion="8"
    android:targetSdkVersion="22" />

Answer 4

These permissions are added because com.android.installreferrer has a targetSdkVersion < 4. You can see it on the manifest-merger-release-report.txt file located on Temp\gradleOut\build\outputs\logs folder inside your project. This is a bug and it will probably be fixed on a newer version.

In order to fix this, you need to find out which plugin is adding com.android.installreferrer as dependency.

---

In my project, the culprit was the Facebook plugin. It uses the com.facebook.android:facebook-core:5.15.x package which is responsible for adding the com.android.installreferrer:installreferrer:1.1 dependency.

The solution was to rollback to com.facebook.android:facebook-core:5.13.0, which doesn't have a com.android.installreferrer dependency.

Edit the file FacebookSDK/Plugins/Editor/Dependencies.xml and change these packages to:

<androidPackage spec="com.facebook.android:facebook-core:[5,5.13.0)" />
<androidPackage spec="com.facebook.android:facebook-applinks:[5,5.13.0)" />
<androidPackage spec="com.facebook.android:facebook-login:[5,5.13.0)" />
<androidPackage spec="com.facebook.android:facebook-share:[5,5.13.0)" />

Next, don't forget to resolve the dependencies again: Assets > Play Services Resolver > Android Resolver > Force Resolve

Answer 5

Install referrer adds this permission due to the fact that the targetSdkVersion is a value lower than the version in which the restriction was added. If you take a look at generated manifest-merger-report in the build folder of your app, you can see this information:

uses-permission#android.permission.READ_PHONE_STATE
IMPLIED from android/app/src/main/AndroidManifest.xml:1:1-130:12 reason: com.android.installreferrer has a targetSdkVersion < 4

Information on how this implicit system permission works on Android can be found in this documentation : https://developer.android.com/studio/build/manifest-merge#inspect_the_merged_manifest_and_find_conflicts

Answer 6

One could theoretically remove them altogether with the manifest-merger:

<manifest
    xmlns:tools="http://schemas.android.com/tools">

    <uses-permission android:name="android.permission.READ_PHONE_STATE" tools:node="remove" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" tools:node="remove" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" tools:node="remove" />

</manifest>

But if the library will then still work as expected is another story -

it's rather an exception, that a Google library requires unnecessary permissions.

The release notes and the documentation do not mention permissions.

Answer 7

I've also come across this issue.

But in my case, the 1.1 version is also adding the READ_PHONE_STATE permission

<uses-permission android:name="android.permission.READ_PHONE_STATE"/>

I've decompiled the .aar file for installreferrer:1.1 and checked the manifest and pom file, there is nothing in those files to indicate that these permissions should be added.
The library manifest file only adds this permission (which is always has in previous versions):

<uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"/>

I haven't been able to find any official information regarding this.
But other Google libraries have had issues in the past with adding additional, unneeded, permissions, which have then been removed in a hotfix version shortly after.
For example, this:
Why has the READ_PHONE_STATE permission been added?

So i hope the same is gonna happen here.