Release APK Permissions

#1

I’m looking for a way to remove some permissions requested in the release apk generated from expo.
It seems to ask for a lot of permissions. Is there a way I can avoid the release build from requiring some of those permissions?

6 Likes
"Permit drawing over other apps" pop up - how to disable it?
APK Permissions Update by Google
#2

Hi there!

The build we generate for you contains the Expo SDK, so it still needs those permissions by default. This is part of what allows you to publish JS updates over-the-air to your users without changing the android apk.

You do have the option to detach to ExpoKit, which allows you to control all the settings on the native Android project. I don’t really recommend this because it will introduce a lot more work for you, but it is available.

In the longer term we hope to offer some middle ground solution for this, but right now we just haven’t built that yet.

1 Like
Removing Android Permissions But Keeping The Ones Relevant for JS over-the-air Expo Updates
#3

Thank you so much for your quick response.

#4

Would be nice if the Expo team can prioritize this feature, because I (and many others) are skeptical about excessive permissions. I am creating an app to show where people can find city bikes, and I am never going to need to get access to camera, phone book, mic., contacts, file access etc.

6 Likes
#5

Yes, this feature would be helpful. :thumbsup:

1 Like
#6

Google is warning me that the new Expo version of my app is going to request additional permissions that I don’t need:

ACCESS_FINE_LOCATION
CAMERA
READ_CONTACTS
RECORD_AUDIO
INSTALL_SHORTCUT

#7

I have detached Expo. How do I reduce permissions?

#8

I have the same problem, any help would be much appreciated.

Thanks

#9

Agreed, this a dealbreaker. I’m holding off an android release as all of these permission requirement promots when none are needed are going to bomb my app ratings.

#10

I think you can try to modify the AndroidManifest in the detached android directory (android/app/src/main/AndroidManifest.xml).
Use tools:node=“remove” in the permission element that you want to exclude in your release build.
Ex: <uses-permission tools:node=“remove” android:name=“android.permission.RECORD_AUDIO” />
It works for me with the regular react-native app. :slight_smile:

2 Likes
#11

Thanks. this seems to work fine. When I detached the app, I am running “gradlew assembleRelease” to build the Android app.

Btw need to add " xmlns:tools=“http://schemas.android.com/tools” " at the top of the file as well.

2 Likes
#12

@toupilsner once you detached app and modified manifest file, how do you bundle it apk file?
Could you also paste here you sample manifest file?

Thanks

#13

From my understanding of the detach process is that when the app is detached it works just like a regular react-native app. You need to get signing keys etc.

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest package="com.a.a"
          xmlns:tools="http://schemas.android.com/tools"
          xmlns:android="http://schemas.android.com/apk/res/android">

  <application
    android:name=".MainApplication"
    android:allowBackup="true"
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:supportsRtl="true">
    <activity android:name=".MainActivity"
              android:configChanges="keyboard|keyboardHidden|orientation|screenSize"
              android:theme="@style/Theme.Exponent.Light"
              android:windowSoftInputMode="adjustResize">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>

        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>

      <intent-filter>
        <data android:scheme="expeb9fc5e9b3bb46518ab440b9cb015f5c"/>

        <action android:name="android.intent.action.VIEW"/>

        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
      </intent-filter>
    </activity>
    <meta-data
      android:name="com.google.android.geo.API_KEY"
      android:value="XXXXXXXXXXXXX"/>
  </application>
  <uses-permission tools:node="remove" android:name="android.permission.READ_CALENDAR" />
  <uses-permission tools:node="remove" android:name="android.permission.WRITE_CALENDAR" />
  <uses-permission tools:node="remove" android:name="android.permission.CAMERA" />
  <uses-permission tools:node="remove" android:name="android.permission.READ_CONTACTS" />
  <uses-permission tools:node="remove" android:name="android.permission.WRITE_CONTACTS" />
  <uses-permission tools:node="remove" android:name="android.permission.GET_ACCOUNTS" />
  <uses-permission tools:node="remove" android:name="android.permission.RECORD_AUDIO" />
  <uses-permission tools:node="remove" android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission tools:node="remove" android:name="android.permission.CALL_PHONE" />
  <uses-permission tools:node="remove" android:name="android.permission.READ_CALL_LOG" />
  <uses-permission tools:node="remove" android:name="android.permission.WRITE_CALL_LOG" />
  <uses-permission tools:node="remove" android:name="android.permission.ADD_VOICEMAIL" />
  <uses-permission tools:node="remove" android:name="android.permission.USE_SIP" />
  <uses-permission tools:node="remove" android:name="android.permission.PROCESS_OUTGOING_CALLS" />
  <uses-permission tools:node="remove" android:name="android.permission.BODY_SENSORS" />
  <uses-permission tools:node="remove" android:name="android.permission.SEND_SMS" />
  <uses-permission tools:node="remove" android:name="android.permission.RECEIVE_SMS" />
  <uses-permission tools:node="remove" android:name="android.permission.READ_SMS" />
  <uses-permission tools:node="remove" android:name="android.permission.RECEIVE_WAP_PUSH" />
  <uses-permission tools:node="remove" android:name="android.permission.RECEIVE_MMS" />
  <uses-permission tools:node="remove" android:name="android.permission.READ_EXTERNAL_STORAGE" />
  <uses-permission tools:node="remove" android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
</manifest>

I am removing more permissions that is necessary, but this is not a problem. Only thing I need is geolocation

Disclaimer: This is my first React-native/Expo app, so it is a bit “touch and go” at my part to get this working :slight_smile:

1 Like
#14

It is very usefull feature. My Expo app is released in Google Play with big list of permissions. I want to reduce list of permissions. If i will detach it with ExpoKit (i don’t want to do this) i will lost my certificate (that was generated by Expo) because i have builded app through exp build:android and i will need to create new app in google play.

#15

Vote it up here:

https://expo.canny.io/feature-requests/p/customize-android-permissions

2 Likes
#16

What about the same permissions reduction in iOS? I have a detached app and need to get it through the Apple approval process.

#17

iOS permissions aren’t required in advance like on Android, they are requested at runtime. So your iOS detached app will only ask for the permissions that you tell it to with your code.

If you do need to ask for permissions in an iOS detached app, make sure you add the corresponding *UsageDescription key to your Info.plist (see Apple docs). We do not provide it for you by default.

#18

I am OK to have these permissions even if I don’t need them, but the Play Store refuses to publish my app because of these permissions. I get this message :

Why can’t I publish?
You need to complete the points below before you can publish your application.
Your app has an apk with version code 1 that requests the following permission(s): android.permission.CAMERA,android.permission.RECORD_AUDIO,android.permission.READ_PHONE_STATE,android.permission.READ_CONTACTS. Apps using these permissions in an APK are required to have a privacy policy set.

So how do I set this privacy policy set in the APK without detaching ?

#19

Replying to myself : you can set the privacy policy on the play store at the end of the Store listing page.

#21

This outweighs almost all the good things I found yet with Expo.
I would personally never install an app which requires access to my contacts; unless I was absolutely sure this was a necessary.
Yes you can detach, but then you lose all the benefits from “separate js-downloads”.
This is as bryanmanio have pointed out, a dealbreaker!