Android has many SDKs for various usages, from remote API handling to animations. Adding an SDK to your application, such as Retrofit 2.0, is a no-brainer and is even a recommendation. What about less familiar SDKs? What power can an unfamiliar SDK have over your application? Can an SDK add permissions to your application without you knowing about it?

Having a successful application suddenly display a permission that has nothing to do with the app can be disastrous and can result in users abandoning it.

Can any SDK insert permission stealthily into our application?

Manifest Permissions

I am using the location permission in this article, but everything here applies to any other permission as well.

I have created an application and, inside it, a library module. All the library module contains is a manifest that declares the location permission.

Assembling the APK and analyzing it reveals to us that our application indeed has a location permission, thanks to our innocent SDK.

How did our application receive a new permission?

When an APK file is generated, the build merges the manifest files of all modules and library dependencies with the application manifest into a single, combined manifest file.

Our library’s manifest, containing location permission, and our application manifest merged into a single manifest file that contains the data of both.

The solution is quite simple. We can add a single line to our application manifest that states: do not merge this permission into the assembled manifest.

<!-- tools:node="remove" needs xmlns:tools="http://schemas.android.com/tools" declared on the <manifest> element -->
<uses-permission android:name="ANY_PERMISSION" tools:node="remove"/>
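The line above removes a permission you already know about. To catch ones you do not, the following build-time gate (an added example, not code from the original article) compares the permissions reported for the assembled APK against an allowlist and fails when anything else has been merged in. It assumes the dump is produced by `aapt dump permissions app.apk`; the sample dump and allowlist embedded below are constructed for illustration.

```shell
#!/bin/sh
# Build-time gate: compare the permissions declared in the merged manifest of an
# assembled APK (as reported by `aapt dump permissions app.apk`) against an
# allowlist the team maintains, and fail when an SDK has merged in anything extra.

# Print the permission names found in a permissions dump read from stdin, sorted.
# Accepts both "uses-permission: android.permission.X" and
# "uses-permission: name='android.permission.X'" line shapes.
declared_permissions() {
  sed -n 's/^uses-permission: *//p' | sed "s/^name='//; s/'.*$//" | sort -u
}

# Print every declared permission that is not on the allowlist.
# $1: file holding the dump, $2: allowlist file (one permission name per line).
unexpected_permissions() {
  declared_permissions < "$1" | grep -vxF -f "$2" || true
}

# Return 1 (fail the build) if anything not on the allowlist is declared.
check_permissions() {
  extra=$(unexpected_permissions "$1" "$2")
  if [ -n "$extra" ]; then
    echo "Unexpected permissions in merged manifest (see the Merged Manifest tab):" >&2
    echo "$extra" >&2
    return 1
  fi
  return 0
}

# Constructed sample data, not output captured from any real APK: the library's
# manifest has pulled the location permission into the merged manifest.
DUMP=$(mktemp); ALLOW=$(mktemp)
cat > "$DUMP" <<'EOF'
package: com.example.host
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
EOF
cat > "$ALLOW" <<'EOF'
android.permission.INTERNET
EOF

# In a CI step this failure would stop the build; here we only report it.
check_permissions "$DUMP" "$ALLOW" || echo "build would be failed here"
```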

Runtime Permissions

Android adds a further complication when the application runs on an API 23+ device and the permission is classified as dangerous: declaring it in the manifest is not enough, it must also be granted by the user at runtime.

How can the SDK ask for runtime permissions?

ActivityCompat.requestPermissions(
        activity,
        new String[]{Manifest.permission.ACCESS_FINE_LOCATION},
        REQUEST_CODE); // an int the caller chooses to identify this request in onRequestPermissionsResult()

It’s evident from the documentation that an Activity instance is required to request runtime permissions.

Can an SDK request a runtime permission if it does not have an Activity instance of its own? It actually can, by obtaining the Application instance instead. All it has to do is provide a class that implements Application.ActivityLifecycleCallbacks and register it with registerActivityLifecycleCallbacks(); the callbacks then hand it the host app’s Activity instances, and on any event in which an Activity is visible (onActivityResumed(), for example) it can request the permission through that Activity.

Putting the two together: if the application manifest removes the permission with the line from the previous section but the SDK still requests it at runtime, the behavior is not well defined because of Android’s fragmentation. I had an application crash on one device, and nothing happened on another.

Conclusion

SDKs have the power to add permissions. However, with some caution, such as checking the merged manifest of the assembled app (via the APK analyzer or the Merged Manifest tab in Android Studio), you can prevent unnecessary complications. So, the next time you add an unfamiliar SDK, be aware that it can add an unwanted secret passenger to your manifest.