App Permissions which are not in the Manifest (FDroid)

App Permissions which are not in the Manifest (FDroid)

2014-10-14

Yesterday, I noticed a small program on fdroid with some strange permission settings:

Dotty [1] is an app to visualize the pressed locations in parallel (multitouch). By common sense, this should not require any permissions. However, to my surprise, it seems to require three permissions:

I thought it would be interesting to find out, what the simple program is up to and I analyzed the source code: the git repository [2] and the tar ball [3]. None of the sources contained the said permissions in the AndroidManifest.xml. For further investigation, I used Androguard [4] which allows insight in a downloaded *.apk-file. Trying the following command unveiled, that no permissions were required by the manifest:

androapkinfo.py -i ./steele.gerry.dotty_2.apk

After further investigation, i noticed that the minimum required android version is set to 1. Apparently these three permissions are automatically added to the permission system, if the minimum android sdk version is three or lower (this equals Android 1.5 or lower). However, the android documentation [5] states, that it requires both, the minimum and the target android sdk version to be three or lower. In case of dotty, the target was set to android apk version 7 (?!).

However, I have to conclude, that thankfully the permission is displayed by my Android (4.4.4) device. Fdroid has (until now) not disappointed me :-)