Say goodbye to default Android Permissions

18 February 2013

Say goodbye to default Android Permissions

In the past month, we’ve been focusing Corona daily builds on lots of small details, and in particular, what I call invisible issues. These are the kinds of things issues that don’t make sense to address in the short-term, but are vital to the long-term health of the platform.

One such invisible issue has been Android permissions, or more precisely, the default permissions. In the past, we used to turn on several default permissions on by default:

• INTERNET
• READ_PHONE_STATE
• ACCESS_NETWORK_STATE

However, this meant we were imposing certain permissions for apps that didn’t need them. And many app store reviews would unfairly penalize apps in those cases.

To remedy this, we’ve been wanting to get rid of these defaults. In fact we’ve been wanting to get rid of them for awhile, but as we looked into this more deeply, we realized this was quite a big issue to tackle — if we were to do this correctly.

Well, I’m happy to report that we have finally powered through this and starting in daily build 1030, the default permissions are gone!

Now, we could have taken the naive approach. That would have meant just removing permissions and letting you figure out what permissions to add back in. However, this has serious drawbacks. For example, if your app made a web API call and didn’t have the INTERNET permission set, it would crash and you’d be left wondering why.

So in true Corona Labs fashion, we wanted to give you more control while also preserving the experience of using Corona. That meant going through API by API and seeing which APIs were affected by these permission changes.

Now when you use an API and forget to set a permission, we trap the OS-generated exception before it kills the app. We then throw an alert up, like the one shown here, informing you of which permission is missing. That kind of feedback makes your life incredibly easy because you know exactly what went wrong.

In practice, this means you’ll need to pay more attention to the permissions you list in build.settings, as certain APIs will require Android permissions to function properly. In addition, if you use certain 3rd party services, you may be implicitly using permissions. In our samples, we try to show you which ones are needed and why.

For example, if you need to make a web API call, you would need to add the INTERNET permission:

settings =
{
android =
{
usesPermissions =
{
"android.permission.INTERNET",
},
},
}

We’ve updated the build.settings files in all our sample code to properly show you how to do this and also updated the daily build API documentation. The following events, libraries, library functions, and object methods are affected:

• heading events
• location events
• ads library
• analytics library
• display.capture()
• display.captureBounds()
• display.captureScreen()
• facebook library
• gameNetwork library
• media.newRecording()
• media.playVideo()
• media.save()
• media.show()
• native.newMapView()
• native.newWebView()
• native.showWebPopup()
• network.download()
• network.request()
• socket library
• store.init()
• system.getInfo()
• system.scheduleNotification()
• system.vibrate()
• mapView:getUserLocation()
• mapView.isLocationVisible()
• recording:startRecording()
• webView:request()