Cordova Plugins: Review Unnecessary Permissions

If you went through the article on adding social sharing feature in HTML5 game using Intel XDK, it seemed like a simple plugin which should not require any permission but after adding the plugin and few more other plugins I found that WRITE_EXTERNAL_STORAGE permission was added in my android app so I checked all plugins one by one to see which plugin is adding what permissions and found out that WRITE_EXTERNAL_STORAGE permission was being added by social sharing plugin.

Cordova Plugin Permissions

When I checked developer notes (quoted below) I found that the permission was not required in my case, since I was not fetching any remote images for sharing.

For sharing remote images (or other files) on Android, the file needs to be stored locally first, so add this permission to AndroidManifest.xml:

<uses-permission android:name=android.permission.WRITE_EXTERNAL_STORAGE />

In fact it was just a simple play store URL which I was sharing in my app so it was an unnecessary permission in my app which was going to scare a few customers who were very sensitive about permissions they had to give while installing an app so I decided to remove the permission. Intel XDK had no option is modify permissions so it went down to manual edit.

Once you have exported the build package from Intel XDK, and added the platform using cordova cli tools (check blog post for more details), look at following 3 places and remove.

Go to plugins folder, find the plugin and edit plugin.xml and remove following section

    <config-file target="AndroidManifest.xml" parent="/*">
      <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    </config-file>

Go to platforms –> android folder, find AndroidManifest.xml, edit this file and remove following line

<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

Go to platforms –> android folder, find android.json, edit this file and remove the permission. Be careful and make sure edited file remains a valid json.

            "AndroidManifest.xml": {
                "parents": {
                    "/*": [
                        {
                            "xml": "<uses-permission android:name=\"android.permission.WRITE_EXTERNAL_STORAGE\" />",
                            "count": 1
                        },
                        {
                            "xml": "<uses-permission android:name=\"android.permission.INTERNET\" />",
                            "count": 1
                        },
                        {
                            "xml": "<uses-permission android:name=\"android.permission.ACCESS_NETWORK_STATE\" />",
                            "count": 1
                        }
                    ],

Now build APK and check for permissions and related functionalities. Everything works just fine so we got the learning to always go through developer notes to find out why certain permissions are required and if we are not going to use respective features, then we may just get away with removing those permissions. We do need to properly test to make sure nothing breaks after removing the permissions but unnecessary permissions are always going to scare a few customers off so it is worth risk taking.


Leave A Comment

Your email address will not be published. Required fields are marked *