all messages for Emacs-related lists mirrored at yhetil.org
* Making default permissions on Android more restrictive
@ 2023-09-13 12:07 Stefan Kangas
  2023-09-13 12:34 ` Po Lu
  2023-09-14  7:21 ` Jean Louis
  0 siblings, 2 replies; 10+ messages in thread
From: Stefan Kangas @ 2023-09-13 12:07 UTC (permalink / raw)
  To: emacs-devel; +Cc: Po Lu, Eli Zaretskii

[I couldn't find any previous discussion about this.]

1.

a) I don't see why Emacs should be asking for these permissions on
   Android 5.1 and earlier:

    RECORD_AUDIO
    CAMERA
    ACCESS_COARSE_LOCATION

b) These permissions also make me rather uneasy:

    REQUEST_INSTALL_PACKAGES
    REQUEST_DELETE_PACKAGES

c) Finally, these seem rather dubious to me:

    READ_SMS
    RECEIVE_SMS
    SEND_SMS
    WRITE_SMS
    RECEIVE_MMS
    READ_CONTACTS
    WRITE_CONTACTS

Are there any technical reasons why we need the above permissions?  If
not, can we remove them, at least the ones in category (a) and (b)?

2.

The justification for asking for the above permissions in (info "(emacs)
Android Environment") is:

    While most of these permissions are left unused by Emacs itself,
    they are declared by Emacs as they could be useful for other
    programs; for example, the permission to access contacts may be
    useful for EUDC.

I think this criterion should be changed.  Instead of saying "one can
imagine something like EUDC to be using this", we should decide which
permissions to ask for based on criteria like "package <foo> supports
feature <bar> on Android, and it is highly useful".

3.

I don't understand why we ask for the following permissions, AFAIU on
all versions of Android:

    NFC
    TRANSMIT_IR

Are there any technical reasons to ask for them?  If not, could they be
removed as well?



^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Making default permissions on Android more restrictive
  2023-09-13 12:07 Making default permissions on Android more restrictive Stefan Kangas
@ 2023-09-13 12:34 ` Po Lu
  2023-09-13 13:29   ` Stefan Kangas
  2023-09-13 13:31   ` Stefan Kangas
  2023-09-14  7:21 ` Jean Louis
  1 sibling, 2 replies; 10+ messages in thread
From: Po Lu @ 2023-09-13 12:34 UTC (permalink / raw)
  To: Stefan Kangas; +Cc: emacs-devel, Eli Zaretskii

Stefan Kangas <stefankangas@gmail.com> writes:

> 2.
>
> The justification for asking for the above permissions in (info "(emacs)
> Android Environment") is:
>
>     While most of these permissions are left unused by Emacs itself,
>     they are declared by Emacs as they could be useful for other
>     programs; for example, the permission to access contacts may be
>     useful for EUDC.
>
> I think this criterion should be changed.  Instead of saying "one can
> imagine something like EUDC to be using this", we should decide which
> permissions to ask for based on criteria like "package <foo> supports
> feature <bar> on Android, and it is highly useful".

I think that is too high a bar, given that Emacs must be recompiled
before it is capable of requesting permissions outside the set of
permissions enumerated within its manifest.  Which is to say, unless we
declare these permissions from the outset, such packages will _never_
have a fighting chance of supporting Android.

Most of our users will run Android 6.0 or later, where most of the
permissions Emacs requests by default are in fact disabled until
explicit action is taken to enable them.  Removing these permission
declarations is tantamount to impeding the development of user Lisp code
just to assuage minor security concerns on decade-old installations of
Android.  These versions collectively amount to less than 2.17% of all
Android installations.

> 3.
>
> I don't understand why we ask for the following permissions, AFAIU on
> all versions of Android:
>
>     NFC
>     TRANSMIT_IR
>
> Are there any technical reasons to ask for them?  If not, could they be
> removed as well?

NFC and IR transmission are tasks that someone might conceivably use
Emacs to perform (for example, the other day I observed a package
purporting to save ``smart cards'' into Emacs.)  They're innocuous to
such an extent that Android grants them to all requesting programs by
default.

Thanks.




* Re: Making default permissions on Android more restrictive
  2023-09-13 12:34 ` Po Lu
@ 2023-09-13 13:29   ` Stefan Kangas
  2023-09-13 13:35     ` Po Lu
  2023-09-13 13:31   ` Stefan Kangas
  1 sibling, 1 reply; 10+ messages in thread
From: Stefan Kangas @ 2023-09-13 13:29 UTC (permalink / raw)
  To: Po Lu; +Cc: emacs-devel, Eli Zaretskii

[-- Attachment #1: Type: text/plain, Size: 1220 bytes --]

Po Lu <luangruo@yahoo.com> writes:

> I think that is too high a bar, given that Emacs must be recompiled
> before it is capable of requesting permissions outside the set of
> permissions enumerated within its manifest.  Which is to say, unless we
> declare these permissions from the outset, such packages will _never_
> have a fighting chance of supporting Android.
>
> Most of our users will run Android 6.0 or later, where most of the
> permissions Emacs requests by default are in fact disabled until
> explicit action is taken to enable them.  Removing these permission
> declarations is tantamount to impeding the development of user Lisp code
> just to assuage minor security concerns on decade-old installations of
> Android.  These versions collectively amount to less than 2.17% of all
> Android installations.

Does this mean that if we want users to be able to enable these
capabilities on Android 6.0 or later, they must also be enabled
unconditionally on Android 5.1?  I guess we can live with that.

That said, I still see no need for these capabilities, so I suggest we
simply remove them:

    RECORD_AUDIO
    CAMERA
    ACCESS_COARSE_LOCATION
    REQUEST_INSTALL_PACKAGES
    REQUEST_DELETE_PACKAGES

[-- Attachment #2: 0001-Make-default-permissions-on-Android-more-restrictive.patch --]
[-- Type: text/x-patch, Size: 3156 bytes --]

From ed15bbdd7f1313ff80f988191d84e6c633fa9a02 Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Wed, 13 Sep 2023 15:17:53 +0200
Subject: [PATCH] Make default permissions on Android more restrictive

* java/AndroidManifest.xml.in: Remove some default permissions.
* doc/emacs/android.texi (Android Environment): Document the above.
Ref: https://lists.gnu.org/r/emacs-devel/2023-09/msg00827.html
---
 doc/emacs/android.texi      | 10 ----------
 java/AndroidManifest.xml.in |  8 +-------
 2 files changed, 1 insertion(+), 17 deletions(-)

diff --git a/doc/emacs/android.texi b/doc/emacs/android.texi
index 78e63731ad1..82568e24a9a 100644
--- a/doc/emacs/android.texi
+++ b/doc/emacs/android.texi
@@ -454,8 +454,6 @@ Android Environment
 @item
 @code{android.permission.VIBRATE}
 @item
-@code{android.permission.ACCESS_COARSE_LOCATION}
-@item
 @code{android.permission.ACCESS_NETWORK_STATE}
 @item
 @code{android.permission.INTERNET}
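Review bot: the ChangeLog line in the commit message says android.texi "Document the above", but this hunk and the following one only delete list entries; nothing tells a reader that Emacs no longer declares ACCESS_COARSE_LOCATION, which matters because, as noted earlier in the thread, a permission absent from the manifest cannot be requested by Lisp code without rebuilding Emacs. Either add a sentence near the list naming the permissions that were dropped, or reword the entry to "Remove the corresponding entries".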
@@ -486,16 +484,8 @@ Android Environment
 @item
 @code{android.permission.FOREGROUND_SEVICE}
 @item
-@code{android.permission.REQUEST_INSTALL_PACKAGES}
-@item
-@code{android.permission.REQUEST_DELETE_PACKAGES}
-@item
 @code{android.permission.SYSTEM_ALERT_WINDOW}
 @item
-@code{android.permission.RECORD_AUDIO}
-@item
-@code{android.permission.CAMERA}
-@item
 @code{android.permission.POST_NOTIFICATIONS}
 @end itemize
 
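Review bot: the unchanged context line `@code{android.permission.FOREGROUND_SEVICE}` in this hunk misspells the permission; the manifest hunk below declares `android.permission.FOREGROUND_SERVICE`. Since this patch already edits the surrounding list, fix the name here (or in a separate change) so the manual matches the manifest.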
diff --git a/java/AndroidManifest.xml.in b/java/AndroidManifest.xml.in
index 21bb2af2530..9d8d73f4dc5 100644
--- a/java/AndroidManifest.xml.in
+++ b/java/AndroidManifest.xml.in
@@ -30,13 +30,11 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>. -->
 	  android:versionCode="@emacs_major_version@"
 	  android:versionName="@version@">
 
-  <!-- Paste in every permission in existence so Emacs can do
-       anything.  -->
+  <!-- Add permissions needed for Emacs to do typical tasks.  -->
 
   <uses-permission android:name="android.permission.READ_CONTACTS" />
   <uses-permission android:name="android.permission.WRITE_CONTACTS" />
   <uses-permission android:name="android.permission.VIBRATE" />
-  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
   <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
   <uses-permission android:name="android.permission.INTERNET" />
   <uses-permission android:name="android.permission.SET_WALLPAPER" />
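Review bot: the replacement comment `<!-- Add permissions needed for Emacs to do typical tasks.  -->` overstates what follows: the very next declarations, READ_CONTACTS and WRITE_CONTACTS, are ones the cover message itself lists as unused by Emacs and kept only so that Lisp packages could request them. Suggest wording that states the actual policy, e.g. `<!-- Permissions Emacs itself does not use are declared so that Lisp packages can request them; on Android 6.0 and later each one must still be granted by the user.  -->`.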
@@ -56,11 +54,7 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>. -->
   <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
   <uses-permission android:name="android.permission.WAKE_LOCK"/>
   <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
-  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
-  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
   <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
-  <uses-permission android:name="android.permission.RECORD_AUDIO" />
-  <uses-permission android:name="android.permission.CAMERA" />
 
   <!-- This is required on Android 11 or later to access /sdcard.  -->
 
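Review bot: removing RECORD_AUDIO, CAMERA, REQUEST_INSTALL_PACKAGES and REQUEST_DELETE_PACKAGES here is a user-visible change for Lisp code, because a permission that is not in the manifest cannot be requested at runtime without rebuilding Emacs (see the earlier reply in this thread); the commit message should say so explicitly, and consider whether etc/NEWS needs an entry for packages that currently rely on the microphone or camera.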
-- 
2.42.0



* Re: Making default permissions on Android more restrictive
  2023-09-13 12:34 ` Po Lu
  2023-09-13 13:29   ` Stefan Kangas
@ 2023-09-13 13:31   ` Stefan Kangas
  2023-09-13 13:36     ` Po Lu
  1 sibling, 1 reply; 10+ messages in thread
From: Stefan Kangas @ 2023-09-13 13:31 UTC (permalink / raw)
  To: Po Lu; +Cc: emacs-devel, Eli Zaretskii

Po Lu <luangruo@yahoo.com> writes:

> I think that is too high a bar, given that Emacs must be recompiled
> before it is capable of requesting permissions outside the set of
> permissions enumerated within its manifest.  Which is to say, unless we
> declare these permissions from the outset, such packages will _never_
> have a fighting chance of supporting Android.
>
> Most of our users will run Android 6.0 or later, where most of the
> permissions Emacs requests by default are in fact disabled until
> explicit action is taken to enable them.  Removing these permission
> declarations is tantamount to impeding the development of user Lisp code
> just to assuage minor security concerns on decade-old installations of
> Android.  These versions collectively amount to less than 2.17% of all
> Android installations.

BTW, I think the documentation should be rewritten to focus on recent
Android first, and only then mention what happens for legacy versions.

Assuming I understand this right, perhaps something like:

   • On reasonably recent versions of Android (6.0 and later), Emacs
     only receives the following permissions upon installation:

        − ‘android.permission.VIBRATE’
        − ‘android.permission.ACCESS_NETWORK_STATE’
        − ‘android.permission.INTERNET’
        − ‘android.permission.SET_WALLPAPER’
        − ‘android.permission.NFC’
        − ‘android.permission.TRANSMIT_IR’
        − ‘android.permission.WAKE_LOCK’

     Other permissions must be granted by the user through the system
     settings application.  This is the list of capabilities:

     [long list of capabilities elided]

   • On Android 5.1 and earlier, Emacs automatically gets the
     above list of permissions when it is installed.



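The two messages above describe the mechanics that decide what a manifest entry buys on each Android release: a permission missing from the manifest cannot be requested at all, a "normal" permission is granted at install on every version, and on 6.0 and later the remaining ones stay off until the user enables them. The script below is an added example, not code from Emacs or from anyone in this thread. It parses the `<uses-permission>` entries of a manifest, classifies each by grant model, and lists what a device at a given API level hands over without asking. The protection-level table is transcribed from the Android platform documentation and is an assumption that may lag behind newer releases. The sample manifest is constructed for the example: a subset of the list quoted in this thread, plus one `android:maxSdkVersion` entry and one `<uses-permission-sdk-23>` element, the manifest form Android provides for declaring a permission only on 6.0 and later, which the thread does not discuss.

```python
"""Audit the <uses-permission> declarations of an Android manifest.

Grant models: "install" (normal level, granted silently on every version),
"runtime" (dangerous level: granted at install up to API 22, withheld on
API 23+ until the user grants it), "special" (granted only through a
dedicated Settings screen, never via the ordinary runtime prompt),
"unknown" (not in the table below; look it up before assuming anything).

The protection levels are transcribed from the Android platform docs and
are an assumption that may lag behind newer releases; the script does not
model the API level at which each permission was introduced.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_MAX_SDK = "{%s}maxSdkVersion" % ANDROID_NS

INSTALL_TIME = {
    "VIBRATE", "ACCESS_NETWORK_STATE", "INTERNET", "SET_WALLPAPER", "NFC",
    "TRANSMIT_IR", "WAKE_LOCK", "FOREGROUND_SERVICE", "REQUEST_DELETE_PACKAGES",
}
RUNTIME = {
    "READ_CONTACTS", "WRITE_CONTACTS", "ACCESS_COARSE_LOCATION",
    "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "CAMERA", "READ_SMS", "RECEIVE_SMS",
    "SEND_SMS", "RECEIVE_MMS", "READ_PHONE_STATE", "READ_EXTERNAL_STORAGE",
    "WRITE_EXTERNAL_STORAGE", "POST_NOTIFICATIONS",
}
SPECIAL = {"SYSTEM_ALERT_WINDOW", "REQUEST_INSTALL_PACKAGES", "MANAGE_EXTERNAL_STORAGE"}

# Constructed sample: a subset of the manifest quoted in the thread, plus one
# maxSdkVersion entry and one <uses-permission-sdk-23> element.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.editor">
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.VIBRATE" />
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.NFC" />
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
  <uses-permission android:name="android.permission.WRITE_SMS" />
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="29" />
  <uses-permission-sdk-23 android:name="android.permission.CAMERA" />
</manifest>
"""


def classify(permission):
    """Map a fully qualified permission name to its grant model."""
    short = permission.rsplit(".", 1)[-1]
    if short in INSTALL_TIME:
        return "install"
    if short in RUNTIME:
        return "runtime"
    if short in SPECIAL:
        return "special"
    return "unknown"


def audit(manifest_xml):
    """Return one record per permission element, in manifest order."""
    records = []
    for elem in ET.fromstring(manifest_xml):
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = elem.get(ATTR_NAME)
        if name is None:
            continue
        max_sdk = elem.get(ATTR_MAX_SDK)
        records.append({
            "name": name,
            "model": classify(name),
            # <uses-permission-sdk-23> only takes effect on API 23+ devices.
            "min_api": 23 if elem.tag == "uses-permission-sdk-23" else 1,
            "max_api": int(max_sdk) if max_sdk is not None else None,
        })
    return records


def declared_on(records, api_level):
    """Records whose declaration is in effect on a device at api_level."""
    return [r for r in records if r["min_api"] <= api_level
            and (r["max_api"] is None or api_level <= r["max_api"])]


def granted_at_install(records, api_level):
    """Permission names a device at api_level grants with no user action."""
    # Up to API 22 every declared permission was granted when the user accepted
    # the install prompt; from API 23 on only the "normal" level is silent.
    return sorted(r["name"] for r in declared_on(records, api_level)
                  if api_level < 23 or r["model"] == "install")


def needs_user_action(records, api_level):
    """Declared permissions that stay off until the user enables them."""
    if api_level < 23:
        return []
    return sorted(r["name"] for r in declared_on(records, api_level)
                  if r["model"] in ("runtime", "special"))


if __name__ == "__main__":
    recs = audit(SAMPLE_MANIFEST)
    for api in (22, 23, 33):
        print("API %d granted at install: %s" % (api, granted_at_install(recs, api)))
        print("API %d needs user action:  %s" % (api, needs_user_action(recs, api)))
    print("unclassified, check the docs:",
          [r["name"] for r in recs if r["model"] == "unknown"])
```

Running it prints the three views (API 22, 23 and 33). The `unknown` bucket is deliberate: a name the table does not know should be looked up in the platform documentation rather than assumed harmless, and the same goes for any entry in a real manifest that this table has never seen.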

* Re: Making default permissions on Android more restrictive
  2023-09-13 13:29   ` Stefan Kangas
@ 2023-09-13 13:35     ` Po Lu
  0 siblings, 0 replies; 10+ messages in thread
From: Po Lu @ 2023-09-13 13:35 UTC (permalink / raw)
  To: Stefan Kangas; +Cc: emacs-devel, Eli Zaretskii

Stefan Kangas <stefankangas@gmail.com> writes:

> Does this mean that if we want users to be able to enable these
> capabilities on Android 6.0 or later, they must also be enabled
> unconditionally on Android 5.1?  I guess we can live with that.

Yes.

> That said, I still see no need for these capabilities, so I suggest we
> simply remove them:
>
>     RECORD_AUDIO
>     CAMERA
>     ACCESS_COARSE_LOCATION

ACCESS_COARSE_LOCATION, RECORD_AUDIO and CAMERA are in fact useful.  I
am aware of one package which refers to location, microphone and camera
data, the Telegram client:

  https://github.com/zevlg/telega.el/

>     REQUEST_INSTALL_PACKAGES
>     REQUEST_DELETE_PACKAGES

These are harmless from a security perspective, as they only entitle
Emacs to display an installation dialog from the package manager itself.
They're also useful for debugging and perhaps updating Emacs from within
itself, if we eventually get to that.




* Re: Making default permissions on Android more restrictive
  2023-09-13 13:31   ` Stefan Kangas
@ 2023-09-13 13:36     ` Po Lu
  2023-09-13 13:52       ` Stefan Kangas
  0 siblings, 1 reply; 10+ messages in thread
From: Po Lu @ 2023-09-13 13:36 UTC (permalink / raw)
  To: Stefan Kangas; +Cc: emacs-devel, Eli Zaretskii

Stefan Kangas <stefankangas@gmail.com> writes:

> BTW, I think the documentation should be rewritten to focus on recent
> Android first, and only then mention what happens for legacy versions.
>
> Assuming I understand this right, perhaps something like:
>
>    • On reasonably recent versions of Android (6.0 and later), Emacs
>      only receives the following permissions upon installation:
>
>         − ‘android.permission.VIBRATE’
>         − ‘android.permission.ACCESS_NETWORK_STATE’
>         − ‘android.permission.INTERNET’
>         − ‘android.permission.SET_WALLPAPER’
>         − ‘android.permission.NFC’
>         − ‘android.permission.TRANSMIT_IR’
>         − ‘android.permission.WAKE_LOCK’
>
>      Other permissions must be granted by the user through the system
>      settings application.  This is the list of capabilities:
>
>      [long list of capabilities elided]
>
>    • On Android 5.1 and earlier, Emacs automatically gets the
>      above list of permissions when it is installed.

Fine by me, I'll make this change.




* Re: Making default permissions on Android more restrictive
  2023-09-13 13:36     ` Po Lu
@ 2023-09-13 13:52       ` Stefan Kangas
  0 siblings, 0 replies; 10+ messages in thread
From: Stefan Kangas @ 2023-09-13 13:52 UTC (permalink / raw)
  To: Po Lu; +Cc: emacs-devel, Eli Zaretskii

Po Lu <luangruo@yahoo.com> writes:

> Fine by me, I'll make this change.

Thanks, LGTM.




* Re: Making default permissions on Android more restrictive
  2023-09-13 12:07 Making default permissions on Android more restrictive Stefan Kangas
  2023-09-13 12:34 ` Po Lu
@ 2023-09-14  7:21 ` Jean Louis
  1 sibling, 0 replies; 10+ messages in thread
From: Jean Louis @ 2023-09-14  7:21 UTC (permalink / raw)
  To: Stefan Kangas; +Cc: emacs-devel

* Stefan Kangas <stefankangas@gmail.com> [2023-09-13 15:10]:
> [I couldn't find any previous discussion about this.]
> 
> 1.
> 
> a) I don't see why Emacs should be asking for these permissions on
>    Android 5.1 and earlier:
> 
>     RECORD_AUDIO
>     CAMERA
>     ACCESS_COARSE_LOCATION
>     REQUEST_INSTALL_PACKAGES
>     REQUEST_DELETE_PACKAGES
>     READ_SMS
>     RECEIVE_SMS
>     SEND_SMS
>     WRITE_SMS
>     RECEIVE_MMS
>     READ_CONTACTS
>     WRITE_CONTACTS

I hope to see Emacs being able to use all of the permissions on Android.

> Are there any technical reasons why we need the above permissions?  If
> not, can we remove them, at least the ones in category (a) and (b)?

Emacs has Emacs Lisp; I use it for running programs, and Emacs on
Android will hopefully get functions to use the above permissions.

1. RECORD_AUDIO: Emacs could use this permission to enable voice commands or voice-controlled editing features within the editor.

2. CAMERA: Emacs could utilize the camera permission for functionalities such as capturing and inserting images directly into documents, visual recognition features, or scanning QR codes.

3. ACCESS_COARSE_LOCATION: Emacs could leverage this permission to provide location-based information or contextual features, such as displaying weather information or adjusting settings based on the user's location.

4. REQUEST_INSTALL_PACKAGES: Emacs may need this permission to facilitate the installation of additional packages or plugins from external sources to enhance its functionality.

5. REQUEST_DELETE_PACKAGES: This permission could be used by Emacs to uninstall packages or plugins when requested by the user.

6. READ_SMS, RECEIVE_SMS, SEND_SMS, WRITE_SMS, RECEIVE_MMS: Emacs could utilize these permissions to integrate SMS or MMS-based features, such as sending code snippets via SMS, receiving notifications or alerts through SMS, or extracting relevant information from received messages.

7. READ_CONTACTS, WRITE_CONTACTS: Emacs could use these permissions to access and modify the user's contact information, enabling features like autocomplete or inserting contact details into documents.

>     NFC
>     TRANSMIT_IR

1. NFC: Emacs could use the NFC permission to interact with Near Field Communication (NFC) tags or devices. For example, Emacs could read data from NFC tags containing programming instructions or use NFC for authentication purposes.

2. TRANSMIT_IR: Emacs could utilize the TRANSMIT_IR permission to control infrared (IR) devices. This could include using Emacs as a remote control for TVs, air conditioners, or other IR-enabled devices directly from within the editor.


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/




* Re: Making default permissions on Android more restrictive
@ 2023-09-15 17:40 Ant
  2023-09-16  0:53 ` Po Lu
  0 siblings, 1 reply; 10+ messages in thread
From: Ant @ 2023-09-15 17:40 UTC (permalink / raw)
  To: luangruo; +Cc: emacs-devel

 > I think that is too high a bar, given that Emacs must be recompiled
 > before it is capable of requesting permissions outside the set of
 > permissions enumerated within its manifest.  Which is to say, unless we
 > declare these permissions from the outset, such packages will _never_
 > have a fighting chance of supporting Android.

Are any of these permissions already usable without modifying the Emacs 
C/Java core?






* Re: Making default permissions on Android more restrictive
  2023-09-15 17:40 Ant
@ 2023-09-16  0:53 ` Po Lu
  0 siblings, 0 replies; 10+ messages in thread
From: Po Lu @ 2023-09-16  0:53 UTC (permalink / raw)
  To: Ant; +Cc: emacs-devel

Ant <n58r@pm.me> writes:

> Are any of these permissions already usable without modifying the Emacs
> C/Java core?

Any process running under Emacs's user is granted these permissions, so
yes.




end of thread, other threads:[~2023-09-16  0:53 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-13 12:07 Making default permissions on Android more restrictive Stefan Kangas
2023-09-13 12:34 ` Po Lu
2023-09-13 13:29   ` Stefan Kangas
2023-09-13 13:35     ` Po Lu
2023-09-13 13:31   ` Stefan Kangas
2023-09-13 13:36     ` Po Lu
2023-09-13 13:52       ` Stefan Kangas
2023-09-14  7:21 ` Jean Louis
  -- strict thread matches above, loose matches on Subject: below --
2023-09-15 17:40 Ant
2023-09-16  0:53 ` Po Lu
