[Bug]: Use of OneSignal SDK without adding Android and iOS Location Permission #803
Description
What happened?
We have an issue with our flutter app which uses the OneSignal Flutter SDK 5.0.4 and the handling of the location permission.
We have built a kids app and using the OneSignal SDK only for push messages.
We don't use any location services in our app but after adding the OneSignal SDK the merged AndroidManifest.xml contains this line (among other added permissions):
<uses-permission
android:name="android.permission.ACCESS_COARSE_LOCATION" />
Our app is now rejected from Google and Apple, since we have our app targeted for kids and the store guidelines for this group prohibits the tracking of geolocation.
Google for example states now:
'You have declared that your app targets under 13 age groups, but your app asks for location permissions.'
Apple informs us about a missing purpose string in Info.plist:
The Info.plist file for the “Runner.app” bundle should contain a NSLocationWhenInUseUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. If you’re using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required.
Would it be possible to adapt the Flutter SDK, so we as flutter developer can disable the 'ACCESS_COARSE_LOCATION' permission for Android and the permission for iOS ?
This problem is also noted in these issues:
OneSignal/OneSignal-Android-SDK#1875
OneSignal/OneSignal-Unity-SDK#670
We understand that the product feature "Send push messages depending on location" is to be introduced or distributed at OneSignal, but every customer should be able to use this feature for themselves or not. As we understand it, it is an optional feature - but here it is mandatory for all developers, regardless of whether they want to use the above-mentioned feature or not.
In Europe, this is "critical", as it implicitly allows the person to be tracked, which is a clear problem in connection with the legal regulations (GDPR) - not to mention when it comes to the store requirements for children's apps!
Many thanks,
Peter
Steps to reproduce?
1. Add OneSignal Flutter SDK to pubspec.yaml
2. Don't add any location permissions to \android\app\src\main\AndroidManifest.xml
3. Build the app
4. Check the merged AndroidManifest.xml in the apkWhat did you expect to happen?
When adding the SDK and not using any location permissions in Android and iOS, no location permission should be added by the SDK,
OneSignal Flutter SDK version
Release 5.0.4
Which platform(s) are affected?
- iOS
- Android
Relevant log output
# The initial AndroidManifest.xml (Permission extract) with and without adding the OneSignal SDK:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.dierotenbullen.kidsapp">
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
</manifest>
# The merged AndroidManifest.xml without OneSignal SDK (Permission part):
<manifest
xmlns:android="http://schemas.android.com/apk/res/android"
android:versionCode="231207095"
android:versionName="1.2.0"
android:compileSdkVersion="34"
android:compileSdkVersionCodename="14"
package="com.dierotenbullen.kidsapp"
platformBuildVersionCode="34"
platformBuildVersionName="14">
<uses-sdk
android:minSdkVersion="29"
android:targetSdkVersion="33" />
<uses-permission
android:name="android.permission.INTERNET" />
<uses-permission
android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission
android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission
android:name="android.permission.READ_MEDIA_IMAGES" />
<uses-permission
android:name="android.permission.FOREGROUND_SERVICE" />
<queries>
<intent>
<action
android:name="android.support.customtabs.action.CustomTabsService" />
</intent>
</queries>
<uses-permission
android:name="android.permission.CAMERA" />
<uses-feature
android:name="android.hardware.camera"
android:required="false" />
<uses-permission
android:name="android.permission.RECORD_AUDIO" />
<uses-permission
android:name="android.permission.USE_BIOMETRIC" />
<uses-permission
android:name="android.permission.USE_FINGERPRINT" />
<uses-permission
android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission
android:name="android.permission.WAKE_LOCK" />
</manifest>
# The merged AndroidManifest.xml with OneSignal SDK (Permission part):
<manifest
xmlns:android="http://schemas.android.com/apk/res/android"
android:versionCode="231207095"
android:versionName="1.2.0"
android:compileSdkVersion="34"
android:compileSdkVersionCodename="14"
package="com.dierotenbullen.kidsapp"
platformBuildVersionCode="34"
platformBuildVersionName="14">
<uses-sdk
android:minSdkVersion="29"
android:targetSdkVersion="33" />
<uses-permission
android:name="android.permission.INTERNET" />
<uses-permission
android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission
android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission
android:name="android.permission.READ_MEDIA_IMAGES" />
<uses-permission
android:name="android.permission.FOREGROUND_SERVICE" />
<queries>
<intent>
<action
android:name="android.support.customtabs.action.CustomTabsService" />
</intent>
</queries>
<uses-permission
android:name="android.permission.CAMERA" />
<uses-feature
android:name="android.hardware.camera"
android:required="false" />
<uses-permission
android:name="android.permission.RECORD_AUDIO" />
<uses-permission
android:name="android.permission.USE_BIOMETRIC" />
<uses-permission
android:name="android.permission.USE_FINGERPRINT" />
<uses-permission
android:name="android.permission.WAKE_LOCK" />
<uses-permission
android:name="android.permission.POST_NOTIFICATIONS" />
<uses-permission
android:name="com.google.android.c2dm.permission.RECEIVE" />
<uses-permission
android:name="android.permission.VIBRATE" />
<uses-permission
android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission
android:name="com.sec.android.provider.badge.permission.READ" />
<uses-permission
android:name="com.sec.android.provider.badge.permission.WRITE" />
<uses-permission
android:name="com.htc.launcher.permission.READ_SETTINGS" />
<uses-permission
android:name="com.htc.launcher.permission.UPDATE_SHORTCUT" />
<uses-permission
android:name="com.sonyericsson.home.permission.BROADCAST_BADGE" />
<uses-permission
android:name="com.sonymobile.home.permission.PROVIDER_INSERT_BADGE" />
<uses-permission
android:name="com.anddoes.launcher.permission.UPDATE_COUNT" />
<uses-permission
android:name="com.majeur.launcher.permission.UPDATE_BADGE" />
<uses-permission
android:name="com.huawei.android.launcher.permission.CHANGE_BADGE" />
<uses-permission
android:name="com.huawei.android.launcher.permission.READ_SETTINGS" />
<uses-permission
android:name="com.huawei.android.launcher.permission.WRITE_SETTINGS" />
<uses-permission
android:name="android.permission.READ_APP_BADGE" />
<uses-permission
android:name="com.oppo.launcher.permission.READ_SETTINGS" />
<uses-permission
android:name="com.oppo.launcher.permission.WRITE_SETTINGS" />
<uses-permission
android:name="me.everything.badger.permission.BADGE_COUNT_READ" />
<uses-permission
android:name="me.everything.badger.permission.BADGE_COUNT_WRITE" />
<uses-permission
android:name="android.permission.ACCESS_COARSE_LOCATION" />
</manifest>Code of Conduct
- I agree to follow this project's Code of Conduct