SAB 5.0 - android.permission.READ_PHONE_STATE

When uploading a swedish app build with SAB 5.0 to Google Play, I get a warning that the app is using the android.permission.READ_PHONE_STATE. This seams to be new for SAB 5.0?

I also needed to update the secretes policy about what data is collected, not sure on what to include here. Why is the app reading the Phone State?

Anyone that have had the same issue?
Does anyone have a link to a secretes policy for a SAB app that can be used as a template?

When you followed through this thread: Google Play Ban - Privacy Policy Violation did it have enough information for you in relation to the policy? says in section Key changes that affect apps when targetSdkVersion is set to 28.:
Removal of direct access to Build.serial
Apps needing the Build.serial identifier must now request the READ_PHONE_STATE permission and then use the new Build.getSerial() method added in Android 9.

This gets technical and may relate to increased security in Android 9.

Are you using analytics?

Thanks for the links and the technical details, it is good to know the reason for the usage of READ_PHONE_STATE permission.

I’m not using analytic, but I had to add link to a policy page on the translations website that states that no data is collected in the app. This seams to allow me to upload the apk file and publish the app in the Google Play console. Right now the app is in Beta testing, but so far it looks good.

Link to the Kärnbibeln App on Google Play

Here is some more information about this issue:

  1. The Android READ_PHONE_STATE permission is needed to access the IMEI or serial number of a phone or tablet.

  2. But this will only be needed if you are using one of the restricted user modes (see App > Security) in the builder, where you can choose to restrict the use of the app to certain devices. Otherwise, if you have chosen “Allow anyone to install and use this app”, no IMEI check will be made.

  3. No IMEI or serial number information is used when sending Analytics.

  4. It looks as if Google Play is flagging up this issue because it finds some code in the app asking for the IMEI - but it does not realise that your app does not actually run this part of the code.

It would be better if the lines of IMEI checking code are omitted when your app will not call them - so as to not confuse Google’s checking program. I will make a note of this as something to look at for a future release. In the meantime, you will need to supply a privacy policy and state clearly that your app does not collect any sensitive user information.

I’m using SAB 5.1. I created a new release of a Scripture app and now get the warning that the app requires the READ_PHONE_STATE permission. Previous versions didn’t require it. I have chosen “Allow anyone to install and use this app.” When someone tries to install this app, they will have to give it permission “to determine the phone number and device IDs, whether a call is active and the remote number connected by a call.” !! In the area where I am distributing the app, this would be a huge red flag, and it’s very possible the person would choose not to install it. (I wouldn’t install it.) I think this issue needs to be fixed.

Did you first use one of the restricted modes before making it Allow anyone?

No, I’ve always used the “allow anyone” option. There are some work-arounds I’ve found on Google, but I’m not ready to jump in and try any of them–a bit risky in my opinion. If I have to go back to a previous release of SAB, I will. But that might not solve the problem.

I’d like to see your .appdef file to see what is in that. Though if you never changed the restriction that is unlikely. You can send it in a Private Message. Click on my icon and select message.

It says I’m not allowed to send a personal message to you. Also, when I tried to upload the file into the message, it wouldn’t accept the .appdef format. Is there another way I can send the file?

Just thought I’d put it out there that I’ve had this same problem as well. There’s no reason that these requirements should be in the app, but they are. I’ve never even messed with the security page, except to ‘Compress and encrypt data in the app’.

Has this been fixed? I noticed that it says in the Release Notes of SAB 5.2:

Separated out code for security modes requiring access to the device IMEI number into a separate library. The code will only be included in the app if it needs to be.

I don’t have a way to test this. We need someone who has the problem and put their app in the PlayStore to say if it has disappeared in 5.2

I think we have discovered why this is happening. The additional permission is being inserted during the build process. It has been fixed for the next version, to be released in the next few days.

1 Like

Hi - I’ve just rebuilt my app in 5.2 and have the same problem :frowning:
I’d rather not have to deal with a privacy policy so I’ll not launch my update for now.
Thanks for working on this.

Hi Phil, please try in SAB 5.3, released today.

Thanks Richard! That works fine now - well done for tracking that down!

1 Like

Thanks for letting us know.