Permissions for Android

Permissions for Android – REL-ID SDK

The REL-ID API SDK and Mobile Threat Detection (MTD) modules require a predefined set of Android permissions to operate securely and effectively. These permissions are already embedded in the SDK’s internal AndroidManifest.xml, and developers should not declare them again unless modifying behavior or removing unused features like MTD.


✅ Permission Declarations

<!-- 🔁 Common permissions required for both API SDK and MTD module -->
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>

<!-- 🔐 API SDK module specific permissions -->
<uses-permission android:name="android.permission.READ_PHONE_STATE"
                 android:maxSdkVersion="28"/>
<uses-permission android:name="android.permission.BLUETOOTH"/>

<!-- 🚨 MTD module-specific permission -->
<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>

⚠️ These permissions are already included inside the SDK’s manifest. Developers do not need to declare them again in the app-level manifest.

🚫 Do not remove any of these permissions unless explicitly disabling MTD features; doing so may impact device fingerprinting and threat detection capabilities.


📂 Permission Categories

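| Type | Permission | Requires Runtime Consent? | Module Used By |
|---|---|---|---|
| Normal | INTERNET | ❌ No | API SDK, MTD |
| Normal | ACCESS_NETWORK_STATE | ❌ No | API SDK, MTD |
| Normal | ACCESS_WIFI_STATE | ❌ No | API SDK, MTD |
| Normal | BLUETOOTH | ❌ No | API SDK |
| Normal | QUERY_ALL_PACKAGES | ❌ No | MTD |
| Runtime | ACCESS_FINE_LOCATION | ✅ Yes | API SDK, MTD |
| Runtime | ACCESS_COARSE_LOCATION | ✅ Yes | API SDK, MTD |
| Runtime | READ_PHONE_STATE (≤ SDK 28 only) | ✅ Yes | API SDK |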

📌 Detailed Permission Impact

🔧 API SDK

  • READ_PHONE_STATE
    Required for obtaining unique device identifiers. Helps in session tracking and binding identity to the device.

  • BLUETOOTH
    Used for passive device fingerprinting, not for active BLE operations.

🔐 Mobile Threat Detection (MTD)

  • INTERNET
    Required to communicate with REL-ID Gateway and fetch threat policies.

  • ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE
    Used to detect network threats (e.g., MITM, captive portal, proxy injection). Without these, network-based threat detection is degraded.

  • QUERY_ALL_PACKAGES
    Allows the SDK to scan the list of installed apps and detect malware, repackaged apps, and those installed from unknown sources. ➤ Note: This permission must be justified in your Play Store submission if publishing to production.

  • ACCESS_FINE_LOCATION/ACCESS_COARSE_LOCATION
    Required to read SSID/BSSID of the connected WiFi for location-bound risk detection. ➤ User Consent Required: Android shows a dialog box, and developers must handle runtime permission request logic. If denied, WiFi/router-based threat detection will be non-functional.


⚠️ Removing Permissions (Optional for MTD)

If your application does not use MTD functionality, you may remove the associated permissions in your app-level AndroidManifest.xml using tools:node="remove":

<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"
                 tools:node="remove"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
                 tools:node="remove"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"
                 tools:node="remove"/>

📝 Be sure to include xmlns:tools="http://schemas.android.com/tools" in the <manifest> tag.


📝 Notes on READ_PHONE_STATE for Android 10 and Above

The READ_PHONE_STATE permission will no longer appear on Android 10 (API level 29) and above by default due to the android:maxSdkVersion="28" setting.

If your app needs to use its own version of the READ_PHONE_STATE permission, you can override the SDK-provided setting using merge rules in your app’s AndroidManifest.xml.

✅ Option 1: Use app’s permission with maxSdkVersion

<uses-permission android:name="android.permission.READ_PHONE_STATE"
                 tools:replace="android:maxSdkVersion"
                 android:maxSdkVersion="30"/>

✅ Option 2: Use app’s permission without maxSdkVersion

<uses-permission android:name="android.permission.READ_PHONE_STATE"
                 tools:remove="android:maxSdkVersion"/>
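
An added example, not part of the REL-ID documentation or SDK: a Python check that reads the merged AndroidManifest.xml produced by the build and reports permissions that contradict the configuration chosen above (MTD permissions still present after tools:node="remove", or a READ_PHONE_STATE maxSdkVersion other than the intended one). The function names, the mtd_enabled flag and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Permissions the page says may be removed when MTD is not used.
MTD_REMOVABLE = {P + "QUERY_ALL_PACKAGES", P + "ACCESS_FINE_LOCATION",
                 P + "ACCESS_COARSE_LOCATION"}
# Permissions the page lists under Mobile Threat Detection.
MTD_NEEDED = MTD_REMOVABLE | {P + "INTERNET", P + "ACCESS_NETWORK_STATE",
                              P + "ACCESS_WIFI_STATE"}

def declared_permissions(manifest_xml):
    """Return {permission name: maxSdkVersion or None} from a merged manifest."""
    perms = {}
    for el in ET.fromstring(manifest_xml).iter("uses-permission"):
        cap = el.get(ANDROID + "maxSdkVersion")
        perms[el.get(ANDROID + "name")] = int(cap) if cap else None
    return perms

def audit(manifest_xml, mtd_enabled, phone_state_max_sdk=28):
    """Return findings; phone_state_max_sdk=None means no cap is expected."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if mtd_enabled:
        for name in sorted(MTD_NEEDED - set(perms)):
            findings.append(f"missing {name}: needed by MTD")
    else:
        for name in sorted(MTD_REMOVABLE & set(perms)):
            findings.append(f'unexpected {name}: tools:node="remove" did not apply')
    rps = P + "READ_PHONE_STATE"
    if rps not in perms:
        findings.append(f"missing {rps}")
    elif perms[rps] != phone_state_max_sdk:
        findings.append(f"{rps}: maxSdkVersion={perms[rps]}, expected {phone_state_max_sdk}")
    return findings

# Constructed merged manifest: location removed, QUERY_ALL_PACKAGES left behind.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE" android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, mtd_enabled=False):
        print(finding)
```

Pass phone_state_max_sdk=30 when Option 1 is in use and phone_state_max_sdk=None when Option 2 is in use, so a merge rule that silently failed shows up as a finding.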

Google Play Console Compliance

Since QUERY_ALL_PACKAGES is considered a high-risk permission by Google, its usage must be justified during app submission:

✅ Recommended Use Case Justification (for REL-ID MTD)
“The app uses QUERY_ALL_PACKAGES to perform mobile threat detection and application threat analysis to secure user identity and prevent fraud. It detects known malware, repackaged apps, and apps from untrusted sources to protect identity-related workflows.”

📤 Where to provide this:
In your Play Console submission form, under the section for Permissions Declaration.

Clearly state that your app uses this permission for security or fraud prevention purposes under an approved use case.