set permission GET_ACCOUNTS required only upto android 5.1

[parneet-guraya]

App showed permission Contact which we never ask and the app do not even have the use of it. This PR aims to fix that.

Fixes #4740

What changes did you make and why?

Issue:

We had Contacts permission showing in the permission settings our app. Though we don't ask it at runtime but still it is sensitive permission and could be concerning for user.

We don't have this permission defined in the manifest but it still shows why? because android maps permissions to their permission-group. So, every permission comes under a defined permission group. Now, in the settings page of applications android shows the permission by their group's name.

We can check what permissions comes under a certain group using getPlatformPermissionsForGroup() . You can see below the permission we defined in our manifest android.permission.GET_ACCOUNTS was the reason we had this Contacts group showing in settings.

Solution:

We know the reason is this android.permission.GET_ACCOUNTS permission. Fortunately there's an easy fix. In the docs of this permission there's a note

Note: Beginning with Android 6.0 (API level 23), if an app shares the signature of the authenticator that manages an account, it does not need "GET_ACCOUNTS" permission to read information about that account. On Android 5.1 and lower, all apps need "GET_ACCOUNTS" permission to read information about any account.

Since, our authenticator implementation is only for our own defined account (wikimedia) so they share the same signature with the app itself. That means we have full control over an account (onwards Android 6) without the need for permission as long as signature is same.

Permission is only required below Android 5.1. That is why I set the permission to be used on Android 5.1 and below. Now, we won't see Contacts permission in these versions because permission are only categorized by groups from Android 6 onwards.

link

It's important to understand that revoking a single permission may not be reflected in the settings UI, which treats permissions by group.

So, we see something like this on Android 5.1 and below.

Also, it should be noted that we were not asking permission at runtime anyways. This also shows that application runs fine without this permission. On Android 5.1 and below there was no concept of runtime permission but they were granted while installation so we didn't see any crashes due to permission not being granted. We can safely remove this permission onwards Android 6

Tests performed (required)

Tested: Login, Logout works fine.

Emulator (Android 5.1 & 5) (permission required)

Emulator (Android 7.1, 13, 14) (without permission)
Oneplus 9RT 5G (Android 14)

[nicolas-raoul]

Very elegant change and great explanation in the pull request description!

For readability by future developers, would you mind adding an XML comment after android:maxSdkVersion="22"/> saying something like <!-- Permission needed up to Android 5.1, see https://github.com/commons-app/apps-android-commons/pull/5863 -->

Thanks a lot!

[parneet-guraya]

@nicolas-raoul , I added the requested change 👍 . Also, thanks, appreciate your kind words. I try to do my best work to my best abilities :)

[nicolas-raoul]

Sorry I did not realize that the comment would not fit on the same line.
In that case, would you mind moving the comment line to just above the <uses-permission android:name="android.permission.GET_ACCOUNTS" line?
Thanks a lot!

[parneet-guraya]

Done 👍