Why does Firebase add Cloud Messaging Permissions to the Manifest even though I don't use FCM?


Steffen Mayer

Jun 1, 2016, 9:03:04 AM
to Firebase Google Group
Hi,

I'm using:

compile 'com.google.firebase:firebase-core:9.0.1'
compile 'com.google.firebase:firebase-ads:9.0.1'
compile "com.google.firebase:firebase-database:9.0.1"
compile 'com.google.firebase:firebase-auth:9.0.1'
compile 'com.google.firebase:firebase-invites:9.0.1'

Which require the following new permissions:
android.permission.WAKE_LOCK, com.google.android.c2dm.permission.RECEIVE and my.package.permission.C2D_MESSAGE

I don't use Cloud Messaging or any other feature I can think of which would rely on those permissions so I removed them via:

<uses-permission
    android:name="android.permission.WAKE_LOCK"
    tools:node="remove" />
<uses-permission
    android:name="com.google.android.c2dm.permission.RECEIVE"
    tools:node="remove" />
<uses-permission
    android:name="my.package.permission.C2D_MESSAGE"
    tools:node="remove" />

Now everything still seems to be working as it should.

Is it really safe to remove those permissions in my case?

Best regards,
Steffen

Doug Stevenson

Jun 1, 2016, 9:39:32 PM
to Firebase Google Group
Steffen,

I agree.  Those two messaging permissions do not belong in an app that doesn't use them.  I'm going to open a bug report on that internally.  Feel free to force them out of your build.

However, the wake lock permission still applies since it's used by Firebase Analytics.  That component is active by default for Android apps, so don't remove that.

Doug

b0b

Jun 2, 2016, 10:34:35 AM
to Firebase Google Group
Isn't WAKE_LOCK only necessary if Google Play Services is not available?

Doug Stevenson

Jun 2, 2016, 11:45:51 AM
to fireba...@googlegroups.com
I was told directly by the tech lead for Analytics that the wake lock permission is required for that component.

On Thu, Jun 2, 2016 at 4:10 AM, b0b <pujos....@gmail.com> wrote:
Isn't WAKE_LOCK only necessary if Google Play Services is not available ?

--
You received this message because you are subscribed to a topic in the Google Groups "Firebase Google Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/firebase-talk/CXgecSxgsRE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/60e5a71d-c38d-4cdb-bb01-2d6db38efc2a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Steffen Mayer

Jun 2, 2016, 12:12:37 PM
to Firebase Google Group
Hi Doug,

Thanks for your reply.

I already have a Firebase App up and running without FCM and WAKE_LOCK permissions.
(Btw. Google Analytics also didn't need that permission.)

The Analytics seems to be running fine and reporting everything to my Firebase Console.

Can you tell me which feature of Firebase Analytics relies on WAKE_LOCK?

Best regards,
Steffen

Doug Stevenson

Jun 2, 2016, 2:17:17 PM
to fireba...@googlegroups.com
Steffen,

Without wake locks in Analytics, you run the risk of losing data in the face of Android killing off your app's process before it's able to transmit collected data.  You won't be able to measure this loss or even know that it happened, but you will notice it if you're looking carefully.

Doug

Doug Stevenson

Jun 3, 2016, 5:02:07 PM
to Firebase Google Group
So, it turns out that those other permissions that appear to be only relevant for messaging are actually used indirectly by analytics and other Firebase components.  The reason is that they need to generate secure tokens that need to be rotated periodically.  This is handled by the instance ID library, which you can read about here: https://developers.google.com/instance-id/

Doug

Steffen Mayer

Jun 3, 2016, 6:07:55 PM
to Firebase Google Group
Thanks for the additional info Doug!

If I understood you correctly I can remove those other two permissions (RECEIVE and C2D_MESSAGE) if I don't want to use cloud messaging.

But your link says that one of the key features of instance ID is to provide unique IDs for authentication.

So I guess that Firebase Authentication and Database don't rely on that instance ID for user authentication (with Google Sign-In), is that right?

Steffen

Doug Stevenson

Jun 3, 2016, 6:16:42 PM
to fireba...@googlegroups.com
The team here is recommending that you treat those permissions as an implementation detail (that is, you don't really need to know about them, but they are important for making sure Firebase components work correctly).  I'm told that Analytics, Crash Reporting, and Remote Config all make use of these tokens today.  Since they are seen internally as an implementation detail that we control, we don't recommend changing the default behavior, because we may expect those permissions to be present for other reasons in the future.

If you're having active problems with those permissions being present, that's something we definitely need to know.  Otherwise, I would suggest leaving them alone.

Doug


Steffen Mayer

Jun 3, 2016, 6:29:42 PM
to Firebase Google Group
I'm asking because I already have an app in production with the mentioned Firebase SDKs and the removed permissions.

Now I wonder if I should immediately update the app again to allow those permissions or if it's safe to wait for my next regular app update in the next few days. (Without risking my Firebase Auth/Database setup to fail.) 

Steffen

Doug Stevenson

Jun 3, 2016, 9:09:38 PM
to fireba...@googlegroups.com
Well, if you're using Firebase Auth, you should be upgrading to today's 9.0.2 client library release ASAP because 9.0.1 had a fairly significant problem.  We were actually recommending people hold off on publishing apps with auth until the problems were fixed. https://developers.google.com/android/guides/releases

I don't know offhand if the missing permissions are going to cause you problems, but it sounds like if it's been working OK so far, a couple days may not be a problem.  I'd still be more concerned about the auth problem.

Doug

Jeremy Reynaud

Jun 8, 2016, 10:19:34 AM
to Firebase Google Group
Hi Doug, thanks for this information.
As an Admob / Google Analytics user I've been recently invited to transition to Firebase.
At this time I do not use other Firebase features. I always try to limit required permissions and adding 3 new ones for the same analytic features can be a big deal for existing and new users...

I put an app in production for more than a week now with removed permissions and I do not have any (visible) issue for now.
So far I can tell I only experienced some app crashes (sorry I didn't keep the logs) with old google play services versions (linked to firebase and missing com.google.android.c2dm.permission.RECEIVE permission).
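
The thread ends with the recommendation to leave the merged permissions in place, so a build-time check that flags manifest overrides stripping them can catch the situation described above. This is an added example, not code from any poster or from Firebase; the function names are hypothetical, the sample manifest is constructed, and the permission list is the one named in the first post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"

# Constructed sample app manifest mirroring the overrides from the first post.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="my.package">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WAKE_LOCK"
        tools:node="remove" />
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"
        tools:node="remove" />
    <uses-permission android:name="${applicationId}.permission.C2D_MESSAGE"
        tools:node="remove" />
</manifest>
"""


def firebase_permissions(package):
    """Permissions the thread reports Firebase 9.0.x merging into the app."""
    return {
        "android.permission.WAKE_LOCK",
        "com.google.android.c2dm.permission.RECEIVE",
        f"{package}.permission.C2D_MESSAGE",
    }


def stripped_permissions(manifest_xml):
    """Return the Firebase permissions the app manifest removes at merge time."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")  # assumes the manifest declares package
    wanted = firebase_permissions(package)
    removed = set()
    for el in root.iter("uses-permission"):
        node = el.get(f"{{{TOOLS_NS}}}node")
        # Gradle substitutes ${applicationId}; resolve it the same way here.
        name = el.get(f"{{{ANDROID_NS}}}name", "").replace("${applicationId}", package)
        if node == "removeAll":  # drops every merged uses-permission element
            removed |= wanted
        elif node == "remove" and name in wanted:
            removed.add(name)
    return sorted(removed)


if __name__ == "__main__":
    for perm in stripped_permissions(SAMPLE_MANIFEST):
        print(f"WARNING: manifest override removes {perm}")
```
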