I am writing an Android App and I need to request an Auth token from the account. Getting the list of accounts and the token is easy, I have that working so far.
The problem is that Jelly Bean opens a popup, asking for the user's permission. Now my question(s):
1. What are the rules for the popup dialog to appear? I had that happen once, for the first time after I updated my device to Android 4.1. It seems to happen randomly: installing and uninstalling the app, I was not able to reproduce the situation where this popup comes back.
2. Is there any way to reset it without doing a factory reset? I need to reproduce this for testing for question 3.
3. Is there a way to find out if the popup will appear before requesting the authtoken and i.e. wait until it's not required anymore (i.e., if the user has the app in question installed but never used, or if the authtoken is expired?) and request it then?
I know that most Android users are very inexperienced and may get scared by some permission requests and I'd like to avoid requesting authtoken when it would trigger this user popup.
I tried to revoke access to an App Engine project of mine and I was able to revoke the permission by going to the Google accounts settings page. There you can revoke access from the Android login service. After that I had to remove the Google account from my phone and add it back. If you start your app again you should see the permission dialog again.
Resetting/revoking the permission generally depends on the type of token. There are two sides to this: revoking the token on the server side using your Google profile page and revoking the permission for your app to use this type of token (on Android). For the server side you can revoke OAuth and AuthSub tokens, but not ClientLogin tokens. Go to https://www.google.com/settings/security and click the 'Edit' button in the 'Authorizing applications and sites' section. For revoking the on-device permission, uninstalling your app should reset it (it removes an entry in a system database when your package is uninstalled). Apparently this doesn't work properly on some devices, but it should work. The dialog will only appear when you try to use a token, so it shouldn't appear before you request it. You should handle expiry in your app (i.e., request a fresh token), but this won't show a permission dialog.
I'm creating an application which is going to be active for the first 30 days, and after that the user should get automatically logged out from the application itself (as the user's account will be deactivated), or is there any workaround for the same, because I can disable accounts from the Firebase Console but that doesn't affect any user if they remain logged in.
Mainly I wanted this for Android Studio, I can do the required method through Firebase Database itself but just wanted to know if there is any alternate method available.
If you are asking how to disable a Firebase Authentication user account, that's not possible from within web or mobile application code. You can instead write backend code using the Firebase Admin SDK.
You can disable the account by updating the user and setting the disabled flag to true. Or you can delete the account entirely if you are done with it.
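The backend step described in the answer above, as an added example that is not part of the original posts: a sweep that pages through users and sets the disabled flag on accounts older than the trial period. It assumes `auth` is the object returned by `getAuth()` in the Node.js Firebase Admin SDK; `TRIAL_DAYS`, the two function names and the sample records are hypothetical.

```javascript
// Added example: trial-expiry sweep for the Firebase Admin SDK (Node.js).
// `auth` is assumed to come from getAuth() in 'firebase-admin/auth';
// TRIAL_DAYS and both function names are hypothetical.
const TRIAL_DAYS = 30;
const DAY_MS = 24 * 60 * 60 * 1000;

// Pure selection step: which records are past the trial and still enabled?
// Each record has the UserRecord shape: uid, disabled, metadata.creationTime.
function selectExpired(users, nowMs, trialDays = TRIAL_DAYS) {
  return users
    .filter((u) => !u.disabled)
    .filter((u) => {
      const created = Date.parse(u.metadata.creationTime);
      // Skip records with an unparseable timestamp rather than disabling them.
      return Number.isFinite(created) && nowMs - created >= trialDays * DAY_MS;
    })
    .map((u) => u.uid);
}

// Backend step: page through all users and set disabled=true on expired ones.
async function disableExpiredUsers(auth, nowMs = Date.now()) {
  const disabled = [];
  let pageToken;
  do {
    const page = await auth.listUsers(1000, pageToken);
    for (const uid of selectExpired(page.users, nowMs)) {
      await auth.updateUser(uid, { disabled: true });
      disabled.push(uid);
    }
    pageToken = page.pageToken; // undefined once the last page is reached
  } while (pageToken);
  return disabled;
}

// Constructed sample records (not real accounts).
const SAMPLE_USERS = [
  { uid: 'u-old', disabled: false, metadata: { creationTime: 'Mon, 01 Jan 2024 00:00:00 GMT' } },
  { uid: 'u-new', disabled: false, metadata: { creationTime: 'Fri, 01 Mar 2024 00:00:00 GMT' } },
  { uid: 'u-off', disabled: true, metadata: { creationTime: 'Mon, 01 Jan 2024 00:00:00 GMT' } },
];
const SAMPLE_NOW = Date.parse('Fri, 15 Mar 2024 00:00:00 GMT');
```

A disabled account can no longer sign in or refresh its token, but an ID token the client already holds stays valid until it expires, so server-side checks should not rely on the client logging itself out.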
I am trying to implement app links into my app to make sure that other malicious apps cannot register for my URL.
I read the guide on app links here https://developer.android.com/training/app-links/verify-site-associations.html and I have mostly understood it. But one thing which is not clear to me is how can I prevent malicious apps from receiving my domain links if my app is not installed.
Consider this scenario.
1. My app is not installed on the user's device
2. Some malicious app is and it knows the URL that my app handles
Wouldn't this launch the malicious app and it can intercept my URL if the user selects that app from the disambiguation dialog? Is there any way to prevent it?
I understand that android:autoVerify="true" will trigger the domain verification when the app is installed, but what if the app is not installed?
Whether the user has the app installed or not, the "illegal" app won't be able to handle your links since it has no access to your domain in order to save the needed JSON file there. Am I clear?
There is a JSON file that is required during App Link configuration, that has to be uploaded to your server (that includes your app ID), through which your web-app basically says to the Android OS 'this is my counterpart on Android devices, I authorise it to handle these URLs'. Since app IDs are unique, there is no way another app can meet those conditions.
To quote the docs:
An Android App Link is a deep link based on your website URL that has
been verified to belong to your website.
So, although an app may register an <intent-filter> it ALSO has to be verified by the website whose URL it's trying to handle. And this happens on the server, so, out of the reach of a mobile client.
See also HERE for a more detailed explanation.
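The association check the answers above describe, as an added example that is not part of the original posts: it evaluates the statement list a site serves at /.well-known/assetlinks.json and reports whether a given package name and signing-certificate fingerprint is authorized to handle the site's URLs. The function name, package names and fingerprints are constructed for illustration.

```javascript
// Added example: evaluate a Digital Asset Links statement list
// (the JSON file served at /.well-known/assetlinks.json).
const HANDLE_ALL_URLS = 'delegate_permission/common.handle_all_urls';

// Normalize a SHA-256 certificate fingerprint: uppercase hex, no separators.
const normFp = (fp) => String(fp).replace(/[^0-9a-fA-F]/g, '').toUpperCase();

// True only if some statement grants handle_all_urls to exactly this
// package name AND this signing certificate. Fails closed on bad input.
function isAppAuthorized(assetLinksJson, packageName, certFingerprint) {
  let statements;
  try {
    statements = JSON.parse(assetLinksJson);
  } catch (e) {
    return false; // malformed file: no app is verified
  }
  if (!Array.isArray(statements)) return false;
  const wanted = normFp(certFingerprint);
  if (wanted.length !== 64) return false; // not a SHA-256 digest
  return statements.some((s) => {
    const t = s && s.target;
    return Boolean(
      s && Array.isArray(s.relation) && s.relation.includes(HANDLE_ALL_URLS) &&
      t && t.namespace === 'android_app' &&
      t.package_name === packageName &&
      Array.isArray(t.sha256_cert_fingerprints) &&
      t.sha256_cert_fingerprints.some((fp) => normFp(fp) === wanted)
    );
  });
}

// Constructed fingerprints and statement list (not real certificates).
const OWNER_FP = Array(32).fill('AB').join(':');
const OTHER_FP = Array(32).fill('CD').join(':');
const SAMPLE_ASSETLINKS = JSON.stringify([
  {
    relation: [HANDLE_ALL_URLS],
    target: {
      namespace: 'android_app',
      package_name: 'com.example.owner',
      sha256_cert_fingerprints: [OWNER_FP],
    },
  },
]);
```

An app that copies the package name but is signed with a different key fails the check, because the statement binds the package name and the certificate fingerprint together.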
I just migrated one of my apps from Google Plus signin to Google Signin and updated some achievements code, as I was using deprecated methods and Google Plus is disappearing.
To my surprise, the permissions dialog that shows up when a user signs in to Google Games has changed in a scary way:
Before, it said the app could:
View your language preferences
View your age range
Share your Google+ profile information and view and manage your game activity
View your basic profile info
With the new version, it just says:
Create, edit, and delete your Google Play Games activity
Does anyone know where this is coming from?
In the process of migrating libraries (I also installed Firebase analytics), some new API keys were automatically created in my Google APIs dashboard, and an additional OAuth 2.0 client ID. There, under "OAuth consent screen" I can see many scopes my app is supposedly using that look unnecessary to me:
../auth/plus.circles.members.read
../auth/plus.login
../auth/plus.profile.agerange.read
profile
../auth/drive.appdata
openid
../auth/plus.login
../auth/plus.profile.agerange.read
../auth/plus.profile.language.read
../auth/games
../auth/games_lite
../auth/plus.moments.write
Can I delete the ones that I don't think I need? Will this remove the scary warning?
One of the other apps I have not yet updated shows fewer scopes (still more than I need):
../auth/plus.circles.members.read
profile
openid
../auth/plus.login
../auth/plus.profile.agerange.read
../auth/plus.profile.language.read
../auth/games
../auth/plus.moments.write
Thanks
Edit: From what I've found out so far, the auth screen depends on the way you create the client used to sign in, and I think I'm using a pretty standard way:
mGoogleSignInClient = GoogleSignIn.getClient(this,
new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_GAMES_SIGN_IN).build());
Edit 2: I went to my API console, restricted the uses and scopes of my app, resubmitted my OAuth screen for approval, GOT IT APPROVED... and the Android app keeps showing the scary auth screen.
I also contacted Google for help from the Play Dev Console. Received no reply.
I'm just following Google's advice. As stated here,
// This way you won’t get a consent screen
GoogleSignInOptions signInOption = GoogleSignInOptions.DEFAULT_GAMES_SIGN_IN;
https://developers.google.com/games/services/checklist
Edit 3:
After I got my simplified OAuth screen approved, Firebase created new API keys on its own, so I'm guessing it doesn't like the changes I made manually. I am also getting non-fatal crash reports from users rejecting the app permissions (error 12501) after trying to access the achievements screen. Google has not responded at all.
I've faced the same problem and got it fixed using
GoogleSignInOptions.DEFAULT_SIGN_IN
instead of GoogleSignInOptions.DEFAULT_GAMES_SIGN_IN
I have integrated the Facebook SDK in my Android app for sharing functionality, and as per the Facebook guideline it asks for permissions before sharing anything if the user hasn't granted them before.
So, is there any way to remove that permissions dialog, or can it be handled in the background without showing it over my Android app?
Note: for the FB SDK integration I am not using the webview dialog or the FB dialog; I have implemented my own dialog view for sharing and I am sharing with the installed native FB app.
I'm fairly certain it's against the Facebook policy to post on the user's behalf without their explicit permission to access their data.
You may use Account Information in accordance with your privacy policy and other Facebook policies. All other data may only be used outside your app after you have obtained explicit user consent.
See policy.
I've been trying to do Google Plus sign-in correctly and it's all correct except for this.
Once I've done Google Plus sign-in, I cannot try to log in with another account. Is this right?
Thanks!
If you want to simply allow the user to select an alternative account you can call PlusClient.clearDefaultAccount(). You probably also want to disconnect and reconnect the PlusClient to properly put the user into a signed out state in your app, as explained here:
https://developers.google.com/+/mobile/android/sign-in#sign_out_the_user
To actually disconnect the user from your app, i.e. revoke permission for the app to call Google APIs on the user's behalf, you need to call mPlusClient.revokeAccessAndDisconnect(), as in:
https://developers.google.com/+/mobile/android/sign-in#revoking_access_tokens_and_disconnecting_the_app