Fatal Problem: Spyware-level permissions

We’ve built a keyboard with KAB as a means to build trust with the language community and from that, to build awareness for our other products. We assure them that this app is not spyware, and as proof we tout that it requires no special permissions. As installed on my phone from the APK, it shows no permissions given.

But now that it’s in the Google Play Store, this is what I see:

Would you ever trust a keyboard app from an unknown source that required all these permissions? Here’s the technical list of the 8 permissions:

  • android.permission.ACCESS_NETWORK_STATE,
  • android.permission.INTERNET,
  • android.permission.READ_EXTERNAL_STORAGE,
  • android.permission.VIBRATE,
  • android.permission.WAKE_LOCK,
  • android.permission.WRITE_EXTERNAL_STORAGE,
  • com.google.android.c2dm.permission.RECEIVE,
  • com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE

I see that installing the app on an older version of Android tells the user during the install that the app will need access to photos/media/files.

This is a standalone app. Which of these permissions are genuinely needed? Is there a way I can remove the ones I don’t need? For example, does KAB generate the code and manifest and all that good stuff, and there’s a way to edit out those permissions and compile my bundle from there?

KMEA uses these permissions:

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.VIBRATE" />

The network is used to:

The storage permissions are used for downloading keyboard and lexical model packages

Vibrate is used for keyboard rules that beep on invalid keys

Thanks, @darcy, that’s helpful to know why those are there.

In a standalone keyboard built with KAB, there is no need to download anything else or to access keyboard help. We bundle the keyboard and lexical packages. There is nothing on the Keyman server to be retrieved.

If our app could somehow remove these permission requests from the manifest, it seems it should still work fine, right? Because the KMEA should have no cause to go online. Indeed, when I look at the installed app, it shows “no permissions given”. Had it asked to go online, I’d think I’d have had to approve that.

I need to find a way to have a freestanding keyboard app with predictive text that provides the user with assurance that no special permissions will be needed, especially not Internet. Any ideas on how I can achieve this?