[Bug]: Use of OneSignal SDK without adding Android and iOS Location Permission

[pbisku]

What happened?

We have an issue with our flutter app which uses the OneSignal Flutter SDK 5.0.4 and the handling of the location permission.

We have built a kids app and using the OneSignal SDK only for push messages.

We don't use any location services in our app but after adding the OneSignal SDK the merged AndroidManifest.xml contains this line (among other added permissions):

<uses-permission
        android:name="android.permission.ACCESS_COARSE_LOCATION" />

Our app is now rejected from Google and Apple, since we have our app targeted for kids and the store guidelines for this group prohibits the tracking of geolocation.

Google for example states now:

'You have declared that your app targets under 13 age groups, but your app asks for location permissions.'

Apple informs us about a missing purpose string in Info.plist:

The Info.plist file for the “Runner.app” bundle should contain a NSLocationWhenInUseUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. If you’re using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required.

Would it be possible to adapt the Flutter SDK, so we as flutter developer can disable the 'ACCESS_COARSE_LOCATION' permission for Android and the permission for iOS ?

This problem is also noted in these issues:
OneSignal/OneSignal-Android-SDK#1875
OneSignal/OneSignal-Unity-SDK#670

We understand that the product feature "Send push messages depending on location" is to be introduced or distributed at OneSignal, but every customer should be able to use this feature for themselves or not. As we understand it, it is an optional feature - but here it is mandatory for all developers, regardless of whether they want to use the above-mentioned feature or not.

In Europe, this is "critical", as it implicitly allows the person to be tracked, which is a clear problem in connection with the legal regulations (GDPR) - not to mention when it comes to the store requirements for children's apps!

Many thanks,
Peter

Steps to reproduce?

1. Add OneSignal Flutter SDK to pubspec.yaml
2. Don't add any location permissions to \android\app\src\main\AndroidManifest.xml
3. Build the app
4. Check the merged AndroidManifest.xml in the apk

What did you expect to happen?

When adding the SDK and not using any location permissions in Android and iOS, no location permission should be added by the SDK,

OneSignal Flutter SDK version

Release 5.0.4

Which platform(s) are affected?

• iOS
• Android

Relevant log output

# The initial AndroidManifest.xml (Permission extract) with and without adding the OneSignal SDK:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.dierotenbullen.kidsapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
</manifest>

# The merged AndroidManifest.xml without OneSignal SDK (Permission part):

<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:versionCode="231207095"
    android:versionName="1.2.0"
    android:compileSdkVersion="34"
    android:compileSdkVersionCodename="14"
    package="com.dierotenbullen.kidsapp"
    platformBuildVersionCode="34"
    platformBuildVersionName="14">

    <uses-sdk
        android:minSdkVersion="29"
        android:targetSdkVersion="33" />

    <uses-permission
        android:name="android.permission.INTERNET" />

    <uses-permission
        android:name="android.permission.ACCESS_NETWORK_STATE" />

    <uses-permission
        android:name="android.permission.READ_EXTERNAL_STORAGE" />

    <uses-permission
        android:name="android.permission.READ_MEDIA_IMAGES" />

    <uses-permission
        android:name="android.permission.FOREGROUND_SERVICE" />

    <queries>

        <intent>

            <action
                android:name="android.support.customtabs.action.CustomTabsService" />
        </intent>
    </queries>

    <uses-permission
        android:name="android.permission.CAMERA" />

    <uses-feature
        android:name="android.hardware.camera"
        android:required="false" />

    <uses-permission
        android:name="android.permission.RECORD_AUDIO" />

    <uses-permission
        android:name="android.permission.USE_BIOMETRIC" />

    <uses-permission
        android:name="android.permission.USE_FINGERPRINT" />

    <uses-permission
        android:name="android.permission.RECEIVE_BOOT_COMPLETED" />

    <uses-permission
        android:name="android.permission.WAKE_LOCK" />
</manifest>

# The merged AndroidManifest.xml with OneSignal SDK (Permission part):

<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:versionCode="231207095"
    android:versionName="1.2.0"
    android:compileSdkVersion="34"
    android:compileSdkVersionCodename="14"
    package="com.dierotenbullen.kidsapp"
    platformBuildVersionCode="34"
    platformBuildVersionName="14">

    <uses-sdk
        android:minSdkVersion="29"
        android:targetSdkVersion="33" />

    <uses-permission
        android:name="android.permission.INTERNET" />

    <uses-permission
        android:name="android.permission.ACCESS_NETWORK_STATE" />

    <uses-permission
        android:name="android.permission.READ_EXTERNAL_STORAGE" />

    <uses-permission
        android:name="android.permission.READ_MEDIA_IMAGES" />

    <uses-permission
        android:name="android.permission.FOREGROUND_SERVICE" />

    <queries>

        <intent>

            <action
                android:name="android.support.customtabs.action.CustomTabsService" />
        </intent>
    </queries>

    <uses-permission
        android:name="android.permission.CAMERA" />

    <uses-feature
        android:name="android.hardware.camera"
        android:required="false" />

    <uses-permission
        android:name="android.permission.RECORD_AUDIO" />

    <uses-permission
        android:name="android.permission.USE_BIOMETRIC" />

    <uses-permission
        android:name="android.permission.USE_FINGERPRINT" />

    <uses-permission
        android:name="android.permission.WAKE_LOCK" />        

    <uses-permission
        android:name="android.permission.POST_NOTIFICATIONS" />
    
    <uses-permission
        android:name="com.google.android.c2dm.permission.RECEIVE" />

    <uses-permission
        android:name="android.permission.VIBRATE" />

    <uses-permission
        android:name="android.permission.RECEIVE_BOOT_COMPLETED" />

    <uses-permission
        android:name="com.sec.android.provider.badge.permission.READ" />

    <uses-permission
        android:name="com.sec.android.provider.badge.permission.WRITE" />

    <uses-permission
        android:name="com.htc.launcher.permission.READ_SETTINGS" />

    <uses-permission
        android:name="com.htc.launcher.permission.UPDATE_SHORTCUT" />

    <uses-permission
        android:name="com.sonyericsson.home.permission.BROADCAST_BADGE" />

    <uses-permission
        android:name="com.sonymobile.home.permission.PROVIDER_INSERT_BADGE" />

    <uses-permission
        android:name="com.anddoes.launcher.permission.UPDATE_COUNT" />

    <uses-permission
        android:name="com.majeur.launcher.permission.UPDATE_BADGE" />

    <uses-permission
        android:name="com.huawei.android.launcher.permission.CHANGE_BADGE" />

    <uses-permission
        android:name="com.huawei.android.launcher.permission.READ_SETTINGS" />

    <uses-permission
        android:name="com.huawei.android.launcher.permission.WRITE_SETTINGS" />

    <uses-permission
        android:name="android.permission.READ_APP_BADGE" />

    <uses-permission
        android:name="com.oppo.launcher.permission.READ_SETTINGS" />

    <uses-permission
        android:name="com.oppo.launcher.permission.WRITE_SETTINGS" />

    <uses-permission
        android:name="me.everything.badger.permission.BADGE_COUNT_READ" />

    <uses-permission
        android:name="me.everything.badger.permission.BADGE_COUNT_WRITE" />

    <uses-permission
        android:name="android.permission.ACCESS_COARSE_LOCATION" />
</manifest>

Code of Conduct

• I agree to follow this project's Code of Conduct

[emawby]

@pbisku Hello we are working on fixing this in our Android native SDK and will have it fixed in our next release. Thank you for your patience

[rasitayaz]

any updates on this? when will the new release roll out?

[shepherd-l]

Thank you for your patience. The fix is in the latest 5.1.0 Release. If you are still having issues, please tag us here!

[chedielathmnilatech]

@shepherd-l Hello, we're using release 5.1.0 in out app, and just received a warning from apple on our latest testflight version (after adding oneSignal):

Missing purpose string in Info.plist, "Runner.app" bundle should contain a NSLocationWhenInUseUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data.

Is there no way that this also gets fixed on IOS ? Thank you.

[shepherd-l]

@chedielathmnilatech
Currently our wrapper SDKs include the OneSignal location module by default. We plan to support a non-location included wrapper in the future to avoid this issue.

In the meantime you might need to provide a description indicating that you will never prompt or collect this information.

Some users have worked around this by defining the OneSignal submodules instead as described by RMatushkin here: OneSignal/OneSignal-iOS-SDK#368 (comment)
Our iOS SDK has a modular setup guide that you can also read for context: https://documentation.onesignal.com/docs/ios-sdk-setup#cocoapods