Why Do 3rd Party SDKs Need Permissions?

January 24, 2012 |  Posted By : Barbara  In : Developer Community, Developer Resources

Guest Post by Steven Savage | Mobclix Project Manager

Lately, it seems a lot of mobile developers worry about the validity and integrity of 3rd party SDKs, notably what permissions are needed, and why, by the SDK. Inappropriate or unneeded permission requests confuse or anger users. And what’s worse, it might be an indication of a dishonest service or malware. You aren’t always sure what’s going into your app, no matter how many assurances are made–and when you get an alert from an app store or a fellow developer, you start to worry.

With us, people question the permissions our SDK needs. I’ve listed the most common ones I see people get worried about, below, and explanations behind why you shouldn’t be concerned:

• GPS: GPS is optional in a lot of plug-ins and SDKs, so usually you can turn it off or not use the feature.  For instance, we use GPS for ad targeting.  It’s not unusual for various SDKs and components to use GPS (but I’d see if it can be turned off if you don’t want it).

• Internet Connectivity: Another fear that comes with development is when an SDK or component needs internet connectivity–they get afraid that it means sending private information, etc.  However, as wired as most applications are, Internet connectivity is the norm for many components.

• Read Phone State: This is the permission that reads information from your phone.  A lot of SDKs read some phone data for obvious reasons–in a lot of cases to get unique information needed for unique profiles and data.
• Read Phone State is usually what people really worry about, since that’s something Malware would target.  But there’s every reason for legitimate SDKs to access that information, ad networks being one of those reasons. The Mobclix SDK, for example, partners with over 35 different ad networks, all with their own requirements. Some of our ad network partners cannot deal with the error rate of ANDROID_ID (thanks to the pre-Gingerbread days) and require getDeviceId() in order to serve ads. And since most ad networks simply do not serve ads without a unique id, in order for us to continue connecting devs to multiple ad networks, certain compromises have to be made. The Mobclix SDK itself doesn’t use the Read Phone State permission, but without our ad partners, we wouldn’t have ads to serve at all.

So to sum it up, GPS activation, Internet Connectivity and Read Phone State, when accessed, are not signs you’ve accidentally put malware into your application. They’re usually legitimately accessed–along with other data and functions we rarely think about.

The best way to avoid any angry users, confusion, and the like, is to be extremely careful about what you put into your application. That’s why Mobclix, and every other legitimate developer of tools, plug-ins and SDKs, work hard to document how their tools work and make sure they’re reliable.

If you have any other questions or permissions that keep you up at night, post them below & I’ll be sure to help explain!