A funny thing happened when I wrote my last app. This was a basic, local data-driven logging system which was entirely self contained. Some of the testers reported something odd - it asked for the permission to make phone calls on installation. Since I knew there was nothing in the app which did that, and I'd only added the android.permission.INTERNET requirement to the manifest, I knew I had to get rid of this warning. In this security-conscious climate, any app which asks for something so far out of whack with its obvious purpose probably isn't going to be installed, and all that hard work will have been for nothing. So what gives? The answer was rather subtle, and in solving it I came up with a useful tool which went beyond the original problem I was tackling, so I thought I'd document it here in case anyone else runs into it.

What goes in an About box?

Your apps About box should tell the user, well, something useful about your app. The usual entries are credits for the author, maybe a link to their site etc, and then the version number. Once I'd written a few apps which do this I soon realised there's a pattern, much of which can be automated. For the contact details a string resource could be used, and the version info can be pulled out at runtime using a system call. This is great - it just means each release all you have to do is update the version entries in the AndroidManifest.xml file once, then at runtime the About box will pull them in correctly. Except, after a little detective work, I realised that's the problem! Heres the way the About box looked:

The information here comes from a call to query the PackageManager object like this:

PackageManager pm = activity.getPackageManager();
String version = activity.getString( R.string.about_unknown );
try {
    PackageInfo pi =  pm.getPackageInfo(activity.getPackageName(), 0);

    version = activity.getString( R.string.about_version ) + " " +
        Integer.toString( pi.versionCode )+ "/" + pi.versionName;
} catch (NameNotFoundException e) {
    e.printStackTrace();
}

It turns out that to interrogate the system via the Packagexxx objects you are in fact potentially requesting sensitive information on the phones state, such as private numbers dialled etc. To handle this, Android just alerts the user with the "Make phone calls" permission request. Since this isn't what we are doing we need a way round using these objects. Note that since writing this I found out there is a way to help certain Android versions deal with it by restricting the version targets in the manifest. However, since I want to target as wide a range of versions as possible, and the solution also produced a useful bonus you can't get this way, I continue to use what I eventually came up with.