Android 13 has a new feature known as “Granular Media Permissions” (https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions).
My team and I are trying to make sure we request the right permissions for an android app that can (in two different workflows) utilize a user’s photos or a user’s videos. So we’ve written some code to request the new READ_MEDIA_VIDEO permission for the video workflow and code to request the new READ_MEDIA_IMAGES permission for the photo workflow.
What I am confused about is why does the app’s settings page still show only one permission under “App permissions” (Photos and videos)? Shouldn’t it show two permissions — one for photos and one for videos?
Similarly when the user actually sees a permission dialog when we request one of the two permissions, the dialog simply gives the user the option to grant the “Photos and videos” permission. If the permissions are supposed to be granular but they both grant the same privilege to the app I am not clear on what the benefit is of this new feature.
So far Google’s docs on this have not be very clear on this either. Although the page linked does indicate that if the READ_MEDIA_IMAGES and READ_MEDIA_VIDEO permissions are requested at the same time only one dialog appears we are not actually doing this. We request one of the two permissions, not both. However both permissions ARE listed in the android manifest. Could this be a factor?
Thank you in advance
Related
So we've developed a Facebook App (and similar apps on Twitter and Instagram) that allow users to post and read content using an external system. We'll sell this integration directly to our clients, so it's a private application.
Basically the user will see a very simple page with a button "Log in to Facebook" and a disclaimer regarding the authorization (we'll use some query params fixed in the url, depending on the client). The client authorize us and we capture the access tokens.
To submit the app review, though, we have to explicitly give a test user to the reviewers, but that's not really possible because the real "action" happens within the integrated systems, NOT within the app itself. And those systems are not public (they shouldn't be).
So just to be clear: our app is basically a very simple "Facebook login" that we use to get tokens, generated by specific clients authorization. It's not going to be published anywhere.
Until we have around 5 to 10 clients we can add the specific users in our app as Testers/Admins/etc, but what if we scale up? Say we have 20 clients. How are we supposed to get our app to be "live"?
To follow the app review steps we would have to create some users in our local systems (we have some dev environments), open them to the internet so the reviewers can log in and see how it actually works? Is that it?
(btw I'm asking this because our app review was rejected twice and I want to make sure I'm submitting everything they ask this time).
Thanks :)
I think the Login Review FAQ answers most of your questions. The key point:
Our review team will actually test how your app uses each permission on every platform you have listed in the settings section of your app.... You'll need to explain exactly how to test each permission or feature in your app so that we can make sure it works and follows our policies. We can't approve your app if we can't fully test how it integrates with Facebook.
In other words, it's not enough to just allow them to log in to your app, you have to expose all Facebook-related features to the reviewer.
To follow the app review steps we would have to create some users in our local systems (we have some dev environments), open them to the internet so the reviewers can log in and see how it actually works? Is that it?
Yes, though I'm not sure what you mean by "open them to the internet". You should be able to create a test user on your local system and link that account to a test Facebook user. Then you can have the Facebook reviewer use that test account for their review. (From the FAQ: "In the Items in Review section, you'll see a Test User (optional) section that allows you to type the name of the user you wish to be used in your review.")
I created an fb application which uses the following permissions: manage_pages,publish_pages, and read_insights.
The main purpose of the application is to give to the authenticated user reports and statics about the popularity of his own fb page.
I noticed that I can't use those permissions until I submit the app for review.
In the facebook developer account, I noticed that for each of the above permissions I have to complete some notes:
1. How a person logs in with Facebook
2. How a person sees the permission used in your app.
Also they want me to upload a video to show them that I use the permission correctly.
The problem is that I'm not sure what should the video contain in order to clarify the point 1 and 2.
Right now my application is only doing the authentication phase (signup), and in the next release we are going to create and display analytics for each user who joined the platform.
I would be grateful, If you could give me some suggestions regarding what facebook would like to know in order to approve the permissions.
Thanks,
Your App needs to be working before you can send it in for review. Meaning, you need to have at least a working prototype. For development, you do not need to go through the review process, every permission works for everyone with a role in the App without review.
In other words, you can´t go through review with permissions you don´t even use right now.
Hello I've read the docs and am having trouble getting a definitive answer for the following questions:
Can our app detect if another app is used by a given user. What about if we are admin of, or have the id of both apps.
If one of the apps is removed from FB is there a way to tell if a user had it installed before it was removed? A sort of history of past apps, I guess.
Here:
FB Connect: is there a way to see the logged in user's facebook apps?
Best answer is "I think the most you can do..." but I'd like to know for sure.
Thanks for any help.
If you request the permission user_actions:APP_NAMESPACE you can see the open graph actions that the user has performed in that app.
http://developers.facebook.com/docs/authentication/permissions/#open_graph_perms
In my apps I generally store the user ID of all authorized users in a database, and when I get a call via the "Deauthorize Callback URL" I don't delete the user from the database, but instead only flag the user as deauthorized.
This way I can easily get an overview of users that are using (or have used) any of my apps. This allows me to present special features for users who are using several of my apps.
For example, let's say I made a photo app (like Instagram) and a GPS running app (like Endomondo). If the user takes a photo with Instagram while running with Endomondo, I could present the option to GPS-tag the photo, or add the photo to Endomondo.
This is something that I think we developers should use more. Perhaps present an open API to other apps, to let the apps work together.
I have a basic question about a facebook app I am building. In the first phase, we are building the app so that it doesn't collect any user information, thus keeping the user from having to click the "allow" button to use the app. However, we are considering adding features to the app later on that would require user information. I am just curious if it is a good idea to build it like this, or if we should just collect user information from the start. Would users think it is strange for an app to start collecting data after the app is already live? Any advice is appreciated. Thanks!
No it's not a bad idea. Actually Facebook recommends only asking for a permission when needed:
As a best practice, you should only request extended permissions at
reasonable times when the user engages with features that would
require their use. For example, if you are asking the user for the
publish_stream permission in order to create a custom share UI, the
user will better understand the context behind your request if
presented with the permission while interacting with the app's share
functionality.
Please DO visit the document I linked to.
I have a button in my iOS app to share the currently viewed content on facebook. I'm deciding on the permissions needed for the app, it only needs to write links to the stream, and I don't want to access any of the user information, including the Basic Information, that seems enabled by default. How do I disable this?
You can't, connecting through Facebook Connect implies the user allows you're app to access minimal informations
http://developers.facebook.com/docs/authentication/permissions