Check & request operation missing before using LocationManager.requestLocationUpdates()

[aper-project]

Issue description

Hi, in mylocation v1.3.1, we found a dangerous API usage (https://github.com/gjedeer/mylocation/blob/master/app/src/main/java/net/mypapit/mobile/myposition/GetFixService.java#L110) which requires Manifest.permission.ACCESS_COARSE_LOCATION or Manifest.permission.ACCESS_FINE_LOCATION in accordance to the Android official documentation (https://developer.android.com/reference/android/location/LocationManager).

However, it seems that it missed the “check” and “request” operation in the following call chain starting from the GetFixService.onStartCommand(Intent intent, int flags, int startId) activity if permission is not granted.

CALLCHAIN:
	net.mypapit.mobile.myposition.GetFixService.onStartCommand(android.content.Intent,int,int)int
	 android.location.LocationManager.requestLocationUpdates(java.lang.String,long,float,android.location.LocationListener)void

This may lead to a SecurityException or related functions unavailable if the user denies the location permission but still calls the API in this chain, resulting in bad user experience.

@gjedeer
Could you help me review this issue? Thx

[gjedeer]

@aper-project If you've actually tested that it's a problem, send a PR please.

[aper-project]

Hello, we have tested your application recently, and have the following information and questions, hope to get your reply and comments.

Expected behavior

My Location not crash when requests location update.

Actual behavior

My Location will crash when location permission is not granted and still requests location update.

Steps to reproduce

• Use the following steps will reproduce the bug(as shown in the video)
  Step 1: Install My Location
  Step 2: Open My Location
  Step 3: Deny location permission (Deny My Position to access this device's location)
  Step 4: Deny location permission & don't ask again My location access location
  Step 5: Click "Get Fix" to start GetFixService
  Step 6: Crash

Follow up video is start GetFixService again and crash again

Environment

My location version : v 1.3.3

Android API Level : API 29

Question

• Where to insert the API for checking and requesting permissions.

1. Dangerous API used in service , so only checkselfpermission can be inserted here . If My Location is not granted location permission , the API of requestLocationUpdates() will not be used. But unable request permission.
2. Or we can insert checkselfpermission and requestpermission before calling this service . If My Location is not granted location permission , the service will not be enabled and attempt to request location permission.
   The above two insert locations will not cause the recurrence step to crash again .

Logs

2020-08-14 20:37:23.793 9044-9044/net.mypapit.mobile.myposition E/AndroidRuntime: FATAL EXCEPTION: main
    Process: net.mypapit.mobile.myposition, PID: 9044
    java.lang.RuntimeException: Unable to start service net.mypapit.mobile.myposition.GetFixService@d47a901 with Intent { act=START_FOREGROUND_ACTION cmp=net.mypapit.mobile.myposition/.GetFixService }: java.lang.SecurityException: "gps" location provider requires ACCESS_FINE_LOCATION permission.
        at android.app.ActivityThread.handleServiceArgs(ActivityThread.java:4105)
        at android.app.ActivityThread.access$1800(ActivityThread.java:219)
        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1891)
        at android.os.Handler.dispatchMessage(Handler.java:107)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7356)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
     Caused by: java.lang.SecurityException: "gps" location provider requires ACCESS_FINE_LOCATION permission.
        at android.os.Parcel.createException(Parcel.java:2071)
        at android.os.Parcel.readException(Parcel.java:2039)
        at android.os.Parcel.readException(Parcel.java:1987)
        at android.location.ILocationManager$Stub$Proxy.requestLocationUpdates(ILocationManager.java:1151)
        at android.location.LocationManager.requestLocationUpdates(LocationManager.java:1019)
        at android.location.LocationManager.requestLocationUpdates(LocationManager.java:558)
        at net.mypapit.mobile.myposition.GetFixService.onStartCommand(GetFixService.java:110)
        at android.app.ActivityThread.handleServiceArgs(ActivityThread.java:4087)
        at android.app.ActivityThread.access$1800(ActivityThread.java:219) 
        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1891) 
        at android.os.Handler.dispatchMessage(Handler.java:107) 
        at android.os.Looper.loop(Looper.java:214) 
        at android.app.ActivityThread.main(ActivityThread.java:7356) 
        at java.lang.reflect.Method.invoke(Native Method) 
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492) 
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930) 
     Caused by: android.os.RemoteException: Remote stack trace:
        at com.android.server.LocationManagerService.checkResolutionLevelIsSufficientForProviderUseLocked(LocationManagerService.java:1937)
        at com.android.server.LocationManagerService.requestLocationUpdates(LocationManagerService.java:2500)
        at android.location.ILocationManager$Stub.onTransact(ILocationManager.java:468)
        at android.os.Binder.execTransactInternal(Binder.java:1021)
        at android.os.Binder.execTransact(Binder.java:994)

Download Logs File
Download Reproduce Video