diff --git a/fastlane/metadata/android/en-US/full_description.txt b/fastlane/metadata/android/en-US/full_description.txt
index 2da3b6c..3b904ee 100644
--- a/fastlane/metadata/android/en-US/full_description.txt
+++ b/fastlane/metadata/android/en-US/full_description.txt
@@ -5,6 +5,6 @@
When you reinstall an app, or change your device, or upgrade your ROM, it's a time-taking process to review all installed apps for granted permissions and revoke the unnecessary ones (after all privacy matters). PMX provides you the solution. Set reference states of permissions, which can be quickly backed up and restored, and colored bars at left make it quite easy to review packages and permissions at a glance.
Confused? We are here to explain. Please start with:
-Paid version (available as Play Store and Pro flavors) offers extra features including Permission Watcher and Scheduled Checks.
+Paid version (available as Play Store and Pro flavors) offers extra features including Permission Watcher, Scheduled Checks, Permission View and Batch Operations / Profiles.
Beta builds are released in Telegram channel.
Guide: https://mirfatif.github.io/PermissionManagerX/help
\ No newline at end of file
diff --git a/help/en/img/perm_profiles.webp b/help/en/img/perm_profiles.webp
new file mode 100644
index 0000000..79b6335
Binary files /dev/null and b/help/en/img/perm_profiles.webp differ
diff --git a/help/en/img/set_refs.webp b/help/en/img/set_refs.webp
new file mode 100644
index 0000000..d7f70bc
Binary files /dev/null and b/help/en/img/set_refs.webp differ
diff --git a/help/en/index.html b/help/en/index.html
index 6ad53b4..ab728c0 100644
--- a/help/en/index.html
+++ b/help/en/index.html
@@ -47,12 +47,19 @@ Contents
Permission Watcher
Permission View
+
+ Batch Operations
+
+
Integration with WhatsRunning
Using PMX with ADB
@@ -66,7 +73,7 @@ Contents
PMX Versions
FAQs
@@ -132,7 +139,7 @@ What is PMX?
Using PMX you can:
- View / grant / revoke all the manifest permissions which can or cannot be set using app's settings screen. The list of permissions which cannot be set from GUI is very long.
- - View all the AppOp permissions which usually don't have any GUI setting. E.g. VIBRATE and READ_CLIPBOARD AppOp permissions. You can set the desired AppOps mode e.g. Foreground.
+ - View all the AppOp permissions which usually don't have any GUI setting. E.g. VIBRATE and READ_CLIPBOARD AppOp permissions. You can set the desired AppOps mode e.g. Foreground.
- View all permissions requested by an app which are not changeable.
- View last used time for many AppOp permissions.
- Change System-Fixed permissions which cannot be changed by any other means.
@@ -160,9 +167,7 @@ Permission References
- Or you granted a few permissions, as requested by the apps.
Will you go through the whole hassle once again?
- No you don't need to. You can make PMX remember your desired permission states. Set a permission, make it GREEN, and done. It will take only a few moments to look at all installed packages and figure out which permissions aren't correctly set e.g. by making a quick search: ":RED|:ORANGE" or "!:GREEN". See Search for more details.
- Reference states can be backed up and restored conveniently.
- Long press a permission to set or clear its reference state.
+ No you don't need to. You can make PMX remember your desired permission states. Set a permission, make it GREEN, and done. It will take only a few moments to look at all installed packages and figure out which permissions aren't correctly set e.g. by making a quick search: :RED|:ORANGE or !:GREEN. See Search for more details.
Three reference states are:
-
@@ -181,6 +186,9 @@
Permission References
+
+ Reference states can be backed up and restored conveniently. After a restore, there's a convenient way to set all permissions according to restored references. See Batch Operations.
+ Long press a permission to set or clear its reference state. There's also a top menu option on every app's permission list screen to set or clear all references. Or set references in bulk with Batch Operations.
@@ -236,32 +244,32 @@
Search
-
App state:
- :Critical :Framework :System :User :Disabled
+ :Critical :Framework :System :User :Disabled
-
Reference state:
- :ORANGE :GREEN :RED
+ :ORANGE :GREEN :RED
-
Permissions protection level:
- :Normal :Dangerous :Signature :Internal :Development :Privileged :Fixed :AppOps :Unknown
+ :Normal :Dangerous :Signature :Internal :Development :Privileged :Fixed :AppOps :Unknown
-
Per UID AppOps:
- :UID
+ :UID
-
AppOps with last access time:
- :TIME
+ :TIME
-
Extra AppOps (never excluded in filter settings):
- :EXTRA
+ :EXTRA
-
-
& (AND), | (OR) and ! (NOT) operators:
- Foo|Bar&Baz
- Foo&!Bar&!Baz
+ & (AND), | (OR) and ! (NOT) operators:
+ Foo|Bar&Baz
+ Foo&!Bar&!Baz
Paid version also shows search suggestions (if set in preferences) to ease the search process.
@@ -272,7 +280,7 @@
Scheduled Checker (Pro only)
Do you want to keep track of any unwanted changes to the permissions for all the installed apps? Scheduled Check can do this for you at regular intervals (in minutes, hour or days).
-
Set Permission References to GREEN and leave the rest to PMX. If any permission is found changed (with RED state) or when a new app is found installed (with ORANGE state permissions), PMX reminds you that something needs your attention.
+
Set Permission References to GREEN and leave the rest to PMX. If any permission is found changed (with RED state) or when a new app is found installed (with ORANGE state permissions), PMX reminds you that something needs your attention.
Additionally, if configured in preferences, Scheduled Check can auto-revoke granted permissions with an informatory notification.
Permission Watcher (Pro only)
Note:
-
-
Only the permissions with "RED" reference state are revoked, not those with the "ORANGE" state. So you MUST first set the reference states. See Permission References.
+ Only the permissions with RED reference state are revoked, not those with the ORANGE state. So you MUST first set the reference states. See Permission References.
-
Manifest permissions only with Dangerous protection level are watched. Those are the ones usually changed. Permissions with Signature|Development protection level or those with System-Fixed flag set are not watched, though they are changeable.
@@ -302,7 +310,7 @@ Permission Watcher (Pro only)
Why starting Permission Watcher fails?
- Are you using ADB? Some OEMs remove permission OBSERVE_GRANT_REVOKE_PERMISSIONS or SET_ACTIVITY_WATCHER from Shell package. If this is the case with you, we are sorry. This is something we cannot fix. On such devices Permission Watcher can work only with root. See the note at the start of Using PMX with ADB.
+ Are you using ADB? Some OEMs remove permission OBSERVE_GRANT_REVOKE_PERMISSIONS or SET_ACTIVITY_WATCHER from Shell package. If this is the case with you, we are sorry. This is something we cannot fix. On such devices Permission Watcher can work only with root. See the note at the start of Using PMX with ADB.
@@ -335,6 +343,46 @@
Permission View (Pro only)
When you select an app, the permission list opens where you can change the permission state.
+
Batch Operations (Pro only)
+
+
+
Permission Profiles
+
+ - Create and edit permission profiles (templates).
+ - Apply a profile to a selected list of apps.
+ - Select a Default Profile to apply on newly installed apps (if Permission Watcher is enabled).
+
+
+
+
+
Operations with References
+
+ -
+
Set Permissions
+ Go through a list of selected apps and make RED permissions GREEN by setting their states according to the reference values. Permissions with Green and Orange states are ignored.
+ This option is usually helpful when you have just restored a backup and there are many permissions with RED state.
+
+ -
+
Set References
+ Go through a list of selected apps and make RED and ORANGE permissions GREEN by setting their reference values according to the permission states.
+ This option is usually helpful during an initial setup. You have just installed the PMX app and spent a few hours setting permissions. This option will make them all GREEN in a single tap.
+
+ -
+
Cleanup References
+ Cleanup permissions references database. Unused references will be removed.
+ If there's a huge list of unused references, a cleanup may improve loading of app list.
+
+ -
+
Reset References
+ Reset permissions references database. All references will be removed.
+ Not meant to be used normally. But in case if you want to start from scratch.
+
+
+
+
+
Integration with WhatsRunning
@@ -344,7 +392,7 @@
Integration with WhatsRunning
So from PMX you can switch to WhatsRunning to find out if an app with restricted permissions is still running. If yes, in what state it is and how much resources it is using.
Similarly, from WhatsRunning you can switch to PMX to find out what permissions a running (or dead) app is granted.
-
This is particularly helpful when analyzing the effect of permissions like RUN_IN_BACKGROUND.
+
This is particularly helpful when analyzing the effect of permissions like RUN_IN_BACKGROUND.
@@ -391,8 +439,8 @@
Android 10 and below
On PC open a terminal window (or command prompt on Windows) and run:
- adb tcpip 5555
- You must have adb executable available on your PC to run the above command. If not, here's the download link.
+ adb tcpip 5555
+ You must have adb executable available on your PC to run the above command. If not, here's the download link.
@@ -406,16 +454,16 @@
Android 10 and below
Connect your device and PC to a common Wi-Fi network.
- Get the IP address of the device (usually in Wi-Fi settings or in Settings -> About), say it's 192.168.1.1.
+ Get the IP address of the device (usually in Wi-Fi settings or in Settings -> About), say it's 192.168.1.1.
On PC run:
- adb connect 192.168.1.1
+ adb connect 192.168.1.1
Run again:
- adb shell id -u
- It should print 2000 (or 0).
+ adb shell id -u
+ It should print 2000 (or 0).
@@ -423,7 +471,7 @@
Android 10 and below
-
-
Run PMX app and check ADB Shell in drawer. Enter port 5555 and tap connect.
+ Run PMX app and check ADB Shell in drawer. Enter port 5555 and tap connect.
-
@@ -474,11 +522,11 @@
Android 11 and above
ADB Connect Service
If Permission Watcher or Scheduled Checks are enabled, PMX connects to ADB on device boot. But if ADB has not been enabled by then, PMX will no more try to connect to ADB unless explicitly done by opening the app.
- But if you enable ADB on boot in an automated way, you can notify PMX by sending the following Intent that ADB has been enabled:
+ But if you enable ADB on boot in an automated way, you can notify PMX by sending the following Intent that ADB has been enabled:
- am startservice -n com.mirfatif.permissionmanagerx/.fwk.AdbConnectSvcM --ei "com.mirfatif.pmx.extra.ADB_PORT" 5555
+ am startservice -n com.mirfatif.permissionmanagerx/.fwk.AdbConnectSvcM --ei "com.mirfatif.pmx.extra.ADB_PORT" 5555
- Make sure to use the correct package name depending on the app version. Read here how to use am tool to start an app's service.
+ Make sure to use the correct package name depending on the app version. Read here how to use am tool to start an app's service.
@@ -502,7 +550,7 @@
PMX Versions
One can purchase the paid version just to make a donation and/or to use the paid-only features. Other methods of making a donation are available in the Free / Pro version under Donate section. Developers can also support the app development by contributing to the source code e.g. by fixing a bug. Users can help us make the app better by testing the beta releases, reporting any crashes or glitches, suggesting improvements and new features, or translating the app to their native language.
Paid Features
-
Paid version includes everything that's in the Free version, plus the following extra features which are also listed in the app under About section and in the Play Store description:
+
Paid version includes everything that's in the Free version, plus the following extra features which are also listed in the Play Store description:
- Sort apps and permissions by different parameters
- Scheduled check to notify bad reference states
@@ -511,11 +559,11 @@ Paid Features
- Make changes to critical apps and permissions
- Multiple users / work profile support
- Auto create backup file on changes
+ - Batch Operations (Profiles)
- Permissions description
- Search suggestions
- Theming options
- - Permission Summary View
- - Batch operations (profiles) (upcoming)
+ - Permissions View
FAQs
Why PMX requires root or ADB access?
Android won't allow a normal user app to change other apps' manifest or AppOp permissions, even its own. Only reading AppOps without root or ADB is possible provided that hidden APIs are not blacklisted on your device, which is very unlikely on Android 9+.
That's why we run a separate process with high privileges to circumvent the restrictions.
- By default, the background process (daemon) is run with ADB UID (2000) or (if rooted) System UID (1000). On rooted devices UID can be changed in Advanced Settings.
+ By default, the background process (daemon) is run with ADB UID (2000) or (if rooted) System UID (1000). On rooted devices UID can be changed in Advanced Settings.
@@ -585,8 +633,8 @@ FAQs
Why do some AppOps cannot be changed?
Sometimes you see "AppOp mode not changed". It means that Android rejected the request to change the AppOp mode. You cannot change it no matter what method or app you use. There could be multiple possible reasons.
- - Some AppOps are dependent on their corresponding manifest permissions. So they cannot be changed independently. For instance you may not be able to deny
READ_CONTACTS AppOp if android.permission.READ_CONTACTS manifest permission is granted.
- - Some AppOps are only used by Android for compatibility (e.g.
LEGACY_STORAGE) and they don't actually control anything. If we explore their underlying working it's revealed that granting / revoking such permissions doesn't make sense.
+ - Some AppOps are dependent on their corresponding manifest permissions. So they cannot be changed independently. For instance you may not be able to deny READ_CONTACTS AppOp if android.permission.READ_CONTACTS manifest permission is granted.
+ - Some AppOps are only used by Android for compatibility (e.g. LEGACY_STORAGE) and they don't actually control anything. If we explore their underlying working it's revealed that granting / revoking such permissions doesn't make sense.
- Some permissions cannot be changed if the app is targeting old Android version.
- Some OEM ROMs behave weird when it comes to AppOps. We do not know exactly what changes your OEM has made to the stock AOSP code. That's why the statement on Github and Play Store: "The app is tested on stock Android 7-11. Some highly customized ROMs may behave unexpectedly."
@@ -612,19 +660,19 @@ FAQs
Why don't I see XYZ AppOp in ABC package?
Please check Exclusion Filters if XYZ AppOp is excluded from the visible list. Or ABC package might not be using XYZ operation. You don't need to be worried about this.
But if you want to see the XYZ AppOp for all apps, go to Exclusion Filters -> Extra AppOps, never excluded and check XYZ AppOp in the list.
- For instance, write _CLIPBOARD in search box (with Deep Search box checked) and you'll get all apps which used (or tried to use) READ_CLIPBOARD or WRITE_CLIPBOARD permission. Timestamp is also shown (but not for all AppOps).
+ For instance, write _CLIPBOARD in search box (with Deep Search box checked) and you'll get all apps which used (or tried to use) READ_CLIPBOARD or WRITE_CLIPBOARD permission. Timestamp is also shown (but not for all AppOps).
So if the app you are concerned about isn't in the search results, check both AppOps in the Exclusion Filters list mentioned above.
What should I select for Privileged Daemon UID in Advanced Settings? System or ADB?
It matters only if you are using root, or ADBD on your device is running with root (which is not the case with the final user devices).
- Preferably use System (UID 1000) as it allows more privileges than ADB (UID 2000). E.g. changing "System-Fixed" permissions is possible only when running as system.
+ Preferably use System (UID 1000) as it allows more privileges than ADB (UID 2000). E.g. changing "System-Fixed" permissions is possible only when running as system.
What are invalid permissions in Exclusion Filters?
- If an app is requesting a manifest permission but it's not declared (provided) by Android framework or any of the installed packages, it's an invalid permission. For instance "com.android.vending.BILLING" is an invalid permission if Play Store app is not installed on your device.
+ If an app is requesting a manifest permission but it's not declared (provided) by Android framework or any of the installed packages, it's an invalid permission. For instance com.android.vending.BILLING is an invalid permission if Play Store app is not installed on your device.
@@ -635,7 +683,7 @@ FAQs
What are different AppOp modes and which one should I use?
Normally you should Allow or Ignore. Or you may want to allow an operation only when the app is in Foreground (only on Pie+). Deny is the intense version of Ignore which may crash the requesting app. Default is the system's default behavior which differs for different AppOps.
- Please note that not every AppOp mode can be possibly set on every AppOp for every app. For instance on recent Android releases CAMERA and MICROPHONE are allowed to be used by user apps only in foreground (even if set mode is Allow). Similarly, some AppOps can never be set to Foreground mode.
+ Please note that not every AppOp mode can be possibly set on every AppOp for every app. For instance on recent Android releases CAMERA and MICROPHONE are allowed to be used by user apps only in foreground (even if set mode is Allow). Similarly, some AppOps can never be set to Foreground mode.
Related: Why do some AppOps cannot be changed?
Official documentation: AppOpsManager.
@@ -662,7 +710,7 @@ FAQs
What does READ_MEDIA_AUDIO permission do?
- READ_MEDIA_[AUDIO|VIDEO|IMAGES] are recent addition to AppOps list, added in Android 10 (IIRC) as a part of Android's Scoped Storage implementation. Source code states: Read media of audio type. In simple terms it controls apps (which use MediaStore) access to audio files in external shared storage.
+ READ_MEDIA_[AUDIO|VIDEO|IMAGES] are recent addition to AppOps list, added in Android 10 (IIRC) as a part of Android's Scoped Storage implementation. Source code states: Read media of audio type. In simple terms it controls apps (which use MediaStore) access to audio files in external shared storage.
@@ -672,7 +720,7 @@ FAQs
How can I change INTERNET permission?
- Android doesn't allow changing all permissions, like those with the Normal protection level (e.g. INTERNET) or those with Fixed flag or Signature protection level (usually System or Framework apps). See Manifest permissions and AppOps.
+ Android doesn't allow changing all permissions, like those with the Normal protection level (e.g. INTERNET) or those with Fixed flag or Signature protection level (usually System or Framework apps). See Manifest permissions and AppOps.
@@ -698,8 +746,8 @@ FAQs
To change this option from PMX:
- - Go to Exclusion Filters -> Extra AppOps list and check "AUTO_REVOKE_PERMISSIONS_IF_UNUSED".
- - Back on the main screen, type "AUTO_REVOKE_PERMISSIONS_IF_UNUSED" in the top search bar. Make sure that deep search is enabled in search settings.
+ - Go to Exclusion Filters -> Extra AppOps list and check AUTO_REVOKE_PERMISSIONS_IF_UNUSED.
+ - Back on the main screen, type AUTO_REVOKE_PERMISSIONS_IF_UNUSED in the top search bar. Make sure that deep search is enabled in search settings.
- Set the mode Allow or Ignore for whichever apps you want.
@@ -734,7 +782,7 @@ FAQs
How to use the app in work profile / multi-user environment?
- Paid version supports work profiles and multiple users. Select a user from drop-down menu.
+ Pro version supports work profiles and multiple users. Select a user from drop-down menu.
@@ -772,29 +820,29 @@ FAQs
When a new app is installed, can PMX drop its permissions by default?
- Yes. But there's nothing to drop. All the revocable manifest permissions are already revoked and stay revoked unless the user grants them explicitly. As far as AppOps are concerned, many of them don't appear until at least once used by the app e.g. VIBRATION and READ_CLIPBOARD. Many others (e.g. READ_CONTACTS) have their corresponding manifest permissions already dropped, as pointed out. So it's not predictable at the time of app installation which AppOps should be removed.
- But a notification is displayed when a new app is installed (if using Permission Watcher) so the user can set permissions one by one or apply a profile (upcoming feature).
+ Yes. But there's nothing to drop. All the revocable manifest permissions are already revoked and stay revoked unless the user grants them explicitly. As far as AppOps are concerned, many of them don't appear until at least once used by the app e.g. VIBRATE and READ_CLIPBOARD. Many others (e.g. READ_CONTACTS) have their corresponding manifest permissions already dropped, as pointed out. So it's not predictable at the time of app installation which AppOps should be removed.
+ But a notification is displayed when a new app is installed (if using Permission Watcher) so the user can set permissions one by one or apply a profile.
Why PMX requires INTERNET permission?
The standalone Pro version requires internet connection for license verification. The other two versions - Free and Play Store Pro - can work completely offline. Though Play Store app needs internet connection for license verification.
- Optional use of android.permission.INTERNET permission:
+ Optional use of android.permission.INTERNET permission:
- Check for app updates. You can disable this in app settings.
- Fetch help contents of this webpage that you view in drawer -> Help.
- Local (on-device) use of android.permission.INTERNET permission:
- Android does not allow apps to create network sockets without having the INTERNET permission even if they are meant to be used only locally and not for an internet connection. PMX has two uses of local (on-device) connections (the ability to create localhost sockets at 127.0.0.1) for Inter Process Communication (IPC):
+ Local (on-device) use of android.permission.INTERNET permission:
+ Android does not allow apps to create network sockets without having the INTERNET permission even if they are meant to be used only locally and not for an internet connection. PMX has two uses of local (on-device) connections (the ability to create localhost sockets at 127.0.0.1) for Inter Process Communication (IPC):
- PMX starts a background process with root / ADB privileges and talks to that process over network socket. After the initial handshake, both processes start talking over Binder. We have no better way to do this because Android doesn't allow apps to talk over UNIX domain sockets either.
- - If your device is not rooted and you use PMX with ADB, then connecting to
adbd requires internet permissions. See Is PMX spying on me using ADB over network?.
+ - If your device is not rooted and you use PMX with ADB, then connecting to adbd requires internet permissions. See Is PMX spying on me using ADB over network?.
- So if the app is unable to create or use local network sockets, it will fail. And if you want to stop PMX from using internet, it must not stop the app from talking to on-device processes over loopback interface for IPC. This is usually the case with iptables-based firewalls like AFWall+ and VPN based firewalls like NetGuard. But some ROMs have a built-in feature to disallow network access:
+ So if the app is unable to create or use local network sockets, it will fail. And if you want to stop PMX from using internet, it must not stop the app from talking to on-device processes over loopback interface for IPC. This is usually the case with iptables-based firewalls like AFWall+ and VPN based firewalls like NetGuard. But some ROMs have a built-in feature to disallow network access:
This not only prevents the app from using internet but also disables its ability to create loopback sockets for IPC. So PMX won't be able to get root / ADB privileges if this permission is denied.
@@ -808,8 +856,8 @@ FAQs
Is PMX spying on me using ADB over network?
No.
- PMX talks to adbd process over localhost (127.0.0.1). But there's no way to start adbd listen on localhsot only, and not on other network interfaces (because ADB is meant to be used externally from a PC). You can surely stop adbd listening from external IP addresses, if you can. PMX would still work, without any port being exposed externally.
- Also you can change 5555 port to whatever number you want in Advanced Settings. It's not hard-coded.
+ PMX talks to adbd process over localhost (127.0.0.1). But there's no way to start adbd listen on localhsot only, and not on other network interfaces (because ADB is meant to be used externally from a PC). You can surely stop adbd listening from external IP addresses, if you can. PMX would still work, without any port being exposed externally.
+ Also you can change 5555 port to whatever number you want in Advanced Settings. It's not hard-coded.
Also ADB since Android 4.2 is meant to be protected with RSA key authentication (one of the strongest authentication mechanism). So even if the device is accessible from internet (which is highly unlikely), no one can make an ADB connection without authentication.
You can verify these claims in whatever way you want. We are here to assist you technically.
@@ -841,4 +889,4 @@
-