by drawkbox 3014 days ago
You need/needed READ_PHONE_STATE if you wanted to suspend your app data/saving and allow calls to be accepted.

For instance you are playing a game and a call comes in, you needed them to allow that and to possibly not crash your game and save your data as well as for some analytics/social network integration.

Also, if you allowed OS-level music to be played over game audio, you need that to handle music and app state when a call came in.

It was/is a default on many large app platforms including game engines like Unity and any social network app integration such as Google Play Game Services and Unity analytics [1][2]. When you have READ_PHONE_STATE you could get the number and more.

For games it wasn't such a big thing but for apps like Facebook that are always running and kept alive playing a silent sound [3], it could get every call that ever came in on record and apparently did. With these holes, apps could scrape everything and they did [4].

[1] https://forum.unity.com/threads/unity-5-1-adds-android-permi...

[2] https://stackoverflow.com/questions/39668549/why-has-the-rea...

[3] https://www.reddit.com/r/iphone/comments/3opxhm/facebook_app...

[4] https://arstechnica.com/information-technology/2018/03/faceb...

1 comments

Where's the reference that you needed READ_PHONE_STATE to suspend your app? Shouldn't the app be automatically suspended when the caller app goes into the foreground?

The Facebook app itself is the real issue as both the Facebook app and Facebook Messenger require everything including READ_PHONE_STATE and contact permissions and pretty much everything [1][2].

> Where's the reference that you needed READ_PHONE_STATE to suspend your app? Shouldn't the app be automatically suspended when the caller app goes into the foreground?

Mostly for analytics and social platforms to access a unique identifier for analytics, you needed it, such as in Unity up to 2015 [3][4].

> The Android build enforces READ_PHONE_STATE if the code has references to SystemInfo.deviceUniqueIdentifier. INTERNET is added when any network classes are referenced. ACCESS_NETWORK_STATE is added when calling Application.internetReachability

Also, early on it was required for saving state and/or ensuring the app didn't crash. Mobile OSes were moving fast, and without it the apps didn't auto suspend, which they mostly do now. You can see some of this discussion in the links I included above. Anything older than Android Ice Cream required it as well.

It is added in by many plugins as well, such as Google Play Game Services or other analytics packages that most people didn't check. There was a reason the market was and is flooded with analytics packages.

It seems to re-pop up in analytics packages quite a bit and many aren't checking closely enough, per this example from 2016 [4][5][6][7].

Largely it is due to people just building and shipping fast; there are other things that trigger it, but the most common are doing things on suspend when a call comes in, or to help allow the music to play in your game/app and turn off when a call comes in, or analytics packages.

For the most part it is not needed now but up to 2016 it still was in many areas since Android started.

[1] https://play.google.com/store/apps/details?id=com.facebook.k...

[2] https://play.google.com/store/apps/details?id=com.facebook.o...

[3] https://answers.unity.com/questions/987433/read-phone-state-...

[4] https://forum.unity.com/threads/unity-5-1-adds-android-permi...

[5] https://stackoverflow.com/questions/39668549/why-has-the-rea...

[6] https://github.com/facebook/facebook-sdk-for-unity/issues/58

[7] https://forum.unity.com/threads/read_phone_state-permission-...
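
An added example, not part of the thread or of any SDK named in it: a small audit that shows which library manifest pulls READ_PHONE_STATE into a build and whether the app manifest strips it with the manifest merger's `tools:node="remove"` marker. The manifests, package names and the `audit` helper are constructed for illustration, and only that one merge rule is modelled.

```python
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
TOOLS = "http://schemas.android.com/tools"
TARGET = "android.permission.READ_PHONE_STATE"

# Constructed sample manifests (hypothetical app and plugin, not real packages).
APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

ANALYTICS_PLUGIN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.analytics">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

# Same app manifest with an explicit removal rule for the unwanted permission.
APP_MANIFEST_FIXED = APP_MANIFEST.replace(
    "</manifest>",
    '  <uses-permission android:name="android.permission.READ_PHONE_STATE"'
    ' tools:node="remove"/>\n</manifest>')


def permissions(xml_text):
    """Return {permission name: tools:node value or None} for one manifest."""
    root = ET.fromstring(xml_text)
    return {el.get(f"{{{ANDROID}}}name"): el.get(f"{{{TOOLS}}}node")
            for el in root.iter("uses-permission")}


def audit(app_xml, libraries, target=TARGET):
    """Report who requests `target` and whether the app manifest strips it.

    libraries maps a label to that library's manifest XML.
    """
    app = permissions(app_xml)
    removed = app.get(target) == "remove"
    sources = [name for name, xml in libraries.items()
               if target in permissions(xml)]
    if target in app and not removed:
        sources.insert(0, "app")
    return {"requested_by": sources, "removed_by_app": removed,
            "in_merged_manifest": bool(sources) and not removed}


if __name__ == "__main__":
    libs = {"analytics-plugin": ANALYTICS_PLUGIN}
    print(audit(APP_MANIFEST, libs))
    print(audit(APP_MANIFEST_FIXED, libs))
```

Running the same check against every library manifest in a build before release catches a permission that a plugin adds without the app author having asked for it.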