Application Permissions

Paradis Perdu edited this page Feb 27, 2019 · 2 revisions

  • Before API 23, all permissions are granted at install time
  • From API 23, the user must approve permission requests at run time
  • Permissions are defined in AndroidManifest.xml

Declaring System Permission

<uses-permission android:name="PERMISSION" />

List of system permissions:

https://developer.android.com/reference/android/Manifest.permission.html

When reviewing an app, check that it actually needs each permission it declares.

Custom Permissions

https://developer.android.com/guide/topics/permissions/defining

For example, an app may want to control who can start one of its activities. Any app that uses the declared permission can call the activity.

<permission android:name="com.app.com.example.permission.PERMISSION" />

  • The system does not allow multiple packages to declare a permission with the same name, unless all the packages are signed with the same certificate
  • If a package declares a permission, the system does not permit the user to install other packages with the same permission name, unless those packages are signed with the same certificate as the first package

Protection Levels

https://developer.android.com/guide/topics/manifest/permission-element.html#plevel

The android:protectionLevel can be one of:

Value              Description
normal             Default. Low-risk permission giving requesting applications access to isolated application-level features with minimal risk to other apps or users.
dangerous          Would give access to private user data or control over the device that can negatively impact the user.
signature          Permission granted only if the requesting application is signed with the same certificate as the application declaring the permission.
signatureOrSystem  Granted only to applications that are in the system image or signed with the same certificate as the application declaring the permission.

Viewing an app's permissions

adb shell pm list permissions -s

Activity Permissions

android:exported="true"

The android:exported attribute defines whether an activity can be launched by components of other applications.

If the activity has no intent filters, the default value of this attribute is false.

If set to true, the activity is accessible to any app that knows its exact class name.

Intent Filters

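If an intent filter is declared but no android:exported value is set, the component that declares the filter is exported by default.

If a component with an intent filter is meant to be protected, android:exported="false" must be set on the component that declares the filter (the attribute belongs to the component, not to the intent-filter element).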

Broadcast Receiver Permissions

Permissions can be specified by the receiver or by the application sending the broadcast.

Receivers can limit who can send them broadcasts with the android:permission attribute within the <receiver> tag.

<receiver android:name="name" android:permission="android.permission.permission" />

Content Provider

Content providers should have permissions specified to limit access to the provider's data.

  • android:writePermission - for writing
  • android:readPermission - for reading
  • android:permission - controls both reading and writing to the content provider
  • android:grantUriPermissions - true if the content provider can be accessed with a content URI, otherwise false

If the app doesn't specify any permissions, then other applications have no access to the provider's data.

If android:grantUriPermissions="true", temporary per-URI access can be granted.
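
The checks from the Activity, Broadcast Receiver and Content Provider sections can be automated. The following Python script is an added example, not part of the original wiki page: it parses a manifest and lists components that other apps can reach without a signature-level guard. The sample manifest, package name and permission names are constructed, and the script assumes the default-export rule as described above.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest for illustration (not from a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <permission android:name="com.example.demo.permission.ADMIN" />
  <permission android:name="com.example.demo.permission.SYNC" android:protectionLevel="signature" />
  <application>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND" /></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.demo.permission.ADMIN" />
    <activity android:name=".SettingsActivity" />
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.demo.permission.SYNC" />
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"
              android:exported="true" android:readPermission="com.example.demo.permission.SYNC" />
  </application>
</manifest>"""

def audit(manifest_xml):
    """Return (component, issue) pairs for components reachable from other apps."""
    root = ET.fromstring(manifest_xml)
    # Protection level of each custom permission; "normal" is the default.
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            name, exported = comp.get(A + "name"), comp.get(A + "exported")
            if exported is None:  # default rule described on this page
                exported = "true" if comp.find("intent-filter") is not None else "false"
            if exported != "true":
                continue
            base = comp.get(A + "permission")
            # A provider can guard reads and writes separately; other components have one guard.
            kinds = ("readPermission", "writePermission") if tag == "provider" else ("permission",)
            for kind in kinds:
                perm = comp.get(A + kind) or base
                if perm is None:
                    findings.append((name, f"exported, no {kind}"))
                elif levels.get(perm) in ("normal", "dangerous"):
                    findings.append((name, f"{kind} {perm} is {levels[perm]}: any app can request it"))
    return findings

if __name__ == "__main__":
    for component, issue in audit(SAMPLE):
        print(f"{component}: {issue}")
```

System permissions (android.permission.*) are not declared in the app's own manifest, so the script does not rate them; look those up in the system permission list linked above.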