b63aed8 Dec 14, 2016

Application & Framework Permissions

Platform Provided Permissions

List of all platform provided permissions

Declaring custom permissions

See <permission>

android:protectionLevels

See the comprehensive official list in R.attr. Notes below:

Apk definable:

  • Normal
    • The system automatically grants this type of permission to a requesting application at installation
  • Dangerous
    • This type of permission introduces potential risk, so the system may not automatically grant it to the requesting application. On Android M (6.0, API 23), when the app's target is also 23+, this triggers a dialog for the user to grant the permission
  • Signature
    • Meaning of this depends on where the permission is defined.
      • If it is defined in the core OS (/system/framework/framework-res.apk/AndroidManifest.xml), the permission holder must be signed with the same key (the platform key used in the OS signing process)
      • If an application defines this permission, the holder must be signed with the same key as that application
    • The permission is granted automatically if the signature check passes
  • signatureOrSystem
    • See Signature and system

Other:

Platform permission holder representation

When an app is installed, the application's permissions are added to the files below. If you edit these on a rooted device the changes are ignored, and seem to be wiped (or still ignored) on reboot (tested on a 4.4.2 emulator).

The PackageManager most likely holds this information in memory, and it may be verified on boot or have more verification checks further down the protected call chains. Need to look into this more.

/data/system/packages.xml

Entry looks like

<package name="com.example.android.apis" codePath="/data/app/ApiDemos.apk" nativeLibraryPath="/data/app-lib/ApiDemos" flags="4767300" ft="154bb1bf808" it="154bb1bf808" ut="154bb1bf808" version="19" userId="10050">
    <sigs count="1">
        <cert index="0" />
    </sigs>
    <perms>
        <item name="android.permission.READ_EXTERNAL_STORAGE" />
        ...
    </perms>
    <signing-keyset identifier="2" />
</package>

/data/system/packages.list

Entry looks like

com.example.android.apis 10050 0 /data/data/com.example.android.apis default 3003,1028,1015

For info on the GIDs at the end look at Kernel Permissions
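
An added example, not part of the original notes: a small Python auditor that parses both files in the 4.4-era layout shown above, lists each package's permissions and GIDs, and flags packages whose presence or userId differs between the two files. The second package in each sample is constructed, and two points are assumptions taken from AOSP rather than from this page: the packages.list column meanings (name, uid, debuggable, data dir, seinfo, GIDs) and the GID names.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the Android 4.4-era layout shown above (not real device data).
PACKAGES_XML = """<packages>
  <package name="com.example.android.apis" codePath="/data/app/ApiDemos.apk" userId="10050">
    <perms>
      <item name="android.permission.READ_EXTERNAL_STORAGE" />
      <item name="android.permission.INTERNET" />
    </perms>
  </package>
  <package name="com.example.only.in.xml" codePath="/data/app/Other.apk" userId="10051" />
</packages>"""
PACKAGES_LIST = """com.example.android.apis 10050 0 /data/data/com.example.android.apis default 3003,1028,1015
com.example.only.in.list 10052 1 /data/data/com.example.only.in.list default none
"""
GID_NAMES = {1015: "sdcard_rw", 1028: "sdcard_r", 3003: "inet"}  # assumed: subset of AOSP GIDs

def parse_packages_xml(text):
    """Map package name -> {"uid": int, "perms": sorted permission names}."""
    pkgs = {}
    for pkg in ET.fromstring(text).iter("package"):
        perms = sorted(item.get("name") for item in pkg.findall("./perms/item"))
        uid = pkg.get("userId") or pkg.get("sharedUserId")  # shared-UID apps use the latter
        pkgs[pkg.get("name")] = {"uid": int(uid), "perms": perms}
    return pkgs

def parse_packages_list(text):
    """Assumed columns: name uid debuggable dataDir seinfo gids ("none" when empty)."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip blank or truncated lines
        name, uid, debuggable, _data_dir, _seinfo, gids = parts[:6]
        gid_list = [] if gids == "none" else [int(g) for g in gids.split(",")]
        pkgs[name] = {"uid": int(uid), "debuggable": debuggable == "1",
                      "gids": [GID_NAMES.get(g, str(g)) for g in gid_list]}
    return pkgs

def cross_check(xml_pkgs, list_pkgs):
    """Report packages whose presence or UID differs between the two files."""
    findings = []
    for name in sorted(set(xml_pkgs) | set(list_pkgs)):
        a, b = xml_pkgs.get(name), list_pkgs.get(name)
        if a is None or b is None:
            findings.append((name, "missing from packages." + ("xml" if a is None else "list")))
        elif a["uid"] != b["uid"]:
            findings.append((name, "userId mismatch"))
    return findings
```

Run against copies of the two files pulled from a device, an empty cross_check result means they agree on package set and UIDs; any finding points at a stale or hand-edited file.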