Custom permission for the app
I recently read about custom permissions for our app in android.
uses-permission
understandable. It contains the permission your app will need to access some user data or device functions, etc. And for the right job.
Now we go to the element permission
. It declares permissions that an action or service may require for other applications to consume your application data or logic
Now, let's say I use a permission tag in my application manifest file, like this:
<permission android:name="my.pkg.CUST_PER"/>
This will mean that my application can have this possible resolution.
And apply this permission using it in your Activity tag like this:
<activity
android:name=".MyApp"
android:permission="my.pkg.CUST_PER">
Now, as per my understanding, only apps that have requested my specified permission will be able to access my secured app components.
If another application tries to access these components without my special permission, what happens? I think it should crash and it will be visible in the logcat as:
SecurityException: Missing permission: my.pkg.CUST_PER
If so, isn't this a security breach?
How can I protect my app data under these circumstances?
source to share
use-permission is clear. It contains the permission your app will need to access some user data or device functions, etc. And for the right job.
<uses-permission>
means that your application wants to keep the permission specified in the item <uses-permission>
. What is protected by this permission is up to other developers. In some cases, it can protect certain things that allow you to "access some user data or device functionality."
This will mean that my application can have this possible resolution.
No, it is not. It just defines a new resolution. It does not indicate that your application or any other application has any other relation to resolution.
Now, as per my understanding, only apps that have requested my specified permission will be able to access my secured app components.
More precisely, only applications with an item <uses-permission>
can claim access to a protected component. In addition, as Mr. Orlowski points out , protectionLevel
in <permission>
specifies whether user acceptance (a protectinoLevel
from normal
or dangerous
) is accepted if the application is to be signed with the same signatures as the application that protects itself with permission (a protectionLevel
of signature
), or if the application needs to be installed in section /system
(a protectionLevel
of system
).
If another application tries to access these components without my special permission, what happens? I think it should crash and it will show in the logcat as: This permission is required: my.pkg.CUST_PER
Right.
If so, isn't this a security breach?
Not particularly.
How can I protect my app data under these circumstances?
Don't reveal it in the first place. the full and whole point behind android:permission
is that you want other applications to access the data, subject to user acceptance, signature, etc. If you do not want other applications to access the data, do not export the component. For actions, services, and manifest-registered sinks, this is usually done without having <intent-filter>
. For elements, <provider>
you must manually assign a android:exported
value to the attribute false
.
source to share
How can I protect my app data under these circumstances?
You should read the whole docs as android:protectionLevel
there is exactly a solution to this problem and is explained here:
https://developer.android.com/guide/topics/manifest/permission-element.html#plevel
source to share