Following the manifestation file https://android.googlesource.com/platform/frameworks/base/+/master/core/res/AndroidManifest.xml, we have some protection levels of permissions, such as
signature|system|development, signature|system, system|signature, signature|development|appop, signature|privileged, signature|installer, signature. I know that the permissions with ".|system|." are used only for the system/manufacturer applications. But for "signature", "signature|development|appop" levels, I wonder whether a third-party application can get the certificate to use them? Because I saw that Facebook has the permission "Battery_stats" in its list of permissions. I tried to find the information to confirm this question, but found no clear confirmation.
Related
this is regarding new permission changes. So, in the previous build, we needed SMS and call permission so we filled a form while uploading to play store and those permissions were in the manifest. But, now we have removed that permission. It is still showing that older declared permission. There is no way to edit declaration form that we don't have those permissions now.
And it wants us to select a core functionality.
this is the error we are seeing:
Declare sensitive permissions
All apps requesting to use sensitive permissions, such as SMS or Call Log permission groups, must complete the Permissions Declaration Form. Failing to report any app functionality that uses these permissions can lead to app suspension.
We don't allow these permissions to be used for contact prioritization, affinity profiles, or social graphs.
If you're using SMS or Call Log permissions for account verification, sharing content, or initiating a text message or phone call, you can use alternative methods to get the same functionality. Learn more
Previously declared permissions (3 permissions)
You do not have to edit Declaration form. What is perhaps happening here is you are directly releasing (permission free app) to Production Mode while your Internal Release or Alpha or Beta still has an apk which requires permission. PlayStore Review mechanism does not distinguish between mode of APKs and keep rejecting updates if it finds an active APK which has sensitive permissions. I would suggest you to first upload your new APK to Internal Test and then promote it to Aplha/Beta and then to Production. This will solve your problem and you would not be getting the Declaration form again.
Get all the tracks to the same version
I can't seem to find it in the Manifest.permission page on the Android developer website. I see GET_TASKS but it's deprecated.
As per #CommonsWare's answer:
REAL_GET_TASKS is a signature-level permission; it cannot be held by ordinary Android SDK apps.
Also a comment by #Gürol'Ca on his answer:
GET_TASKS was a 'normal' permission which can be requested by 3rd party applications. However, REAL_GET_TASKS's protection level is signature or system which cannot be requested by 3rd party applications.
When checking the official documents about < permission > - android:protectionLevel:
"signature"
A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.
Wasn't able to find a totally clear description, or a doc that defines it completely in detail. But I think basing from these, it seems that it is a permission with regards to App Signing.
Cheers!
I'm building an Android app, and one of the permission I need is defined as:
android:protectionLevel="signature|system|development"
How do I get the signature protection level? Do I need to sign my application somehow?
Do I need to sign it with OEM ? (Samsung\HTC\LG)?
signature means that to be able to get access to the resource, your app have to be signed with the same certificate that the holder of the permission. If this is not your app you are trying to connect to, then you basically are out of luck. If that's system one then you are out of luck even more, This is documented here:
"signature"
A permission that the system grants only if the
requesting application is signed with the same certificate as the
application that declared the permission. If the certificates match,
the system automatically grants the permission without notifying the
user or asking for the user's explicit approval.
EDIT
Im trying to read logcat file through my application. this requires
the permission android.permission.READ_LOGS
You cannot access logs on stock ROM that are not created by your application. That's introduced for security reasons, so would not make sense to let you get it just because you need it. If you build own ROM, then you can have it, but then you should know this already.
I am trying to use another third party application into my application. Basically using some of the services from third party app. But these services need custom permissions defined in the third party application. So I have added those permission in my applications manifest file.
Suppose if my application is installed before installing the third party application then it won't get those permissions and so if I try to access the services from third party app, I am getting Security exception.
Is there a way to ask for permissions again or any other suggestions.
The permissions you request in your manifest are the permissions your app will receive regardless of when it is installed. Period. The permissions granted to another application are accessible by that application only. If there is a permission you need to use, it should be in your manifest. If it is there, permission will be requested from the user upon installation.
This is actually a known limitation of custom permissions. Even if both apps where yours, the one that defines the custom permission needs to be installed first, otherwise you will get an exception. If you control both apps, you need to define it in both apps. Otherwise, there is really no workaround: a permission needs to be know to the system to be granted.
BTW, you can use a third-party permission, as long as it is not a signature permission, requiring your app to be signed with the same key.
I am new to Android and have a question regarding protection level "Signature" for permissions in AndroidManifest.xml.
The Android reference document states about "Signature" protection level:
A permission that the system grants only if the requesting application
is signed with the same certificate as the application that declared
the permission. If the certificates match, the system automatically
grants the permission without notifying the user or asking for the
user's explicit approval.
This implies that permissions which have protection level "Signature" are not available to use by normal application and can only be used Android Dev Team.
What I am wondering about is that how many applications in Android Market or on other sites can have these permissions? Like an application which is used for recording calls has android.permission.DEVICE_POWER in addition to other permissions. Is Android system really granting this permission to this application while installation?
When I tried to use the permission "READ_INPUT_STATE" (new in 2.2) I got the following error in LogCat:
06-28 09:28:34.943: WARN/PackageManager(60): Not granting permission android.permission.READ_INPUT_STATE to package com.example.wheredoyoulive (protectionLevel=2 flags=0x8444)
The same is true for permissions with Protection Level "SignatureOrSystem". There exists a caller application which has CALL_PRIVILEGED permission in addition to other permissions.
Please help me and clear my doubts.
Regards
Abhishek
I believe the purpose of the "Signature" permission level is for two applications by the same developer to be able to share data seamlessly without bothering the user. The READ_INPUT_STATE permission is not intended to be used in applications:
Allows an application to retrieve the current state of keys and switches. This is only for use by the system.
See http://developer.android.com/reference/android/Manifest.permission.html#READ_INPUT_STATE
Facebook home uses this,
once you install it you'll notice that it doesn't request ANY permissions, but explicitly requires that the facebook app be installed, this is so that the system can grant it the necessary permissions by proxy of the Facebook app.
Typically what happens is the Facebook app with advertise facilities for other apps to read your status and news feed, normally these apps would need to explicitly request permission to use them if they are signed under a different certificate or rather private key.