I am going through the documentation for the contentprovider "exported" attribute here
Can someone pleas explain what does this statement mean :
You can set android:exported="false" and still limit access to your provider by setting permissions with the permission attribute
I always thought with exported=false, none of the external apps can access the provider. But the above statement seems contradictory.
Thanks,
Your understanding of exported = false is right. It will block access to the contentProvider to everyone.
However, with right permissions (read/write) you can create 'exceptions' so that only apps with permissions will be able to access the content Provider even if it is blocked for every other app.
also, read this question
I think that is just a typo. And what it means is that you can 'allow access' by setting it to true and that you can use permissions to limit what applications can access the content provider.
I'll look into this, since I help teach this material... (will update)
Related
How can we ensure that certain applications are not able to access my data stored in content provider where in certain other applications can access that? Basically I need to allow some application of my interest to access my data stored in Content Provider but I do not want all the applications to be able to access that data. How can I achieve this?
Thanks.
The easiest way is to protect the content provider with a permission you define. Make it a signature a permission so only apps signed with your certificate are allowed to get it.
See:
http://developer.android.com/guide/topics/security/security.html
http://developer.android.com/reference/android/R.styleable.html#AndroidManifestProvider
http://developer.android.com/guide/topics/manifest/provider-element.html
If doing this based on certificates is not sufficient, you will need to write the permission checks yourself. This is done by calling Binder.getCallingUid() for incoming calls to your applications, and deciding whether the given uid has permission to access your provider. Actually implementing a different policy that is actually secure requires a lot of careful thought and design, though.
In the AndroidManifest.xml, at the screen with the properties of your ContentProvider, you have two fields:
Read Permission
WritePermission
So, you can define secure strings (also it may be path to some file) that are permissions for acces to your ContentProvider.
Applications that want to access your content provider must have that ones added in their UsesPermission elements.
In creating a mobile application for Android, I am dealing with a SQLite database which requires a ContentProvider. The ContentProvider is used for adding, update, reading, or deleting data from the database.
I read http://developer.android.com/guide/topics/manifest/provider-element.html but I did not find any further information what it means, especially for working with databases.
I have seen some manifests that define the following provider:
<provider
android:name="main.ContentProvider"
android:authorities="main.ContentProvider"
android:multiprocess="true">
</provider>
What does it mean to have multiprocess set to true? Does that mean many database queries will be handled simultaneously? And if I set it to false, what happens then?
Thx.
An Android framework engineer said "Don't use this attribute"
https://groups.google.com/forum/#!topic/android-developers/u9UMJtALSXw
Don't use this, it is some old cruft from pre-1.0 design that doesn't
work and should be ignored these days. Just pretend like the
attribute doesn't exist. :}
-- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email
to android-d...#googlegroups.com To unsubscribe from this group, send
email to android-developers+unsubscribe#googlegroups.com For more
options, visit this group at
http://groups.google.com/group/android-developers?hl=en
-- Dianne Hackborn Android framework engineer hac...#android.com
Don't use android:multiprocess="true".
Not only does it passively not help you, but it even actively causes other problems. For example, if you have android:multiprocess="true" then android:process=":something" doesn't start in a new process.
I'm working on an old project of my company and want to look up the manifest for unused components. Doing this I found the permission android.permission.WRITE_OWNER_DATA in manifest file, but I don't know for what reason the app does need it.
Every documentation I found says that this permission "Allows an application to write (but not read) the owner's data." That's okay, but I want to know for what API / method I need the permission so I can look up the existing code, if I need it!
Thank you for your help!
Greetings,
Jamic
I don't think you need the permission nowadays, the only reference I found is in some old android versions' contact provider; the permission was removed in version 9.
Is there a way to get the user's first name or entire name? I mean the user of the phone
does it require special manifest permissions?
Yep, starting in ICS you can read the profile of the device owner (which requires the READ_PROFILE permission):
http://developer.android.com/reference/android/provider/ContactsContract.Profile.html
Specifically the DISPLAY_NAME column should have their name. Or you could look up the StructuredName data item to get their GIVEN_NAME:
http://developer.android.com/reference/android/provider/ContactsContract.CommonDataKinds.StructuredName.html
What exactly do you mean? You may be able to access the name in certain ways:
You can try to access their information stored in a Google account, requiring the GET_ACCOUNTS permission
You could, as Vinayak.B suggested, try to glean the info from the contacts, requiring the READ_CONTACTS and the READ_PHONE_STATE permission, although I think this is a hit-or-miss option.
There is also a READ_PROFILE permission, which I think is an interesting way to go, but I don't have any experience with that, so I can't tell you whether or not it's a fruitful venture.
I would try the GET_ACCOUNTS option first, since they must have a Google account to download your app. It also seems a little less invasive to me
I really hope this answers your question, but if it doesn't, you really need to provide more information.
Do you mean from device Contact list? if yes, get the source code and which permission from here : http://tutorials-android.blogspot.in/2011/11/how-to-call-android-contacts-list.html
For instance, let's take android.permission.GET_PACKAGE_SIZE.
Searching for this string in Android 1.6 *.xml source files only points to a single application that uses it, frameworks\base\tests\AndroidTests.
So the next step is to search through the .java files in a hope that I'll eventually find the code that might look like it queries for package size.
Is this the supposed way of discovering permission use?
The Manage Applications UI uses the API protected by this permission. It probably doesn't request the permission in its manifest because it runs as the system user ID so is implicitly getting the permission.
For applications in general, yes you can look at their AndroidManifest.xml to find the permissions. This is complicated by shared user IDs, which allow multiple applications to run as the same uid, and thus share permissions; any such app requesting a permission grants that permission to all such apps. The settings app, which has the Manage Applications UI, uses the "system" shared user ID so gets all such permissions available to the system.
Generally speaking, you find out what permissions you need because they are referenced from APIs you want to use, normally in the docs, occasionally by exceptions.
Conversely, if a given permission is not cited in the docs, except where it is named (e.g., on Manifest.permission), then it is probably a system permission that you are ineligible to hold unless you are working on alternative firmware.
And, if you are working on alternative firmware, you'd be well-versed in searching the source code. I use Google Code Search, personally, such as this search for your desired permission.
So, in the case of GET_PACKAGE_SIZE, the only place you find it in the docs is in Manifest.permission, and the only place the source code requires it is in a non-SDK method, so I suspect you cannot hold it.
Just check the docs.
GET_PACKAGE_SIZE : Allows an
application to find out the space used
by any package.
http://developer.android.com/reference/android/Manifest.permission.html
EDIT
I may have mis-understood the question. If you want to know what code is using a permission value. Then you will in fact have to dig through the source yourself.