is there any way to make an external content provider available to only one package?
for example available only to my app?
Thanks in advance.
Although its too late, I would like to share the answer which I have found,
You need to declare your own custom permission inside manifest file of content provider application like this..
<permission android:name= "com.android.testpermission" android:protectionLevel="signature" >
And inside your Content Provider tag you have to specify a permission that a client is required to have like this way...
<provider android:name=".MyProvider"
android:authorities="com.example.contentproviderexample.MyProvider" android:exported="true" android:permission="com.android.testpermission" android:multiprocess="true" ></provider>
And inside your 2nd application to access content provider data you need to specify the uses permission inside manifest file,like this..
<uses-permission android:name="com.android.testpermission"/>
Now sign both the application using same keystore signature & this way any other application can't access your content provider data. Only applications that hold those permissions & signed with same keystore signature will be able to access the provider data.
You can add permissions to the manifest declaration for the content provider. Only applications that hold those permissions will be able to access the provider.
Related
Is is possible to make content provider read-only? I know that this question was asked few times but according to all of them (eg. this) I have to write my own custom write permission.
<permission android:name="com.test.WRITE_DATABASE" android:protectionLevel="normal" />
<permission android:name="com.test.READ_DATABASE" android:protectionLevel="normal" />
//...
<provider
android:authorities="xxx"
android:name="xxx"
android:exported="true"
android:readPermission="com.test.READ_DATABASE"
android:writePermission="com.test.WRITE_DATABASE" />
But hacker could decompile my app and look inside manifest file and then he can easily write his own app with:
<uses-permission android:name="com.test.WRITE_DATABASE" />
So it's almost useless...
I have several apps to use one Content Provider inside my main application. Only this application should have write permission - other should only read from this database. Any ideas how to solve this?
See documentation about permissions here: https://developer.android.com/guide/topics/manifest/permission-element.html
Answer to your question is a android:protectionLevel property of a permission. You can set it to signature so only applications that signed with same key will be able to request this permissions.
I was trying to create a content provider serving to all Apps in system; kept getting security permission error when ran other Apps to read.
Could anyone help to show me the sample of how to compose read permission in Manifest, because I cannot access developer.android.com even by VPN in PRC...shame...thanks a lot...
To quote the developer docs:
Content Provider Permissions
A provider's application can specify permissions that other applications must have in order to access the provider's data. These permissions ensure that the user knows what data an application will try to access. Based on the provider's requirements, other applications request the permissions they need in order to access the provider. End users see the requested permissions when they install the application.
If a provider's application doesn't specify any permissions, then other applications have no access to the provider's data. However, components in the provider's application always have full read and write access, regardless of the specified permissions.
So you would need to declare a permission for the content provider in your manifest, such as:
<permission android:name="com.your.app.permission.READ_MY_PROVIDER"
android:label="#string/read_permission"
android:description="#string/read_permission_description"
android:protectionLevel="normal" />
As a child of the <application> element. The protection level should be normal if you want all apps to be able to access it, or signature if it should only be accessible by apps you have signed with the same key.
And add that permission to the provider like so:
<provider
...
android:readPermission="com.your.app.permission.READ_MY_PROVIDER"
... />
Then, request the same permission in the other apps, and they will be able to access your content provider:
<uses-permission android:name="com.your.app.permission.READ_MY_PROVIDER">
If I create a ContentProvider and want it to be available to certain 3rd party apps but not too others.
How would one go about that?
Use permissions. Read about them here:
https://developer.android.com/guide/topics/providers/content-provider-creating.html#Permissions
Then you just need to publish those permissions to only those parties you wish to allow access.
You can add permission to provider. like
<provider
android:name="com.example.app.provider.MyProvider"
android:authorities="com.example.myprovider"
android:label="#string/app_name"
android:readPermission="com.example.permission.READ_PROVIDER" />
and write your own permission into manifest
<permission
android:name="com.example.permission.READ_PROVIDER"
android:description="provider_desc"
android:label="#string/permission_access_label"
android:protectionLevel="signature" />
Write this permission to manifest of the application which want to access provider.
Where signature insures that applications (which access provider and original are signed with same certificate)
Read more about Writing your own Content Provider
I noticed that there are two types of permissions in the manifest file, "permission" and "uses-permission" like the two shown below;
<permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
for the following 4 permissions which do I use when I put them in my manifest.xml file? uses-permissions or permissions?
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.INTERNET
android.permission.CHANGE_WIFI_MULTICAST_STATE
For
<permission>
The documentation states:
Declares a security permission that can be used to limit access to specific components or features of this or other applications.
Therefore, since you are accessing Android's permissions, you want uses-permission instead. The documentation for this element states:
Requests a permission that the application must be granted in order
for it to operate correctly.
<permission> is normally used when making a custom permission (e.g. when making an app that other apps can tie in to, limiting access is a must), and <uses-permission> is used when your app actually needs a permission it doesn't have normally.
Lets start with "uses-permission...": Suppose you want to use GoogleMap in your application as an example to find a nearest location of any office such as bank or any other office. You need internet. So you need to give the permission to your android device to access INTERNET. This is done by using android permission called .
<uses-permission android:name="android.permission.INTERNET" />
Now come to "permission..": what it does is it Declares a security permission that can be used to limit access to specific components or features of this or other applications.If your application need some resources or some feature from other application, you can use by giving the specific class or package.
<permission android:name="com.example.project.DEBIT_ACCT" . . . />
Thanks. for more information, you can read
http://developer.android.com/guide/topics/manifest/manifest-intro.html
In short, the one you needed is the uses-permission statement.
Androird Document now has a dedicated page discussing these two usages.
In the Using Permissions part, it explains that
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.android.app.myapp" >
<uses-permission android:name="android.permission.RECEIVE_SMS" />
...
</manifest>
is used to declare what permissions you'd like to use.
While in Defining and Enforcing Permissions you can see that
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.me.app.myapp" >
<permission android:name="com.me.app.myapp.permission.DEADLY_ACTIVITY"
android:label="#string/permlab_deadlyActivity"
android:description="#string/permdesc_deadlyActivity"
android:permissionGroup="android.permission-group.COST_MONEY"
android:protectionLevel="dangerous" />
...
</manifest>
is used to define your own permission.
In layman terms, <uses-permission> specifies permissions your app needs to access some component restrict by another app that is the owner of that component.
<permission> specifies the restrictions you are placing on your components are the component owner.
I have a content provider and a test application both signed with a debug key. The client receives a content normally if permissions are not applied, but I want to apply permissions to the stuff. So the following lines are added into the content provider's manifest file:
<permission android:name="org.example.provider.READ"
android:permissionGroup="org.example.group.DATA_ACCESS"
android:label="#string/readonlyaccess"
android:protectionLevel="signature" />
<application
...
<provider android:name=".ImageContentProvider"
android:authorities="org.example.provider"
android:readPermission="org.example.provider.READ" />
In the client's manifest file the following line is added:
<uses-permission android:name="org.example.provider.READ" />
When I try to get the data from the provider, I get the error:
09-13 22:38:20.995: E/AndroidRuntime(13979): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.example.hello/com.example.hello.HelloActivity}: java.lang.SecurityException: Permission Denial: reading org.example.ImageContentProvider uri content://org.example.provider/file from pid=13979, uid=10040 requires org.example.provider.READ
Am I missing something, or is it related to the fact that the applications are signed by debug key? How to solve the problem? I saw a suggestion to add uses-permission to the provider as well, but this does not help either. NB. This is checked inside emulator, if this can be of any importance.
I found a related question throws SecurityException when signing with the default debug keystore, but it does not provide actual solution.
Yes, it works with debug keystores, at least the last time I tried it.
I would have the <permission> element in both apps. If you installed the <uses-permission> one first, and then installed the <permission> one, you would run into problems. The permission needs to be defined before the <uses-permission> is encountered, and the simplest way to do that is to put the <permission> in both.