I am developing an application which has a number of components, each component will be a separate Android app. The "Core" app will use content providers to offer access to the database, and reading the permissions documentation "Signature" protection is the way I want to go.
I've defined a group for my permission, mainly so my permissions would show up nicely against my own icon in the "Permissions" section of the App Info. with android:protectionLevel="normal" they show up just fine. But when I use the android:protectionLevel="signature" they disappear.
<permission-group
android:name="com.example.permissions.GROUP"
android:label="#string/lblGroup"
android:description="#string/descGroup"
android:icon="#drawable/ic_menu_permissions_group" />
<permission
android:name="com.example.permission.CONFIG_READ"
android:permissionGroup="com.example.permissions.GROUP"
android:protectionLevel="signature"
android:label="#string/lblConfigRead"
android:description="#string/descConfigRead" />
<permission
android:name="com.example.permission.CONFIG_WRITE"
android:permissionGroup="com.example.permissions.GROUP"
android:protectionLevel="signature"
android:label="#string/lblConfigWrite"
android:description="#string/descConfigWrite" />
Given that I am currently developing and, therefore using the developers key, are there some other hoops I need to jump through in order to get the "signature" protection level to work for developers?
As always many thanks for your help
Steve
But when I use the android:protectionLevel="signature" they disappear.
That is because the user does not need to approve them. Signature-level permissions are automatically granted and denied based upon the signatures of the apps.
are there some other hoops I need to jump through in order to get the "signature" protection level to work for developers?
It already works, for your own apps. If "developers" are third parties, you cannot use signature-level permissions, as they will be signing with their own signing keys.
Related
I installed a new application to release it to the play console. I installed Apk. First, I uploaded it to the open beta channel, but it always seems to be under review.
Later, after installing each apk, I get an e-mail about application permissions, they say that they do not comply with their privacy and sensitivity policies.
These appear in the permissions required by apk on the play console:
android.permission.ACCESS_NETWORK_STATE, android.permission.INTERNET, android.permission.READ_EXTERNAL_STORAGE, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, com.google.android.c2dm.permission.RECEIVE
This is the content of mail:
Requested permissions do not match core functionality of the app
You declared Select Carrier Services and Device Automation as the core functionality of your app. However, after review, we found that your app does not match the declared use case(s). Learn more about permitted uses and exceptions.
Please either:
Make changes to your app so that it meets the requirements of the declared core functionality or,
Select a use case that matches your app’s functionality
Sensitive permission
Your app does not qualify for use of the requested permissions. Permission requests should make sense to users. You may only request permissions that are necessary to implement critical current features or services in your application. You may not use permissions that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes.
This is the my AndroidManifest.xml and permissions:
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
If anyone has an idea or can help I would be very glad.
Although I changed it 8 times and installed the apk, I did not get approval for how many days and I constantly receive the mail I sent the content above, every time I send an apk..
code from cloud-messaging/android/client#manifest
<permission android:name="<your-package-name>.permission.C2D_MESSAGE" android:protectionLevel="signature" />
<uses-permission android:name="<your-package-name>.permission.C2D_MESSAGE" />
Because google says so? :)
It is so that the app declares a dependency which is then auditable and viewable by the user. And if you are wondering why some permissions must be explicitly requested and how it is decided which permissions are dangerous and which not (and hence should be explicit) -- that's a call that Google, as the owner of the Android platform, has made. Obviously, those choices are driven by adoption rates, a component of which is consumer's demand for transparency, so there's a loose feedback from app users into those choices but ultimately Google makes such decisions opaquely. We can only guess.
Android permissions are listed here:
Manifest.permission http://developer.android.com/reference/android/Manifest.permission.html
In AndroidManifest.xml at https://android.googlesource.com/platform/frameworks/base/+/master/core/res/AndroidManifest.xml, there are few extra permissions that are not listed in the Manifest.permission.
These hidden permission come with the #hide in thir description in AndroidManifest.xml.
Why there permissions are hidden?
Can these permissions still be used by applications if it is allowed for third party applications?
Those type of permissions are for core system applications (from manufacturers) and/or low-level enough to be AOSP-specific.
Example:
<!-- #hide Allows low-level access to tun tap driver -->
<permission android:name="android.permission.NET_TUNNELING"
android:permissionGroup="android.permission-group.SYSTEM_TOOLS"
android:protectionLevel="signature" />
This permission is reserved for Android's AOSP source code. It falls under SYSTEM_TOOLS permission group and can only be used when signed with the same signature as the OS.
The API team simply decided not to expose this permission, and I doubt anyone (except core system applications) can use them or even declare them be using them -- hidden APIs = private APIs.
Can somebody give me an example on how could I use the Firefox for Android content provider for getting a list of the links in my app history?
Thanks!
Firefox's ContentProvider is not accessible to third party applications. Here is the permission declaration from the manifest:
<permission android:name="#ANDROID_PACKAGE_NAME#.permissions.BROWSER_PROVIDER"
android:protectionLevel="signature"/>
A protectionLevel of "signature" means that the permission is only available to apps that are signed with the same key. Unless they change this, there's no way for your app to access the ContentProvider.
Consider this as a wiki question.
While I setup my project to support Map V2, There has been a step to add MAPS_RECEIVE permission.
<permission
android:name="com.example.mapdemo.permission.MAPS_RECEIVE"
android:protectionLevel="signature"/>
<uses-permission android:name="com.example.mapdemo.permission.MAPS_RECEIVE"/>
Why we creating and consuming the permission from the app itself?
Is that google play services app interact using this permission ?
This permission can't takes care of these things?
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>
I thought the use of custom permission is to allow other apps to launch/use our app's services/resources.
For future visitors:
This permission is now completely unnecessary. The latest update of
Google Play Services 3.1.59 made it useless. As a result, it can be
removed.
source
This is the same pattern you see when using Google Cloud Messaging (GCM) with its C2D_MESSAGE permission. The idea is to protect an endpoint in your application (e.g. a broadcast receiver) so that some other component (presumably part of the Maps API) can contact it securely (otherwise, another application could impersonate your application by using the same intent filter).
In this case, then, Maps API internally sets up such an endpoint (transparently to you) and can, with the use of this permission, that this endpoint cannot be impersonated (because to do so would require the permission, which is protected by your application signature).
This permission specifies your package name.
i.e.
<permission
android:name="package_name.permission.MAPS_RECEIVE"
android:protectionLevel="signature"/>
<uses-permission android:name="package_name.permission.MAPS_RECEIVE"/>
thus, the google API simply allows your project to recieve the map.
The permission tells where to use the API.
I found that this permission is still needed when using the debug certificate. When I exported and signed my application it worked fine, but it wouldn't work when I used the debug cert. I have the MD5 for both my debug cert and application cert associated with the same key. When I finally added these extra permissions, it worked. I am using a Moto X running 4.4 with everything up to date.