I know that this is not the first Thread about this permission, however the other ones aren't finished or don't help me.
What I need is to inflate KeyEvents using Instrumentation. That works great and is insanely faster than the shell ("input keyevent ") method. But if I want to inject to other apps I catch a SecurityException. That didn't surprise me to much so I added <uses-permission android:name="android.permission.INJECT_EVENTS" /> to my manifest. Eclipse stops to debug this telling me that only system apps can use this permission. So I compiled using the signed apk tool and pushed that apk to /system/app. Rebooted, and guess what
W/PackageManager( 3499): Not granting permission android.permission.INJECT_EVENTS to package com.<....> (protectionLevel=2 flags=0x8be45)
The app is targeted for only one special device. So I know all the specs and it is rooted. But su injection-commands take to long and SuperUser is required. I would love to do that with Instrumentation or maybe there is something else I should try?
The firmware is not written by me, so I don't have the platform key.
Thanks for your help!
EDIT: Got the platform keys (The dev used the normal Google ones), signed and aligned, then pushed the apk to /system/app. Also added android:sharedUserId="android.uid.system" to my manifest. On Boot there is no longer the logcat message. However when I want to send the keysync I still catche the SecurityException. Any ideas?
EDIT2: Here is an excerpt from ps. Seems like the package ist not listed as system
u0_a108 5241 2399 492044 48968 ffffffff 40113ab0 S com.mypackage
Update Use the signtool located here, then go ahead and read on in my blog.
Ok, I got the right platform-keys and it works like a charm now! I signed using http://forum.xda-developers.com/showthread.php?t=1125626
and replaced (renamed the sign.... to testkey....) the testkeys inside signare folder with
signapk-key.platform.x509.pem
signapk-key.platform.pk8
(Google for them)
Also make sure to zipalign and then to copy to /system/app. Installing the .apk the normal way is NOT possible as it is flagged as System app.
Related
I have an app that needs to be able to read all the voicemail on the device, which requires the com.android.voicemail.permission.READ_VOICEMAIL permission. It's a system-level permission, and I can't figure out a way to grant that permission to my app.
I already had my app successfully get root access, and I can run commands as "su", but when I try to run pm grant com.my.app com.android.voicemail.permission.READ_VOICEMAIL, I still get an error. Is there anyway to get this done?
Alternatively, I know that moving my app to the /system/priv-app/MyApp/MyApp.apk should solve this problem, but I'm having issues doing that on Android 13. I tried doing it on LineageOS 20, and after rebooting, it would boot-loop (until I started in Recovery, and manually deleted the APK from the system partition). There used to be a Magisk module called App Systemizer that would do this cleanly, but it's my understanding that it no longer works on Android 12 or 13
I still don't know how to do this using any root commands, but I figured out how to properly move my app to /system/priv-app, which automatically gives it all system permissions.
In addition to just moving the APK there, you need to also create a permissions file with your app package name in /system/etc/permissions. Here's an example of my com.my.app.xml:
<?xml version="1.0" encoding="utf-8"?>
<permissions>
<privapp-permissions package="com.my.app">
<permission name="com.android.voicemail.permission.ADD_VOICEMAIL"/>
<permission name="com.android.voicemail.permission.READ_VOICEMAIL"/>
<permission name="com.android.voicemail.permission.WRITE_VOICEMAIL"/>
</privapp-permissions>
</permissions>
I have access to an Android tablets' platform key and certificate. I'm attempting to build an app and install it with system level privileges by doing the following:
Create a Java KeyStore file with platform.pk8 and platform.x509.pem using the bash script called platform_import_keystore found on GitHub.
In AndroidManifex.xml add the following:
<uses-permission android:name="android.permission.READ_LOGS"/>
android:sharedUserId="android.uid.system"
Sign APK with PLATFORM key and certificate using a Java KeyStore file in Android Studio.
Install APK
When the app runs, the system denies READ_LOGS permission.
Why isn't my app running with system level permissions?
What #Mark mentions is correct to some extent, for system apps.
I think you are doing something else wrong.
I have tried this with system apps as well, and as long it was signed with the platform keystore, it works. Now this was on Android 8 and Android 9. You haven't mentioned the AOSP version running the device.
That changes things AFAIK, so if it's AOSP 10+, it might behave differently.
Also the other comments are missing another key thing SELinux. SELinux is not permissive for user builds. Verity is enabled, and you cannot have root access. So you cannot push the app into /system/priv-app/ or push it into /vendor/app/.
You cannot access system resources without proper SE Policy files. You can check the logs yourself, to see avc denied messages.
I think overall what you are seeing should be inline with AOSP's security ideals. An app signed with System keys should not be able to get system permissions. It also needs to be located in the correct place, either as a privileged app or vendor app. Such apps need to be whitelisted. There's a built in script in AOSP source to even generate the permissions for whitelisting (it produces the required xml)
There's two classes of system apps, /system/app/ and /system/priv-app/
The privileged apps are the only ones that get signature level permissions, and according to newer versions of android, you need to enable whitelisting in the /system/etc/priv_app-permissions_device_name.
If you make any changes to the system or vendor when verity is enabled, firstly they are mounted read only, but somehow if you do make a change, the device will brick itself. This is the security feature. All custom development needs to be done in userdebug builds with SELinux in permissive mode, and then all the permissions need to be predefined, SE Policies fine tuned to utmost minimal, only then the user build can function normally. User build is not at all suitable for AOSP development activities, even if it's just for testing or trying out a single app.
User build is production type build that the end user can use and is not for development. It's the most secure form of android, so if you have platform keys, it may never be enough.
All that being said, I'm sure you don't have the right keys. Just pull an app from system/priv-app/ and use keytool or similar to check it's signature, and then try to match with your release apk.
It's little complicated as it is, and kind of hard to explain and there are levels of permissions also in android, so if you aren't following a specific approach/path, you will not be able to get it to work.
I want to add this permission to my Android manifest:
<uses-permission android:name="android.permission.MODIFY_PHONE_STATE" />
But after I paste this permission in my manifest, it tests red underline and says:
permission is only granted to system apps
What can I do?
MODIFY_PHONE_STATE permission is granted to system apps only.
For your information, there are 2 types of Android apps: system & user
User apps are just all your normal app installations through the Google Play Store, Amazon Appstore or sideloading. These go into the /data partition of your Android phone, which is the part of the internal memory made available for user data and apps.
System apps are basically the apps that come pre-installed with your ROM. In a standard Android user environment, the user doesn’t have write access to the /system partition and thus, installing or uninstalling system apps directly isn’t possible.
In order to install an app as a system app on your Android device,
your device must either be rooted or have a custom recovery installed (or both).
That being said, that error is actually wrong because you have a valid code and compilation should work. It would be better if it gave a warning instead. In Eclipse you can easily fix it. Just go to:
Window -> Preferences -> Android -> Lint Error Checking.
Find ProtectedPermission from the list and set the severity to something other than error(info for example). This way your project will still compile.
MODIFY_PHONE_STATE is a system-only permission. System Apps are either pre-installed into a system folder or compiled by a manufacturer using their security certificate.
Hence, if you are trying to do this you are trying to use API which are no longer supported. With Android versions 2.3+ you can monitor incoming calls, but blocking is not allowed (i think from the link you posted thats what you're trying to do).
Android issues if you need to follow: Issue 15022 and Issue 14789
This error appears in SDK 19 onwards, when you change the manifest.
Do Project Clean and Build.
It should clear this error.
just clean your project it will be fine like this :
project > Clean...
There are four types of Permission
Regular
Dangerous
Signed
Signed or System
The first two can be used by Simple Apps Other two can only be used by the app which is build in framework
Because this is the system level permission device developer not grant this so application development tools also warn against this so you have to
Simply Clean project & Rebuild this is it
Find ProtectedPermission from the list in
Window -> Preferences -> Android -> Lint Error Checking.
and set the severity to something other than error(info for example). This way your project will still compile.
I am building an app that will be bundled on an android device as a system app. The manufacturer is a ways out on delivering the device to us, so in the meantime I'd like to grant my app system level permissions in the emulator so I can work on an auto update feature that will do silent installs of APKs without any interactions from the user. From what I've read, its my understanding that the only way to be able to do silent installs on android is if your app is signed with the same cert as the OS. So how can I simulate this in the emulator?
If you want a signatureOrSystem permission, you just need to be placed on the system image; you don't need to be signed with any special cert. You can do this as a one-off (until you exit the emulator) like this:
> adb root
> adb remount
> adb push /path/to/My.apk /system/app/My.apk
Once you have done that, you can use the normal process to install further updates on the data partition ("adb install -r /path/to/My.apk" which is what the developer tools do when you run from Eclipse). When installing this way, the app retains any signatureOrSystem permissions it had requested from the original version on the system image, but can not gain any new such permissions.
If you need pure signature permissions, you need to sign your app with the same cert as whatever is declaring those permissions (typically the core framework, but the media system is a separate cert etc). If you are requesting signature permissions you don't need to be installed on the system image, you can just install it as a normal app and it can still get the permissions because of the signing.
As far as I can tell, you need to:
download the Android source and build an emulator firmware image.
sign your application with the keys in the Android source tree at /build/target/product/security/.
add android:sharedUserId="android.uid.system" to your application's manifest.
run your application on an emulator using the image built in step 1.
The reason for having to build your own firmware image is so that you can get at the keys. Now, it might be possible that the keys for the standard emulator image are available somewhere, which will save you the long and exceedingly tedious process of building your own Android, but I'm afraid I have no idea where these might be.
Disclaimer: never tried this myself.
Installing a simple HelloWorld asks for permission to write to external storage, why? I have not added any request in my manifest? Looking in the logs I see "I/PackageParser(15463): Implicit adding android.permission.WRITE_EXTERNAL_STORAGE to old pkg". I am compiling for Android 1.6 and installing on an Sony Ericsson X10. How do I avoid the request since my HelloWorld does not need any of those permissions and any user might be scared away due to shady permissions?
Installing a simple HelloWorld asks for permission to write to external storage, why?
Because either you do not have a <uses-sdk> element in your manifest or its android:minSdkVersion is set to 3 or lower. See this previous SO question for more.