I want to learn how to create a main application and its associated key application. The problem is I don't know how to make key application broadcast mainapp.action.VALID into main app.
#MainApp
<permission
android:name="mainapp.permission.CHECK_RESULT"
android:protectionLevel="signature" />
<application>
<receiver
android:name=".ResponseReceiver"
android:permission="mainapp.permission.CHECK_RESULT" >
<intent-filter>
<action android:name="mainapp.action.CHECK_OK" />
</intent-filter>
</receiver>
#KeyApp
Intent i = new Intent();
i.setAction("mainapp.action.CHECK_OK");
context.sendBroadcast(i, "mainapp.permission.CHECK_RESULT");
The result is, intent is rejected: it requires mainapp.permission.CHECK_RESULT permission. But If I remove the permission, mainapp.receiver.ResponseReceiver can receive the intent and also can confirm that both app use the same signature.
What do I miss here?
As nandeesh indicates, you need the corresponding <uses-permission> element in your KeyApp, saying that KeyApp requests the mainapp.permission.CHECK_RESULT permission.
Also, AFAIK, your second parameter to sendBroadcast() will require MainApp to also have the <uses-permission> element for mainapp.permission.CHECK_RESULT. If that is not your intent (pun intended (nested pun intended (oh, no! infinite pun recursion!))), I would drop that second parameter on the sendBroadcast() call.
Related
So I have 2 apps - A and B.
In A i have a BroadcastReceiver. In the receiver tag (manifest file) I specify an android:permission string (let's say com.example.app.SEND). Now B cannot send broadcasts to A anymore. Makes sense!
So what do I have to do in order for B to send broadcasts to A ? In B's manifest, I specified uses-permission tag with android:name set to the same string (com.example.app.SEND) as the receiver's android:permission but still the broadcasts won't go from B to A.
What am I doing wrong ? Or is there something else that needs to be done ?
-- Update --
Here's my app A's receiver tag:
<receiver
android:name="com.example.app.MyReceiver"
android:enabled="true"
android:exported="true"
android:permission="com.example.BReceiver.SEND" >
<intent-filter>
<action android:name="com.example.BReceiver" />
</intent-filter>
</receiver>
And here's the uses-permission tag from my B's manifest:
<uses-permission android:name="com.pycitup.BReceiver.SEND" />
So I'd to set a custom permission for the same string like this in B's manifest:
<permission android:name="com.pycitup.BReceiver.SEND" />
Was quite straight-forward and simple. Just required a bit of reading across the web.
From B create an intent and set the action to your broadcast receivers name.
Intent myintentB=new Intent();
myintentB.setAction("com.example.app.SEND");
sendBroadcast(myintentB);
This should technically hit your receiver.
Hi I am working on soft keyboard.
I am getting exception of permission when I am accessing my service
class from my simple activity class.
Stack Trace of exception is shown below,
In above image InputServiceMethod class = Underlined by Green color.
Activity class = Underlined by Blue color.
I am getting this exception when I am calling InputServiceMethod class
from activity class.
For this I used the below code which gives me exception,
Intent intent = new Intent(v.getContext(),SoftKeyboard.class);
startService(intent);
finish();
My manifest file as shown below,
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.android.softkeyboard"
android:installLocation="preferExternal">
<uses-permission android:name="android.permission.VIBRATE" />
<!-- <permission android:name="android.permission.BIND_INPUT_SERVICE" -->
<!-- android:exported="true"></permission> -->
<application android:label="#string/ime_name">
<service
android:name="com.example.android.softkeyboard.SoftKeyboard"
android:permission="android.permission.BIND_INPUT_METHOD"
android:exported="true">
<intent-filter>
<action android:name="android.view.InputMethod" />
</intent-filter>
<meta-data
android:name="android.view.im"
android:resource="#xml/method" />
</service>
<activity
android:name="com.configuration.Configuration"
android:label="#string/title_activity_configuration" >
</activity>
</application>
I don't understand as even if I give permission about BIND_INPUT_METHOD it is throwing exception.
How to fix it? Thanks
It looks like you are binding service to action android.view.InputMethod while it is protected by permission android.permission.BIND_INPUT_METHOD which is used to ensure that only the system can bind to it by its protection level. So According to Android you can only define the keyboard handling service but can't call it explicitly, it will be called automatically by system whenever a input method is required. So there are two ways to solve it:
1. Let it be called by system, don't call it explicit, or
2. Sign your application with system's signature you are running on, which makes your application platform dependent. (Not advised if your building generic application).
Hope you understand the situation.
The permission you are using i.e:
permission about BIND_INPUT_METHOD
is only for system apps and mostly will work only on rooted devices,
it wont accept on unrooted devices.
Here is a scenario. My app has
BroadcastSenderActivity
SampleBroadcastReceiver
I am using the sendBroadcast(intent, permission) method to send out my broadcast because I would like only my SampleBroadcastReceiver to receive the broadcast message and prevent other receivers in my app from receiving the message.
Note: All receivers are registered for the same action but at the time of broadcast based on the system conditions the message will be broadcasted with varying permissions.
From the documentation I learnt that I need the following in the manifest :
Need to declare <permission android:name="com.example.MYPERMISSION"
android:label="my_permission"
android:protectionLevel="normal"></permission>
in the manifest
Have this stmt to request for the permission which is at the app level <uses-permission android:name="com.example.MYPERMISSION"/>
QUESTION -
Instead of app-level permission request how can I request permission only for a particular component in my app? eg. SampleBroadcastReceiver (see code below). Is it possible?*
What's the purpose of the <android-permission> tag which is available for all inidividual components? Can it serve my purpose ?
AndroidManifest
.........
<activity
android:name="com.example.activities.BroadcastSenderActivity"
android:label="BroadcastSenderActivity"
android:theme="#android:style/Theme.Light" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<!-- ************************************** RECEIVER ******************************************* -->
<receiver android:name="com.example.broadcastTest.SampleBroadcastReceiver"
android:exported="false">
<intent-filter>
<action android:name="com.example.ACTION_BROADCAST_SEND" />
</intent-filter>
</receiver>
<receiver android:name="com.example.broadcastTest.BroadcastReceiver_1"
android:exported="false">
<intent-filter>
<action android:name="com.example.ACTION_BROADCAST_SEND" />
</intent-filter>
</receiver>
<receiver android:name="com.example.broadcastTest.BroadcastReceiver_2"
android:exported="false">
<intent-filter>
<action android:name="com.example.ACTION_BROADCAST_SEND" />
</intent-filter>
</receiver>
public class BroadcastSenderActivity extends Activity {
public BroadcastSenderActivity() {
}
#Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
Log.d(Logger.TAG, "BroadcastSenderActivity - onCreate");
setContentView(R.layout.broadcast_tester);
Button btn = (Button)findViewById(R.id.sendBroadcastBtn);
btn.setOnClickListener(new View.OnClickListener() {
#Override
public void onClick(View v) {
Intent broadcastIntent = new Intent();
Log.d(Logger.TAG, "BroadcastSenderActivity - sending the broadcast");
broadcastIntent.setAction(com.example.ACTION_BROADCAST_SEND);
BroadcastSenderActivity.this.sendBroadcast(broadcastIntent, com.example.MYPERMISSION);
You can secure each separate component with a specific permission. This is the android:permission="..." attribute that can be applied to each component separately. This allows you to require different permissions, for example, to launch a specific Activity, start a specific Service or use a specific BroadcastReceiver. This attribute indicates that the application needs to hold the specified permission in order to use the specific component.
An application holds a set of permissions. These permissions are requested in the manifest by the <uses-permission> tags. The user is shown this list when the application is installed and the application is granted these permissions upon installation.
When you send a broadcast, usually all installed and/or registered BroadcastReceivers are able to see this broadcast. When you use the method sendBroadcast(intent, permission) the permission parameter is used to control which receivers are able to see the broadcast. However, this permission checking is also done at the application level. This means that if an application has been granted the specified permission, then all of that application's BroadcastReceivers will be able to see the broadcast.
Therefore, what you want to do is not possible using the Android permission mechanism. Because an application either has or does not have a specific permission, you cannot have fine-grained control over which components can be used by a specific application.
Hopefully this answers your question.
EDIT: Alternative suggestion:
Since this is all within a single application, you should be able to manage this yourself. Personally, I think using the Android permission framework for this is overkill. You can just add an appropriate extra to the broadcast Intent and use that for controlling access to the receivers. Or, you can define 2 different Intent actions, and use that to control access.
I have some receivers declared in my AndroidManifest :
<!-- no warning -->
<receiver
android:name=".receivers.TriggerMonitoringBootReceiver"
android:enabled="false">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</receiver>
<!-- no warning -->
<receiver
android:name=".receivers.ScanResultsReceiver"
android:enabled="false">
<intent-filter>
<action android:name="android.net.wifi.SCAN_RESULTS" />
</intent-filter>
</receiver>
<!-- warning : Exported receiver does not require permission-->
<receiver
android:name=".receivers.BatteryMonitoringReceiver"
android:enabled="false">
<intent-filter>
<action android:name="#string/intent_action_setup_alarm" />
<action android:name="#string/intent_action_cancel_alarm" />
<action android:name="#string/intent_action_monitor" />
</intent-filter>
</receiver>
The first one is meant to receive a BOOT_COMPLETED action. The second is meant to receive android.net.wifi.SCAN_RESULTS. The third one is meant to receive some actions I broadcast (intent_action_monitor) and some actions broadcasted by the AlarmManager (intent_action_setup_alarm etc).
Two questions:
Why don't I get the warning on all receivers?
What permissions do I need to set for receivers meant to receive from system services to correct the warning (I understand what it is about and I don't want anyone to use my receivers anyway) ? Will exported="false" do for boot receivers, wifi receivers, alarm receivers etc?
I thought of using a custom permission with android:protectionLevel="signatureOrSystem" but the docs advise against both this protection level and custom permissions. So how I should handle this warning ?
Links to the docs and/or some code will be much appreciated.
Why don't I get the warning on all receivers ?
Because the first two are clearly designed to be broadcast by Android. The last one is unknown, partly because you did not supply the string resource values, and possibly because they are your own unique action strings.
What permissions do I need to set for receivers meant to receive from system services to correct the warning
The correct solution is to delete the <intent-filter>. If you are broadcasting these Intents, or if you are wrapping an Intent in a getBroadcast() PendingIntent, you do not need action strings. Use the Intent constructor that takes the Java class object as the second parameter, and use that:
new Intent(this, BatteryMonitoringReceiver.class)
You are welcome to still attach an action string to that Intent, if you want, but you can dump the <intent-filter> (routing will be based on the supplied component, in this case the Java class).
Only use an <intent-filter> when you are expecting the OS or third-party apps to initiate the Intent themselves (executing a PendingIntent that you created does not count).
The warning "Exported receiver does not require permission" means, You have an intent-filter with some action (which means by default you have android:exported="true" set and it can now receive broadcasts from ANY broadcasters outside of your application) Since it can receive broadcasts from ANY broadcasters outside of your application, it warns you by saying "Hey, are you sure ANY broadcaster can invoke you? In my opinion, it is better if you allow only those broadcasters to invoke you that has the permission you have set for this receiver through android:permission"
You can remove this warning by adding android:exported="false" to the receiver tag
If you do want to export your receiver to other processes, you can add your own permission definition in your android-manifest file for avoiding this warning, like
<permission
android:name="com.yourpage.permission.YOUR_PERMISSION"
android:protectionLevel="normal" />
<uses-permission
android:name="com.yourpage.permission.YOUR_PERMISSION" />
<receiver <!-- warning : Exported receiver does not require permission-->
android:name=".receivers.BatteryMonitoringReceiver"
android:permission="com.yourpage.permission.YOUR_PERMISSION"
android:enabled="false" >
<intent-filter>
<action android:name="#string/intent_action_setup_alarm" />
<action android:name="#string/intent_action_cancel_alarm" />
<action android:name="#string/intent_action_monitor" />
</intent-filter>
</receiver>
for more information, you can refer to http://developer.android.com/training/articles/security-tips.html
If, like me, you are here because your app built with a previous SDK version stopped working with more recent versions and you would like to fix it with minimal change, just add
android:exported=false
to the receiver tag in the manifest file. The solution by CommonsWare is obviously the one to go with for the long term but this fixes the issue temporarily if you are using custom intents and don't mean to export them.
Going by Lubo's way, you would need to export this custom permission, which would prompt the user before installation. That means the descriptive text for the permission needs to be well written so you don't end up scaring the user into changing his mind about installing the app. Also, it would need to be translated into all your target languages.
To hide this warning, add tools:ignore="ExportedReceiver" to the receiver:
<receiver
android:name=".MyReceiverIndentedForOtherAppsWithoutPermissions"
tools:ignore="ExportedReceiver">
<intent-filter>
<action android:name="com.my.app.CUSTOM_ACTION" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</receiver>
I have 2 application "A" and "B"
Application "A" is signed with certificate C_A and "B" with C_B
in "A"
<activity android:name=".ActivityA" android:protectionLevel="signature" android:label="#string/app_name">
<intent-filter>
<action android:name="com.temp.packagea" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</activity>
in app "B"
Intent i = new Intent();
i.setAction("com.temp.package");
startActivity(i);
and the problem is that the application A is started with no problems from application B.
How can I protect starting activity in my app from application that are signed with the same signature as mine.
protectionLevel is not a valid attribute for an Activity tag within a manifest. The protectionLevel tag applies to a <permission> element and is used when your application is specifying a new permission (not one of the default Android system permissions).
It looks like you are trying to prevent applications from invoking an Activity (A, in your example) if they are not signed with the same certificate as the containing application. What you want to do here is to declare a new permission in the manifest (of the application containing A) by using a <permission> element and set the protectionLevel of your new permission to Signature. Then, in your manifest declaration for the Activity, use an android:permission attribute so that this new permission is required to start the Activity. For any other application that you want to be able to invoke the Activity, you just need to add a uses-permission element in that other application's manifest and specify the new permission you created. Since that permission is a Signature permission, the system will automatically grant it when the new application is installed.
Wrong usage on android:protectionLevel, should put it in permission node.