I am trying to use another third party application into my application. Basically using some of the services from third party app. But these services need custom permissions defined in the third party application. So I have added those permission in my applications manifest file.
Suppose if my application is installed before installing the third party application then it won't get those permissions and so if I try to access the services from third party app, I am getting Security exception.
Is there a way to ask for permissions again or any other suggestions.
The permissions you request in your manifest are the permissions your app will receive regardless of when it is installed. Period. The permissions granted to another application are accessible by that application only. If there is a permission you need to use, it should be in your manifest. If it is there, permission will be requested from the user upon installation.
This is actually a known limitation of custom permissions. Even if both apps where yours, the one that defines the custom permission needs to be installed first, otherwise you will get an exception. If you control both apps, you need to define it in both apps. Otherwise, there is really no workaround: a permission needs to be know to the system to be granted.
BTW, you can use a third-party permission, as long as it is not a signature permission, requiring your app to be signed with the same key.
Related
We use this SDK within our app. It's imported as its own module, and is packaged as a .AAR file. Last year, our app was removed from the Play Store multiple times for uploading contact information without displaying a prominent disclosure. This SDK was to blame for some of these removals. Our response was to remove all contact-related features from our app and to remove the READ_CONTACTS permission in both our app's AndroidManifest and the SDK's AndroidManifest. However, now we're reimplementing these contact-related features, so we can't remove this permission in our app's AndroidManifest any more. We need our app to have this permission, but the SDK must not have it.
My question is this: if our app has READ_CONTACTS permission, does that also grant this permission to the SDK? Or does the SDK's AndroidManifest need to explicitly include the READ_CONTACTS permission in order to be able to use it?
We need our app to have this permission, but the SDK must not have it.
That is not a thing, sorry.
if our app has READ_CONTACTS permission, does that also grant this permission to SDK?
Yes. There is no difference between a library and code that you typed in yourself.
I am implementing runtime permissions in my app. I have few questions though to understand them clearly.
Situation:
My application B is a child app of application A
That being said my application resides inside application A as part of it and, whenever needed I can launch it.
Question:
If a user has already granted all the necessary runtime permissions to application A (the parent app), then can the child app i.e. application B carry the same permission grant or it has to ask them again?
Do I need to ask the permissions again if I install a newer version of an app on top of the old? Let's say version 2 to 3.
Technically, yes. If app-A and app-B are two separate apps, they each need their own set of permissions and permission requests.
And no, if a permission was previously allowed, then an installation of a newer version does not reset that permission's state.
However, if you want app-B to retain the same permission states as app-A, you should look into something called android:sharedUserId. If app-A has the same sharedUserId as app-B, then app-B will have the same permission states as app-A, and vice versa.
I couldn't find any posts talking sufficiently about the shared permission states between apps with the same, but you can check out some of these posts for extra notes:
Two app with shared UserID
What is sharedUserId in Android, and how is it used?
https://stackoverflow.com/a/49492023/6668797
https://stackoverflow.com/a/8507761/6668797
I did a quick test myself and can confirm that two apps with the same sharedUserId do share permission states, so go try it yourself. Just setup a sample project/app that checks and requests a permission, clone it, give them the same sharedUserId, install both of them, allow the permission on one, and you'll see it's already in the allowed-state on the other.
I'm trying to use a custom permission created by another application (Bazaar) in my app (It's a permission to use a market com.farsitel.bazaar.permission.PAY_THROUGH_BAZAAR). Normally it works right.
But if Bazaar is installed after my application. My app won't get the custom permissions (Which are created by Bazaar) and throws exception. I want to know If anybody else has faced a similar problem and what solutions do you have to it?
This is a desired behaviour.
In the textbook, Android Security Internals: An In-Depth Guide to Android's Security Architecture by Nikolay Elenkov(2014) said:
The system can only grant a permission that it knows about, which
means that applications that define custom permissions need to be
installed before the applications that make use of those permissions
are installed. If an application requests a permission unknown to the
system, it is ignored and not granted.
BTW, permissions are assigned to each application at the install time by PackageManager, it maintains some information of installed packages, such as package name, version and permissions, these info are stored in /data/system/packages.xml. If you want to query all permissions on device, you can try pm list permissions.
I want to try some different ad providers for my android app.
Some of them want a lot permissions in the manifest which I don't always find appropriate.
(of course they all need android.permission.INTERNET since they fetch ads from their servers)
For example: Millenial Media wants android.permission.WRITE_EXTERNAL_STORAGE; a lot of other provider want android.permission.ACCESS_COARSE_LOCATION.
If I don't grant these permissions in the manifest does the app work correct anyway or could this cause problems?
And do I get ads from these providers anyway without these manifest-permissions?
Edit: it's hard to test all SDK's of the ad providers. For MoPub I know it still works if I don't give them android.permission.ACCESS_COARSE_LOCATION - and I get ads from them.
I think I will only get an Error when their SDK-Code is trying to use a Method which needs a permission - but they could catch this. So my question is more:
Do all ad providers handle this correct? And will they then refuse to send ads in general?
Edit-2:
Has anyone had errors/crashes because he didn't grant special permissions requested from the ad-providers SDK?
App will work fine but you will not get the adds.
these are compulsions , you need to add permissions in Android Manifest file .... its compulsion
From the official doc
If an application needs access to a feature protected by a permission,
it must declare that it requires that permission with a
<uses-permission> element in the manifest. Then, when the application
is installed on the device, the installer determines whether or not to
grant the requested permission by checking the authorities that signed
the application's certificates and, in some cases, asking the user. If
the permission is granted, the application is able to use the
protected features. If not, its attempts to access those features will
simply fail without any notification to the user.
This is the complete list of permissions you have to provide according to your needs
I am new to Android and have a question regarding protection level "Signature" for permissions in AndroidManifest.xml.
The Android reference document states about "Signature" protection level:
A permission that the system grants only if the requesting application
is signed with the same certificate as the application that declared
the permission. If the certificates match, the system automatically
grants the permission without notifying the user or asking for the
user's explicit approval.
This implies that permissions which have protection level "Signature" are not available to use by normal application and can only be used Android Dev Team.
What I am wondering about is that how many applications in Android Market or on other sites can have these permissions? Like an application which is used for recording calls has android.permission.DEVICE_POWER in addition to other permissions. Is Android system really granting this permission to this application while installation?
When I tried to use the permission "READ_INPUT_STATE" (new in 2.2) I got the following error in LogCat:
06-28 09:28:34.943: WARN/PackageManager(60): Not granting permission android.permission.READ_INPUT_STATE to package com.example.wheredoyoulive (protectionLevel=2 flags=0x8444)
The same is true for permissions with Protection Level "SignatureOrSystem". There exists a caller application which has CALL_PRIVILEGED permission in addition to other permissions.
Please help me and clear my doubts.
Regards
Abhishek
I believe the purpose of the "Signature" permission level is for two applications by the same developer to be able to share data seamlessly without bothering the user. The READ_INPUT_STATE permission is not intended to be used in applications:
Allows an application to retrieve the current state of keys and switches. This is only for use by the system.
See http://developer.android.com/reference/android/Manifest.permission.html#READ_INPUT_STATE
Facebook home uses this,
once you install it you'll notice that it doesn't request ANY permissions, but explicitly requires that the facebook app be installed, this is so that the system can grant it the necessary permissions by proxy of the Facebook app.
Typically what happens is the Facebook app with advertise facilities for other apps to read your status and news feed, normally these apps would need to explicitly request permission to use them if they are signed under a different certificate or rather private key.