Defining custom permissions android - android

What would be the best strategy to define custom (application specific) permissions in Android?
I have an application of which part of it is accessible without requiring a login. But part of the application functionality is to be restricted to users who actually have logged in. I was trying to think of the best way to do this on Android and was thinking on the lines of defining a permission in the android manifest. But is this is the right tool for the job?
I come from a world where user permission are as easy as putting annotations on the class #admin, #manager. Nothing of that I suppose in the Android world.
Also my concern is I do not want the user to see my custom permissions while installing the app since it might just confuse/scare him for no reason.
Wanted to ask how people approach this issue? Do they just hardcode a utility method isLoggedIn() and call it before executing anything that requires permission?

I maintain a cookie when a user logs in. If that cookie is not set, I give them the un-authenticated experience. If the cookie is set, I use it to make service calls.

Related

How to access or modify Android ContentProvider?

I want to know how to modify message data, neither root nor default application in android application
Goal is block number list manager and i want to receive message of to filtered number I’ve looked BlockNumberContract api but this require permission like default sms/dialer application, carrier application Only default application(User is chosen application) will have access MMS-SMS ContentProvider when on android 4.4+ I was check to LINK
Also, If you know anything else, please let me know them
Additionally if impossible on android application level, Please another level any solutions and any ideas let me know
thanks :)
You can't. That's the entire reason they created the Default Messaging App- to prevent you from doing it. You need to be the default messaging app to do this- or at least root and directly edit the db.

Is it possible to ask for runtime permissions from a library?

We make some libraries that clients implement in their apps and now we are looking to update them to support Android 6.0 new permissions model.
My question is if there is any way to request dangerous permissions in runtime from our libraries (mostly static classes) instead of asking the client to request those permissions prior to using our libraries.
I have been messing with it but it just seems not possible for me, looks like it has to be made from an Activity which we do not have.
Am I right or is there any way to do it?
Thanks in advance.
looks like it has to be made from an Activity which we do not have.
Correct. That is because the permission-request logic depends heavily on startActivityForResult() and onActivityResult(), wrapped to handle permission requests.
Plus, requesting permissions needs to be tightly tied into the overall application flow, and a UI-less library will have no way of knowing whether it is appropriate to be attempting to request a permission at this time.
You are welcome to check whether you have the permission, via ContextCompat.checkSelfPermission(), as that has no UI. So, you might use this to check, at the entry point(s) of your library, whether you have the requisite permissions to do your work, rather than just let the SecurityException or whatever happen.
Google official library for android runtime permissions both java & kotlin
Library name: EasyPermissions
Java-library
Kotlin-library

Restrict activities or android component based on user profile

I am writing an application where, after successfull login and based on the user profile, the user can only see certain activities. For instance, if user has profilA, he can only see Activities A, B, C. If he has profilB, he can only sees Activities D,F,G.
Note that I could write 2 applications and my problem is solved easily but the requirements are the app should manage profileA and profileB.
I was thinking about custom permissions to implement this. Where each activity will be restricted with a custom permissions. For instance, Activities A,B and C would be restricted with com.myapp.permissions.profilA. And Activities D,F and G would be restricted with com.myapp.permissions.profilB.
While searching again, I have found the permission-tree element and the PackageManager.addPermission(PermissionInfo info).
The javadoc of addPermissionsays :
Add a new dynamic permission to the system. For this to work, your package must have defined a permission tree through the tag in its manifest. A package can only add permissions to trees that were defined by either its own package or another with the same user id; a permission is in a tree if it matches the name of the permission tree + ".": for example, "com.foo.bar" is a member of the permission tree "com.foo".
The idea that I have is, define a permission-tree, after successfull login, based on the user profile, "sets the custom permissions" of the application. I don't know if it's possible.
It's a similar feature when certain apps hide some admins features to their users. I am thinking of similar functionality.
Is it possible to achieve this functionality? Or do I need to think for another solution?
I am open to all propositions.
There is an easier way to go about about. In your API, create a user_code for each user so that after a successful login, you can get the user_code for the currently logged in user. Once you get the code say in the Home/Dashboard Activity, you can check if the user is allowed to access a certain activity and if they are not allowed, you can probably return an alert dialog telling them that they don't have the rights.
It seems that defining custom permissions to restrict access to certain activities is not exactly what you need. Seems to me that you're going on the wrong direction...as the documentation states...creating custom permissions is relatively uncommon...I mean permissions were designed to reduce security issues and sandbox applications from each other....the latter doesn't seem to be your case.
Anyway, it is extremely uncommon...IMHO, to create custom permissions for the mere purpose to restrict access to certain activities. Especially, because the same way you login a user and the same way you determine what a specific user is allowed to do...it's exactly the same way you can determine when to restrict access to a specific part of your app
Not really sure why you would need to rely on the permission system to do this. What I'm thinking is that you can just create logic to disable whatever features that would lead to those Activities from being launched based on the logged in profile.
If your activities don't have any filters that would allow them to be launched implicitly by another intent, then that means your app complete control over when they're launched.
Use the login result to control what you display to the user. If you wanted to, you could create two separate XML layout files. One that has buttons for A, B, and C, and the other that has buttons for D, E, and F.
Just because an Activity exists doesn't mean it's automatically displayed to the user as an "entry point". You're doing that through what you display in other activities.

Android - best practices for authorization

I am researching how to autenticate and authorize user within Android application
For autentication there is the AccountManager but I am not sure how to check whether the user is signed in or not. I know how to set up AccountAuthenticatorActivity and AuthenticatorService but I am not sure how its connected with the application.
Am I supposed to call some check on every onCreate in every activity to ensure that the user is signed in or does the service does that for me somehow?
If I am supposed to do some regular checking, what is the best practice towards where such checking should be called?
It depends on your application, really. Unless you have a requirement for very strict security, like a financial application, government application, etc. I think you could get by with a simpler approach. For example, after a user logs in (however you choose to implement this) store a value in SharedPreferences to denote the user has authenticated. From here, you could do one of the following:
If your application requires you authenticate every activity/fragment you launch, simply check this SharedPreferences value. You could also create a base activity that all your other activities extend and do your authentication check there.
If you only need to authenticate once, modify your launcher activity in your manifest to check for this value. If the user has authenticated already, create a new Intent for your 'home' activity and redirect your user and finish() the launcher activity.
As always, it depends. Do you need to protect the whole app? or some particular activities or some fragment in some activities. Take a look at Mint app.
It asks the user to enter pass code to access app. For something like this, create a base activity and make all activities in your app inherit this and do the checking in the base activity.
If you need to secure just some activities, create a base activity
just for these activities and do your security check there.
If it is for some portion of an activity, You have to roll up something specific for your workflow.
Just a tip, Try to split your question into smaller problems, it makes easier for people to answer.

How do I figure out what code will user a given permission?

For instance, let's take android.permission.GET_PACKAGE_SIZE.
Searching for this string in Android 1.6 *.xml source files only points to a single application that uses it, frameworks\base\tests\AndroidTests.
So the next step is to search through the .java files in a hope that I'll eventually find the code that might look like it queries for package size.
Is this the supposed way of discovering permission use?
The Manage Applications UI uses the API protected by this permission. It probably doesn't request the permission in its manifest because it runs as the system user ID so is implicitly getting the permission.
For applications in general, yes you can look at their AndroidManifest.xml to find the permissions. This is complicated by shared user IDs, which allow multiple applications to run as the same uid, and thus share permissions; any such app requesting a permission grants that permission to all such apps. The settings app, which has the Manage Applications UI, uses the "system" shared user ID so gets all such permissions available to the system.
Generally speaking, you find out what permissions you need because they are referenced from APIs you want to use, normally in the docs, occasionally by exceptions.
Conversely, if a given permission is not cited in the docs, except where it is named (e.g., on Manifest.permission), then it is probably a system permission that you are ineligible to hold unless you are working on alternative firmware.
And, if you are working on alternative firmware, you'd be well-versed in searching the source code. I use Google Code Search, personally, such as this search for your desired permission.
So, in the case of GET_PACKAGE_SIZE, the only place you find it in the docs is in Manifest.permission, and the only place the source code requires it is in a non-SDK method, so I suspect you cannot hold it.
Just check the docs.
GET_PACKAGE_SIZE : Allows an
application to find out the space used
by any package.
http://developer.android.com/reference/android/Manifest.permission.html
EDIT
I may have mis-understood the question. If you want to know what code is using a permission value. Then you will in fact have to dig through the source yourself.

Categories

Resources