W/PackageManager(61): Not granting permission android.permission.SET_ACTIVITY_WATCHER to package
This is one such example of a permission that will not be granted to applications without being signed using the platform signature. With that said I would like to know how any application running on a rooted device (with /system/bin/su and SuperUser.apk) can be granted any of these permissions.
Process p = Runtime.getRuntime().exec("su");
p.waitFor();
Doing this prompts the super user dialog with "accept" or "reject," but SecurityExceptions are still thrown.
You can declare your app to run as a system app by setting the sharedUserId as follows in the AndroidManifest.xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="[your package name]"
android:sharedUserId="android.uid.system">
More details can be found here: How to sign Android app with system signature?
you need to copy your apk file to '/system/apps'. It can be done programatically. you can do this only if you have root permissions. once copied, reboot the device(reboot can also be done programatically if you have root) and you'll be granted all permissions mentioned in your manifest file. You can also distribute this on market.
Related
I know that some directories(e.g. /data/data/{package}/lib) will be generated after APK installation.I want to know whether the permissions(e.g.-rwxr-xr-x) of these directories and files in them can be set at the code level before APK installation?Or is the permission of the files generated during installation granted by the Android system during installation and the permissions cannot be set in advance?How can I do to implement it if the permissions of the generated file can be set in advance?
The files in data/data/package/ are always private to your application. No other process can read or write them (except the system, of course). And there's no way to override those permissions at install time. You probably could at runtime, but I'm not sure why you'd want to.
I have inherited an Android project without having much idea about the development on this platform. First I want to explain why I want to debug a system app if you have any idea about the problem:
This project is a system app and has to change Settings.Secure.LOCATION_MODE's value. Now the customer has problems with this feature and wants to solve it.
The device is Android 5.1 with manufacturer's special permissions and the APK file is in system/priv-app folder.
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" /> is in AndroidManifest.xml.
I get this exception: "Permission denial: writing to secure settings requires android.permission.WRITE_SECURE_SETTINGS".
In the main actitvity this condition is checked:
public boolean isSystemApp() {
return (getApplicationInfo().flags & (ApplicationInfo.FLAG_SYSTEM |
ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) != 0;
}
So I want to debug the system app running it in the system/priv-app to have privileges. Is it posible?
I work on Android 6 AOSP. I am able to build add the application as a system app
but now I want to add runtime permission by default on this system app. Like that the app can start without asking the user to validate the permission.
Do you know how I can do that?
Thanks for you help.
If your app is privileged, all Runtime permissions are granted if requested in manifest.
To make your app privileged:
in Android.mk
LOCAL_CERTIFICATE := platform
LOCAL_PRIVILEGED_MODULE := true
If this does not solve your problem:
1. You can grant Runtime permissions to your app in Runtime. App must have android.Manifest.permission.GRANT_RUNTIME_PERMISSIONS. Pm.java
IPackageManager pm = IPackageManager.Stub.asInterface(ServiceManager.getService("package"));
pm.grantRuntimePermission(pkgname, perm, UserHandle.USER_OWNER);
pm.updatePermissionFlags(perm, pkgname, PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT,
PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT, UserHandle.USER_OWNER);
You can grant permissions manually by modifying
DefaultPermissionGrantPolicy.java.
Additionally, if app use shared user id with system. Any permission is granted even though it is not requested in manifest.
android:sharedUserId="android.uid.system".
You can grant runtime permissions to system apps by modifying the DefaultPermissionsGrantPolicy.java class.
In the grantDefaultSystemHandlerPermissions(int userId) method, add this code:
PackageParser.Package yourPackage = getSystemPackageLPr("YOUR_APP_PACKAGE_NAME");
if (yourPackage != null
&& doesPackageSupportRuntimePermissions(yourPackage)) {
grantRuntimePermissionsLPw(yourPackage, CONTACTS_PERMISSIONS, userId);
grantRuntimePermissionsLPw(yourPackage, CALENDAR_PERMISSIONS, userId);
}
Make sure you add the code above this line:
mService.mSettings.onDefaultRuntimePermissionsGrantedLPr(userId);
I want to use the permission android.permission.DEVICE_POWER and it is need system or signature, I searched a lot and seems the apk in /system/priv-app may have the permission, but I failed on my Nexus 4 5.0.2.
I put the apk to /system/priv-app, but the logcat shows that
Not granting permission android.permission.DEVICE_POWER to package xxxx
Is there something wrong I did? Or is there any other ways to get the permission?
Refer to the documentation on android:protectionLevel in the documentation.
Only permissions with a protection level of signatureOrSystem will be assigned upon install if the app is included in the /system/priv-app folder. android.permission.DEVICE_POWER is not one of these. Refer to the manifest definition in the source:
Here is the excerpt:
<!-- Allows low-level access to power management.
<p>Not for use by third-party applications. -->
<permission android:name="android.permission.DEVICE_POWER"
android:label="#string/permlab_devicePower"
android:description="#string/permdesc_devicePower"
android:protectionLevel="signature" />
Hence the app needs to be signed with the platform key of the ROM/system/AOSP-build in order to attain this permission.
To get this permission, the application must be signed with the key which used to sign the platform. This may be different for manufacturers. So its practically not possible to get these permissions granted to a user application.
Following are some of the permissions that may NOT be granted to the user application:
android.permission.ACCESS_CHECKIN_PROPERTIES
android.permission.ACCESS_SURFACE_FLINGER
android.permission.ACCOUNT_MANAGER
android.permission.BIND_APPWIDGET
android.permission.BIND_DEVICE_ADMIN
android.permission.BIND_INPUT_METHOD
android.permission.BIND_WALLPAPER
android.permission.BRICK
android.permission.BROADCAST_PACKAGE_REMOVED
android.permission.BROADCAST_SMS
android.permission.BROADCAST_WAP_PUSH
android.permission.CALL_PRIVILEGED
android.permission.CHANGE_COMPONENT_ENABLED_STATE
android.permission.CLEAR_APP_USER_DATA
android.permission.CONTROL_LOCATION_UPDATES
android.permission.DELETE_CACHE_FILES
android.permission.DELETE_PACKAGES
android.permission.DEVICE_POWER
android.permission.DIAGNOSTIC
android.permission.FACTORY_TEST
android.permission.FORCE_BACK
android.permission.GLOBAL_SEARCH
android.permission.HARDWARE_TEST
android.permission.INJECT_EVENTS
android.permission.INSTALL_LOCATION_PROVIDER
android.permission.INSTALL_PACKAGES
android.permission.INTERNAL_SYSTEM_WINDOW
android.permission.MANAGE_APP_TOKENS
android.permission.MASTER_CLEAR
android.permission.READ_FRAME_BUFFER
android.permission.READ_INPUT_STATE
android.permission.REBOOT
android.permission.SET_ACTIVITY_WATCHER
android.permission.SET_ORIENTATION
android.permission.SET_PREFERRED_APPLICATIONS
android.permission.SET_TIME
android.permission.STATUS_BAR
android.permission.UPDATE_DEVICE_STATS
android.permission.WRITE_GSERVICES
android.permission.WRITE_SECURE_SETTINGS
clean your project it will be fine like this :
project -> Clean
May this will work for you
How can i gain android.permission.DEVICE_POWER
I run ./gradlew connectedAndroidTest and I need my test APK to have a permission which should not be in any non-testing APK (debug, release). I have created a manifest with permission:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.mypackage">
<uses-permission android:name="android.permission.SET_ANIMATION_SCALE"/>
</manifest>
Then I have copied this manifest to src/androidTest directory, as release notes from gradle android plugin suggest:
0.13.0 (2014/09/18)
Requires Gradle 2.1
It is now possible to provide a manifest for test apps (src/androidTest/AndroidManifest.xml)
However, the permission is not applied during my connected tests.
If I create a src/debug directory and move this manifest there -- the permission is applied correctly during connected tests (but also during regular debug builds, which is undesirable).
Am I doing something wrong or is there a bug?
The problem stems from my misunderstanding of how connectedAndroidTest gradle task works. It creates and deploys 2 android applications - a testable (your project) and a tester (an app which simulates a user who interacts with the testable app). My intent was to add the permission to the testable app. However, adding a manifest to src/androidTest resulted in adding the permission to the tester app. Here's how I figured that out:
If I execute
adb shell pm list packages -f -3
(-3 means to list only third-party packages) I can see something like this
package:/data/app/SmokeTestApp.apk=com.android.smoketest
package:/data/app/GestureBuilder.apk=com.android.gesture.builder
package:/data/app/com.mycompany.myapp-2.apk=com.mycompany.myapp
package:/data/app/SoftKeyboard.apk=com.example.android.softkeyboard
package:/data/app/org.libsdl.app-2.apk=org.libsdl.app
package:/data/app/SmokeTest.apk=com.android.smoketest.tests
package:/data/app/com.mycompany.myapp.test-1.apk=com.mycompany.myapp.test
The app with test-1 suffix is the tester app, another one is my testable app. Checking their permission gives:
root#generic_x86:/ # aapt d permissions /data/app/com.mycompany.myapp-2.apk
package: com.spredfast.android
uses-permission: android.permission.INTERNET
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
root#generic_x86:/ # aapt d permissions /data/app/com.mycompany.myapp.test-1.apk
package: com.spredfast.android
uses-permission: android.permission.SET_ANIMATION_SCALE
So the permission, SET_ANIMATION_SCALE, which I was intending to put into my testable app is put into the tester app. No wonder that moving the manifest from src/androidTest to src/debug would put the permission into the testable app (correct, but too broad).
Here's how I solved the original problem - putting the permission into the application only in case of the application being run inside connectedAndroidTest task.
I have created an empty build flavor to be used with integration tests:
productFlavors {
/**
* This flavor is to be run only using connectedAndroidTestAnimcontrol
*/
animcontrol {}
regular {}
}
Moved src/androidTest/AndroidManifest.xml with the single permission into src/animcontrol/AndroidManifest.xml
Executed connected tests as
./gradlew connectedAnimcontrolDebugAndroidTest
That did the trick, now I have AndroidManifest.xml which will be merged with main app's manifest only when being run as connectedAndroidTest.
Hope this helps someone.