permissions don't seem to make any difference...
In the manifest, I have only one <uses-permission> (permission.INTERNET), and I have two <permission> elements:
<permission android:name="myapp.permission.READ"
android:permissionGroup="myapp.permission-group.MYAPP_DATA"
android:label="#string/perm_read"
android:description="#string/perm_read_summary"
android:protectionLevel="signature" />
<permission android:name="myapp.permission.WRITE"
android:permissionGroup="myapp.permission-group.MYAPP_DATA"
android:label="#string/perm_write"
android:description="#string/perm_write_summary"
android:protectionLevel="signature" />
And then there is the provider:
<provider
android:name=".data.DataProvider"
android:multiprocess="true"
android:authorities="myapp.data.DataProvider"
android:readPermission="myapp.permission.READ"
android:writePermission="myapp.permission.WRITE" />
Right now, I have normal access to the ContentProvider, and it works just fine.
Why does it work if I didn't enforce with <uses-permission>?
Shouldn't it be needed also in the app where the provider is
declared?
Adding <uses-permission> with my own permissions make no difference. The permissions are not even listed in the app info. Why?
ps.: yes, I've read questions here on SO and on Google Groups (ones with Hackborn answering, too). I've followed (as you can see) what is described everywhere, but still... You could say that it's working, but the point is exactly that I want to see when it doesn't.
Shouldn't it be needed also in the app where the provider is declared?
AFAIK, your own app holds all your own permissions that you declare. Third parties would need <uses-permission>.
The permissions are not even listed in the app info. Why?
See above.
You could say that it's working, but the point is exactly that I want to see when it doesn't.
Write another app, in its own package, to test your permissions.
Related
We reviewed your request and found that your app, does not qualify for use of the requested permissions for the following reasons:
The declared feature {Default SMS} is allowed; however we determined it to be unnecessary for the core functionality of your app.
Default SMS [READ_SMS, SEND_SMS, WRITE_SMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECEIVE_MMS]
I use the <uses-permission android:name="android.permission.SEND_SMS" />
to share the app via SMS (send a text and a link to the website ), whats the work arround?
Thanks
If I understand correctly you want SMS as a feature but not a requirement.
I think what you wanted to do is add uses-feature declarations with android:required="false".
From android docs
When you declare android:required="false" for a feature, it means that the application prefers to use the feature if present on the device, but that it is designed to function without the specified feature, if necessary.
Solved by removing <uses-permission android:name="android.permission.SEND_SMS" />
and calling a intent to open the Native Device Sms App
Is is possible to make content provider read-only? I know that this question was asked few times but according to all of them (eg. this) I have to write my own custom write permission.
<permission android:name="com.test.WRITE_DATABASE" android:protectionLevel="normal" />
<permission android:name="com.test.READ_DATABASE" android:protectionLevel="normal" />
//...
<provider
android:authorities="xxx"
android:name="xxx"
android:exported="true"
android:readPermission="com.test.READ_DATABASE"
android:writePermission="com.test.WRITE_DATABASE" />
But hacker could decompile my app and look inside manifest file and then he can easily write his own app with:
<uses-permission android:name="com.test.WRITE_DATABASE" />
So it's almost useless...
I have several apps to use one Content Provider inside my main application. Only this application should have write permission - other should only read from this database. Any ideas how to solve this?
See documentation about permissions here: https://developer.android.com/guide/topics/manifest/permission-element.html
Answer to your question is a android:protectionLevel property of a permission. You can set it to signature so only applications that signed with same key will be able to request this permissions.
In Appcelerator Titanium, I've build a simple one-page app that adds Roman Numerals. As best as I can tell, it has no need to ask for any permissions.
However, my friend testing the app told me it asks for access to the network and in the build/android/ directory the AndroidManifest.xml file includes these lines:
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
There's nothing in the tiapp.xml file requesting these permissions and I started with a stock, blank project and don't import any modules or widgets.
Where did these permission requests originate? How do I get rid of them?
All the info I can find discusses how to add or request a permission, but nothing explains how to ensure unnecessary permissions don't show up in the generated AndroidManifest.xml.
It is quite possible that those permissions are defined in one of the Android Libraries used by your app. Android build system provides tools to control how manifest merge is done. Try disabling manifest merge for <uses-permission/> elements of your app's manifest. See Merge Multiple Manifest Files docs.
Have a look at the builder.py (.titanium/mobilesdk/linux/5.3.0.GA/android/builder.py) somewhere around line 982. There you'll find the default permissions for Android. You can try to remove them and see if you have any errors. Make sure to disable the analytics first!
In Android documentation on permission-tree, I cannot find any use scenario showing permission-tree is useful.
Now there are several questions in my mind:
Why do we need permission-tree?
Is there any real scenario to illustrate permission-tree is necessary?
Is there any example to demonstrate how the client App requests the permission-tree?
Why do we need permission-tree?
When you use permission-tree, you don't want other apps to use any permission with the same base name as you declared from permission-tree.
For example, you use
<permission-tree
android:name="com.example.project.taxes"
android:label="" />
Which means you don't want other apps to use any permission prefix with "com.example.project.taxes".
If there is any app with the same base name installed before your app, both apps' permissions are valid.
If your app installed first, and another app using a permission prefix with your base name, another app's protection level will automatically change to "signature", even it declares as "normal" in the AndroidManifest.xml.
This can be checked when you pull system packages file from devices.
adb pull /data/system/packages.xml
Normal permission is like this,
<item name="com.google.android.gms.permission.TRANSFER_WIFI_CREDENTIAL" package="com.google.android.gms" />
If there is a conflict, it will become like this.
<item name="com.google.android.gms.permission.TRANSFER_WIFI_CREDENTIAL" package="com.google.android.gms" protection="2" />
That means you will block all the future installed app to gain the normal permission with your base name.
When some app trying to use it, Logcat will log some message like this when the app is installing,
PackageManager: Un-granting permission com.example.project.taxes.deductions.MAKE_SOME_UP from package com.others.app
So be careful to choose your permission-tree name.
Is there any real scenario to illustrate permission-tree is necessary?
From the /data/system/packages.xml from a new device, I can see only a google app is using permission tree.
<permission-trees>
<item name="com.google.android.googleapps.permission.GOOGLE_AUTH" package="com.google.android.gsf" />
</permission-trees>
And this app really uses a lot of customised permission, that's why it needs to declared the permission tree and not allow others to conflict with them.
Is there any example to demonstrate how the client App requests the permission-tree?
This is example how client app request the permission tree.
<permission-tree
android:name="com.example.project.taxes"
android:label="" />
But I don't think a client app is necessary to use permission tree, it's more meaningful for a system app. Otherwise, use a long name for permission tree, make sure no one else has conflict with this name.
I noticed that there are two types of permissions in the manifest file, "permission" and "uses-permission" like the two shown below;
<permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
for the following 4 permissions which do I use when I put them in my manifest.xml file? uses-permissions or permissions?
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.INTERNET
android.permission.CHANGE_WIFI_MULTICAST_STATE
For
<permission>
The documentation states:
Declares a security permission that can be used to limit access to specific components or features of this or other applications.
Therefore, since you are accessing Android's permissions, you want uses-permission instead. The documentation for this element states:
Requests a permission that the application must be granted in order
for it to operate correctly.
<permission> is normally used when making a custom permission (e.g. when making an app that other apps can tie in to, limiting access is a must), and <uses-permission> is used when your app actually needs a permission it doesn't have normally.
Lets start with "uses-permission...": Suppose you want to use GoogleMap in your application as an example to find a nearest location of any office such as bank or any other office. You need internet. So you need to give the permission to your android device to access INTERNET. This is done by using android permission called .
<uses-permission android:name="android.permission.INTERNET" />
Now come to "permission..": what it does is it Declares a security permission that can be used to limit access to specific components or features of this or other applications.If your application need some resources or some feature from other application, you can use by giving the specific class or package.
<permission android:name="com.example.project.DEBIT_ACCT" . . . />
Thanks. for more information, you can read
http://developer.android.com/guide/topics/manifest/manifest-intro.html
In short, the one you needed is the uses-permission statement.
Androird Document now has a dedicated page discussing these two usages.
In the Using Permissions part, it explains that
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.android.app.myapp" >
<uses-permission android:name="android.permission.RECEIVE_SMS" />
...
</manifest>
is used to declare what permissions you'd like to use.
While in Defining and Enforcing Permissions you can see that
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.me.app.myapp" >
<permission android:name="com.me.app.myapp.permission.DEADLY_ACTIVITY"
android:label="#string/permlab_deadlyActivity"
android:description="#string/permdesc_deadlyActivity"
android:permissionGroup="android.permission-group.COST_MONEY"
android:protectionLevel="dangerous" />
...
</manifest>
is used to define your own permission.
In layman terms, <uses-permission> specifies permissions your app needs to access some component restrict by another app that is the owner of that component.
<permission> specifies the restrictions you are placing on your components are the component owner.