I got a well known security exception:
java.lang.SecurityException: Sending SMS message: User 1001 does not have android.permission.SEND_SMS
I added the following line to the android manifest file:
<uses-permission android:name="android.permission.SEND_SMS" />
But even when I do this I got the same exception.
This has possibly something to do with the shared user id I use:
android:sharedUserId="android.uid.phone", so here my question:
When I use a shared user id (from a system application), can I add my own permissions to the manifest file.
additional information:
I used the same certificate as the system, else I couldn't use the same user id as a system application.
Thanks in advance for your answers and remarks!
I know this question is old but I just had the same problem in 2019 and only found this un-answered question. I too was tinkering with with android:process & android:sharedUserId to let two apps use the same process and I too got a permissions-error that had previously not occurred before I started tinkering. I always got:
Neither user 10003 nor current process has android.permission...
What solved it for me was to perform a factory reset.
Related
(if you came here by googling looking for a solution for this error,below links will give you an answer,also my question has kind of an explanation!)
Possible duplicate of
INSTALL_FAILED_DUPLICATE_PERMISSION… C2D_MESSAGE
Error -505 INSTALL_FAILED_DUPLICATE_PERMISSION
Wait!
I got this error today in a live project.User came with the 505 error unable to install the app.Then i ran it on IDE!
If you download an app with this mentioned issue from play store you will get an error with 505 when you try to install.
If you try to run it using your IDE you will get the error like in above image! (correct me if I am wrong)
Then I was looking for reasons.
This was my issue!
<permission
android:name="in.wptrafficanalyzer.locationroutedirectionmapv2.permission.MAPS_RECEIVE"
android:protectionLevel="signature" />
<uses-permission android:name="in.wptrafficanalyzer.locationroutedirectionmapv2.permission.MAPS_RECEIVE" />
Surprise thing was another developer's app on a particular users phone used the same signature! Damn, those copy pastes met each other today!!
I think if I try to declare same permission in two applications with
same package name this error can occur.(correct me if I am wrong)
Here are my 2 questions?
1.Do they need to be with the same permission? anyway they will get this thing when its same. lets say app A users a pkg.name with permission permission.RECEIVE app B use same package with another permission CONFIGURE_SIP.Can this occur when they meet each other?(seems like a stupid question but I want to confirm the other app that was there in the client's mobile had the same thing!)
2.What are/is there any other the possibilities that this error can occur?
An application defines a custom permission using signature level security
You attempt to update the installed app with a version signed with a different key
The test device is running Android 21 or newer with support for multiple users
Got those 1 2 3 from this post ! Are they true? If yes any good explanation about them will be great or any additional reason for this error?
There are many good answers in the mentioned posts!Not asking how to fix this! But how it gets generated! Also if I mentioned/understood something wrong please do note it down!!
Thank you.
Edit : As I mentioned please note that the issue came form an app which is already in the Play Store. And about the other app I have no idea! It's there in the client's mobile.Probably its also from play store because even developer options was not activated till I try to run on that mobile.He did not had any previous apps from my company as well.He just tried to download the app got 505 error and came to fix it.
And also my first option was the removal of that permission an it made the app install successfully(not the right thing but to confirm where the issue was). That is the reason that I need to know the possibilities of this error!
#commonsware blogs has explain it in details in Custom Permission Vulnerability and the 'L' Developer Preview:
Near as I can tell, the “L” Developer Preview requires that all apps
with a <permission> element for the same android:name value be signed
by the same signing key. The actual protectionLevel or other values
inside the <permission> does not matter. Even if they are identical, an
app trying to define the <permission> will fail to install if an
existing installed app already defines the <permission>. Specifically,
the installation of the second app will fail with an
INSTALL_FAILED_DUPLICATE_PERMISSION error.
Here the answer from #commonsware: https://stackoverflow.com/a/11730133/4758255
Your problem isn't permissions. It's impossible to have two apps with the same manifest package name.It must be unique. So system think that user try to reinstall/update old app with new signing certificate. From android developers blog
If the signing certificate changes, trying to install the new application on to the device will fail until the old version is uninstalled.
EDIT:
I run some tests with permissions. I think, behavior is very similar with application package name. Error occur only if 100% matching. Results:
app A(package test.test) vs app B(package test.test2)
package="test.test">
<permission
android:name="test2.example.h"
android:protectionLevel="signature" />
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="test.test2">
<permission
android:name="test.example.hr"
android:protectionLevel="signature" />
permission A - test.example.h vs B - test.example.h - DUPLICATE_PERMSSIONS error
test.example vs test.example.h - success
test.example.g vs test.example.h - success
uses-permission doesn't affect on errors/installations. But I think you can get SeciurityException in runtime, if try to use others permissions.
I've a problem with content provider and custom permissions.
Let's suppose that App A have a content provider containing wonderful informations. These informations are a little bit intrusive, that's why it's better to have a permission to read them.
Let's suppose that App B is a 3rd party application and want to access to the content provider of A.
Let's suppose that the permission to read into the content provider is "com.custom.a.readpermission".
In A manifest, there is :
<permission android:name="com.custom.a.readpermission"/>
<provider android:name="com.a.provider.MyProvider"
android:exported="true"
android:authorities="com.a.provider.MyProvider"
android:readPermission="com.custom.a.readpermission"/>
In B manifest, there is :
<uses-permission android:name="com.custom.a.readpermission"/>
So, now, if I install A; after, I install B. B can access to the data.
But, if I install B before A, I get :
java.lang.SecurityException: Permission Denial: opening provider com.a.provider.MyProvider requires com.custom.a.readpermission
So, how to manage a custom permission in that case ?
So, how to manage a custom permission in that case ?
Your primary options are:
Use a built-in system permission, as opposed to a custom one. This is a good idea in general, if the nature of the sensitive data is similar to other data already defended by built-in permissions.
Catch this exception and tell the user that they need to uninstall A and B and install them in the proper order.
If A and B are both by the same author, use a protectionLevel signature permission and have the same <permission> element in both A and B. Then the installation order will not matter, and the user won't be bothered with any prompts to agree to this permission.
However, bear in mind that prior to Android 5.0, the fact that option #3 works means that any app installed before A could do the same thing as B does, except downgrading the protectionLevel from signature to normal. This is a known vulnerability. Android 5.0 requires that custom permissions are defined on a "first one in wins" basis, and the second and subsequent apps trying to define the same <permission> have to be signed by the same signing key as the app that actually did define it.
In truth, permissions are great for pre-installed apps and the OS itself, but defining custom permissions at the app level is... less than great.
I have two apps. one of the two has a custom content provider which works like a charm.
APP A -> The one with the provider
APP B -> The one that needs the data from the provider
Everything works fine in this scenario:
1st : Install app A
2nd: Install app B
However when I do it like this:
1st: Install app B
2nd: Install app A
I get the error :
09-19 13:07:22.576: E/AndroidRuntime(14621): Caused by: java.lang.SecurityException: Permission Denial: opening provider
uk.co.ringsizer.ui.BirthProvider from ProcessRecord{450c14c8 14621:uk.co.gemtv/u0a360}
(pid=14621, uid=10360) requires com.eir.provider.Size.READ_DATABASE
or com.eir.provider.Size.WRITE_DATABASE
My permissions are clearly stated in the manifest file and they are correct since it works if I install the apps in a different order.
It's the first time I'm using Content provider and I am relatively new to Android so the problem might be obvious to more experienced developers.
Any ideas? Has anybody else experienced the same issue before?
Thanks in advance.
The app that defines the custom <permission> must be installed before the app that requests it via <uses-permission>. If they are installed in the wrong order, the <uses-permission> app does not get the permission and must be uninstalled and reinstalled.
Custom permissions in general are risky for SDK apps.
Make sure that BOTH apps have the permission attribute in the manifest.
<permission android:name="com.example.permission.READ" />
I had only the use-permission attribute in the consuming app, and had exactly this problem. It'll work if the content provider app is installed first, but will fail if the content provider app is installed second.
When the consuming client app has the permission attribute as well, it will work regardless of app install order.
I have a content provider and a test application both signed with a debug key. The client receives a content normally if permissions are not applied, but I want to apply permissions to the stuff. So the following lines are added into the content provider's manifest file:
<permission android:name="org.example.provider.READ"
android:permissionGroup="org.example.group.DATA_ACCESS"
android:label="#string/readonlyaccess"
android:protectionLevel="signature" />
<application
...
<provider android:name=".ImageContentProvider"
android:authorities="org.example.provider"
android:readPermission="org.example.provider.READ" />
In the client's manifest file the following line is added:
<uses-permission android:name="org.example.provider.READ" />
When I try to get the data from the provider, I get the error:
09-13 22:38:20.995: E/AndroidRuntime(13979): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.example.hello/com.example.hello.HelloActivity}: java.lang.SecurityException: Permission Denial: reading org.example.ImageContentProvider uri content://org.example.provider/file from pid=13979, uid=10040 requires org.example.provider.READ
Am I missing something, or is it related to the fact that the applications are signed by debug key? How to solve the problem? I saw a suggestion to add uses-permission to the provider as well, but this does not help either. NB. This is checked inside emulator, if this can be of any importance.
I found a related question throws SecurityException when signing with the default debug keystore, but it does not provide actual solution.
Yes, it works with debug keystores, at least the last time I tried it.
I would have the <permission> element in both apps. If you installed the <uses-permission> one first, and then installed the <permission> one, you would run into problems. The permission needs to be defined before the <uses-permission> is encountered, and the simplest way to do that is to put the <permission> in both.
While developing a Launcher (Homescreen) application for Android, I've come into a security exception I don't understand.
When calling the
[bindAppWidgetId()][1] method from
within my Launcher Activity, I get
this security exception :
08-19 11:30:11.689: ERROR/AndroidRuntime(6032): java.lang.SecurityException: bindGagetId appWidgetId=99 provider=ComponentInfo{com.android.music/com.android.music.MediaAppWidgetProvider}: User 10034 does not have android.permission.BIND_APPWIDGET.
I first thought I had forgotten the BIND_APPWIDGET permission in my manifest, but it is definitely there.
The android api documentation states this :
"You need the APPWIDGET_LIST
permission. This method is to be used
by the AppWidget picker."
I tried to add the permission android.permission.APPWIDGET_LIST, but it doesn't solve the issue.
Also, I've looked at the manifest of the Settings application from the android sources that contains the AppWidgetPickActivity code : there's a special line that asks to share user id :
"android:sharedUserId="android.uid.system"
Could it be related to my problem ?
If anyone has an idea that would be great !
Cheers,
Laurent
I've found an answer!
BindAppWidgetId() is deliberately not available to applications! (security problems).
"The android.permission.BIND_APPWIDGET
permission is a system permission. You
can only get that permission if your
package is installed as a system
package (installed in /system/app in
stead of /data/app) or sign you app
with a certificate that's the same as
your android image. So basicly this
means you can only use this permission
if you are also the creator of the
android image on your platform/phone."
Here are the links to this information :
http://groups.google.com/group/android-developers/browse_thread/thread/231245ba6d1e690f/047b9d3f776d7e54?lnk=gst&q=bindAppWidgetId#047b9d3f776d7e54
http://groups.google.com/group/android-developers/browse_thread/thread/f24e0f484a79d529/ef84188e8533a125?lnk=gst&q=bindAppWidgetId#ef84188e8533a125
A quick Google search reveals that android.permission.APPWIDGET_LIST is a usable permission, even though it's not listed in the API docs.