While developing a Launcher (Homescreen) application for Android, I've come into a security exception I don't understand.
When calling the
[bindAppWidgetId()][1] method from
within my Launcher Activity, I get
this security exception :
08-19 11:30:11.689: ERROR/AndroidRuntime(6032): java.lang.SecurityException: bindGagetId appWidgetId=99 provider=ComponentInfo{com.android.music/com.android.music.MediaAppWidgetProvider}: User 10034 does not have android.permission.BIND_APPWIDGET.
I first thought I had forgotten the BIND_APPWIDGET permission in my manifest, but it is definitely there.
The android api documentation states this :
"You need the APPWIDGET_LIST
permission. This method is to be used
by the AppWidget picker."
I tried to add the permission android.permission.APPWIDGET_LIST, but it doesn't solve the issue.
Also, I've looked at the manifest of the Settings application from the android sources that contains the AppWidgetPickActivity code : there's a special line that asks to share user id :
"android:sharedUserId="android.uid.system"
Could it be related to my problem ?
If anyone has an idea that would be great !
Cheers,
Laurent
I've found an answer!
BindAppWidgetId() is deliberately not available to applications! (security problems).
"The android.permission.BIND_APPWIDGET
permission is a system permission. You
can only get that permission if your
package is installed as a system
package (installed in /system/app in
stead of /data/app) or sign you app
with a certificate that's the same as
your android image. So basicly this
means you can only use this permission
if you are also the creator of the
android image on your platform/phone."
Here are the links to this information :
http://groups.google.com/group/android-developers/browse_thread/thread/231245ba6d1e690f/047b9d3f776d7e54?lnk=gst&q=bindAppWidgetId#047b9d3f776d7e54
http://groups.google.com/group/android-developers/browse_thread/thread/f24e0f484a79d529/ef84188e8533a125?lnk=gst&q=bindAppWidgetId#ef84188e8533a125
A quick Google search reveals that android.permission.APPWIDGET_LIST is a usable permission, even though it's not listed in the API docs.
Related
I have a React Native Android app that is requesting the QUERY_ALL_PACKAGES inside android/app/build/intermediates/merged_manifests/release/AndroidManifest.xml, as well as several other places like, android/app/build/intermediates/bundle_manifest/release/bundle-manifest/AndroidManifest.xml
This permission is not requested/added to my android/app/src/main/AndroidManifest.xml.
I need to find out why this permission is required.
Since it is not present in my android/app/src/main/AndroidManifest.xml, I am assuming that is a permission required by one of the packages installed in my app.
How can I go about finding what package/dependency is requiring this permission?
Any help or guidance would be greatly appreciated.
You can see what packages are requesting what permissions in the manifest-merger-release-report.txt
In my case this was located inside:
android/app/build/outputs/logs/manifest-merger-release-report.txt
(if you came here by googling looking for a solution for this error,below links will give you an answer,also my question has kind of an explanation!)
Possible duplicate of
INSTALL_FAILED_DUPLICATE_PERMISSION… C2D_MESSAGE
Error -505 INSTALL_FAILED_DUPLICATE_PERMISSION
Wait!
I got this error today in a live project.User came with the 505 error unable to install the app.Then i ran it on IDE!
If you download an app with this mentioned issue from play store you will get an error with 505 when you try to install.
If you try to run it using your IDE you will get the error like in above image! (correct me if I am wrong)
Then I was looking for reasons.
This was my issue!
<permission
android:name="in.wptrafficanalyzer.locationroutedirectionmapv2.permission.MAPS_RECEIVE"
android:protectionLevel="signature" />
<uses-permission android:name="in.wptrafficanalyzer.locationroutedirectionmapv2.permission.MAPS_RECEIVE" />
Surprise thing was another developer's app on a particular users phone used the same signature! Damn, those copy pastes met each other today!!
I think if I try to declare same permission in two applications with
same package name this error can occur.(correct me if I am wrong)
Here are my 2 questions?
1.Do they need to be with the same permission? anyway they will get this thing when its same. lets say app A users a pkg.name with permission permission.RECEIVE app B use same package with another permission CONFIGURE_SIP.Can this occur when they meet each other?(seems like a stupid question but I want to confirm the other app that was there in the client's mobile had the same thing!)
2.What are/is there any other the possibilities that this error can occur?
An application defines a custom permission using signature level security
You attempt to update the installed app with a version signed with a different key
The test device is running Android 21 or newer with support for multiple users
Got those 1 2 3 from this post ! Are they true? If yes any good explanation about them will be great or any additional reason for this error?
There are many good answers in the mentioned posts!Not asking how to fix this! But how it gets generated! Also if I mentioned/understood something wrong please do note it down!!
Thank you.
Edit : As I mentioned please note that the issue came form an app which is already in the Play Store. And about the other app I have no idea! It's there in the client's mobile.Probably its also from play store because even developer options was not activated till I try to run on that mobile.He did not had any previous apps from my company as well.He just tried to download the app got 505 error and came to fix it.
And also my first option was the removal of that permission an it made the app install successfully(not the right thing but to confirm where the issue was). That is the reason that I need to know the possibilities of this error!
#commonsware blogs has explain it in details in Custom Permission Vulnerability and the 'L' Developer Preview:
Near as I can tell, the “L” Developer Preview requires that all apps
with a <permission> element for the same android:name value be signed
by the same signing key. The actual protectionLevel or other values
inside the <permission> does not matter. Even if they are identical, an
app trying to define the <permission> will fail to install if an
existing installed app already defines the <permission>. Specifically,
the installation of the second app will fail with an
INSTALL_FAILED_DUPLICATE_PERMISSION error.
Here the answer from #commonsware: https://stackoverflow.com/a/11730133/4758255
Your problem isn't permissions. It's impossible to have two apps with the same manifest package name.It must be unique. So system think that user try to reinstall/update old app with new signing certificate. From android developers blog
If the signing certificate changes, trying to install the new application on to the device will fail until the old version is uninstalled.
EDIT:
I run some tests with permissions. I think, behavior is very similar with application package name. Error occur only if 100% matching. Results:
app A(package test.test) vs app B(package test.test2)
package="test.test">
<permission
android:name="test2.example.h"
android:protectionLevel="signature" />
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="test.test2">
<permission
android:name="test.example.hr"
android:protectionLevel="signature" />
permission A - test.example.h vs B - test.example.h - DUPLICATE_PERMSSIONS error
test.example vs test.example.h - success
test.example.g vs test.example.h - success
uses-permission doesn't affect on errors/installations. But I think you can get SeciurityException in runtime, if try to use others permissions.
I use crittercism for my app. Here is what i do to initialize Crittercism:
I only use the following permission:
<uses-permission android:name="android.permission.INTERNET"/>
and i initialize Crittercism like the following:
Crittercism.initialize(getApplicationContext(), "MY_APP_ID");
I do nothing else.
I can see some information about app installs etc, but i cannot see crash reports. I do the following when i click a button in my app and deliberately crash the app:
public void onClick(){
Integer i = null;
i++;
}
But i cannot see the crash report of this situation. Can anyone tell me why? Do i need to add mappings.txt file etc.?
Thanks
As the official Crittercism documentation says, you need more permissions.
Add the following permissions to your app’s AndroidManifest.xml file.
INTERNET
Required. Used to report data to Crittercism.
ACCESS_NETWORK_STATE
Optional. Allows providing network connectivity information such as carrier and network type.
READ_LOGS
Optional. Allows collecting logcat data to be attached to crashes and handled exceptions.
GET_TASKS
Optional. Allows augmenting crash reports with information on the activity running during a crash.
Documentation
You probably need "GET_TASKS" in order to have crash reports.
I found the problem.
It seems that in the developer console, the platform was set to IOS, i changed it to Android and i can see crash reports now.
I have two apps. one of the two has a custom content provider which works like a charm.
APP A -> The one with the provider
APP B -> The one that needs the data from the provider
Everything works fine in this scenario:
1st : Install app A
2nd: Install app B
However when I do it like this:
1st: Install app B
2nd: Install app A
I get the error :
09-19 13:07:22.576: E/AndroidRuntime(14621): Caused by: java.lang.SecurityException: Permission Denial: opening provider
uk.co.ringsizer.ui.BirthProvider from ProcessRecord{450c14c8 14621:uk.co.gemtv/u0a360}
(pid=14621, uid=10360) requires com.eir.provider.Size.READ_DATABASE
or com.eir.provider.Size.WRITE_DATABASE
My permissions are clearly stated in the manifest file and they are correct since it works if I install the apps in a different order.
It's the first time I'm using Content provider and I am relatively new to Android so the problem might be obvious to more experienced developers.
Any ideas? Has anybody else experienced the same issue before?
Thanks in advance.
The app that defines the custom <permission> must be installed before the app that requests it via <uses-permission>. If they are installed in the wrong order, the <uses-permission> app does not get the permission and must be uninstalled and reinstalled.
Custom permissions in general are risky for SDK apps.
Make sure that BOTH apps have the permission attribute in the manifest.
<permission android:name="com.example.permission.READ" />
I had only the use-permission attribute in the consuming app, and had exactly this problem. It'll work if the content provider app is installed first, but will fail if the content provider app is installed second.
When the consuming client app has the permission attribute as well, it will work regardless of app install order.
I got a well known security exception:
java.lang.SecurityException: Sending SMS message: User 1001 does not have android.permission.SEND_SMS
I added the following line to the android manifest file:
<uses-permission android:name="android.permission.SEND_SMS" />
But even when I do this I got the same exception.
This has possibly something to do with the shared user id I use:
android:sharedUserId="android.uid.phone", so here my question:
When I use a shared user id (from a system application), can I add my own permissions to the manifest file.
additional information:
I used the same certificate as the system, else I couldn't use the same user id as a system application.
Thanks in advance for your answers and remarks!
I know this question is old but I just had the same problem in 2019 and only found this un-answered question. I too was tinkering with with android:process & android:sharedUserId to let two apps use the same process and I too got a permissions-error that had previously not occurred before I started tinkering. I always got:
Neither user 10003 nor current process has android.permission...
What solved it for me was to perform a factory reset.