Android: Add apk Private Permissions

Source: Internet
Author: User

I. Android system permissions

When an APK is installed, Android assigns each package a unique Linux user ID. This ID stays the same for as long as the package remains on the device. The same package may have a different UID on different devices; what matters is that each package's UID is unique on a given device.

Because security is enforced at the process level, the code of any two packages normally cannot run in the same process, since they need to run as different Linux users. You can use the sharedUserId attribute in the manifest tag of each package's AndroidManifest.xml to assign them the same user ID. After doing so, for security purposes the two packages are treated as the same application, with the same user ID and file permissions. Note that, to remain secure, only two apps signed with the same signature (and requesting the same sharedUserId) are assigned the same user ID.

Without the corresponding permission, an attempt to access another app's process or operation fails with a SecurityException. The following log shows the exception raised by an attempt to bind a background service without the required permission:

    …:22.334 W/ActivityManager( 2108): Permission Denial: Accessing service ComponentInfo{com.cmcc.media.hfp.aidl/com.cmcc.media.hfp.aidl.RemoteService} from pid=16297, uid=10038 requires com.cmcc.media.hfp.aidl.NANO_REMOTE_SERVICE
    …:22.340 E/AndroidRuntime(16297): FATAL EXCEPTION: main
    …:22.340 E/AndroidRuntime(16297): Process: com.example.administrator.nano_server, PID: 16297
    …:22.340 E/AndroidRuntime(16297): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.example.administrator.nano_server/com.example.administrator.nano_server.MainActivity}: java.lang.SecurityException: Not allowed to bind to service Intent { act=com.cmcc.media.hfp.client.service pkg=com.cmcc.media.hfp.aidl }
    …:22.340 E/AndroidRuntime(16297):     at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2198)
    …:22.340 E/AndroidRuntime(16297):     at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2248)
    …:22.340 E/AndroidRuntime(16297):     at android.app.ActivityThread.access$…(ActivityThread.java:136)
    …:22.340 E/AndroidRuntime(16297):     at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1197)
    …:22.340 E/AndroidRuntime(16297):     at android.os.Handler.dispatchMessage(Handler.java:102)
    …:22.340 E/AndroidRuntime(16297):     at android.os.Looper.loop(Looper.java:136)
    …:22.340 E/AndroidRuntime(16297):     at android.app.ActivityThread.main(ActivityThread.java:5046)
    …:22.340 E/AndroidRuntime(16297):     at java.lang.reflect.Method.invokeNative(Native Method)
    …:22.340 E/AndroidRuntime(16297):     at java.lang.reflect.Method.invoke(Method.java:515)
    …:22.340 E/AndroidRuntime(16297):     at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:861)
    …:22.340 E/AndroidRuntime(16297):     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:677)
    …:22.340 E/AndroidRuntime(16297):     at dalvik.system.NativeStart.main(Native Method)
    …:22.340 E/AndroidRuntime(16297): Caused by: java.lang.SecurityException: Not allowed to bind to service Intent { act=com.cmcc.media.hfp.client.service pkg=com.cmcc.media.hfp.aidl }
    …:22.340 E/AndroidRuntime(16297):     at android.app.ContextImpl.bindServiceCommon(ContextImpl.java:1727)
    …:22.340 E/AndroidRuntime(16297):     at android.app.ContextImpl.bindService(ContextImpl.java:1691)
    …:22.340 E/AndroidRuntime(16297):     at android.content.ContextWrapper.bindService(ContextWrapper.java:517)
    …:22.340 E/AndroidRuntime(16297):     at com.example.administrator.nano_server.MainActivity.M(MainActivity.java:326)
    …:22.340 E/AndroidRuntime(16297):     at com.example.administrator.nano_server.MainActivity.onStart(MainActivity.java:303)
    …:22.340 E/AndroidRuntime(16297):     at android.app.Instrumentation.callActivityOnStart(Instrumentation.java:1171)
    …:22.340 E/AndroidRuntime(16297):     at android.app.Activity.performStart(Activity.java:5247)
    …:22.340 E/AndroidRuntime(16297):     at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2171)
    …:22.340 E/AndroidRuntime(16297):     ... more
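For the service owner, the ActivityManager warning at the top of that log is the useful signal: it names the caller's UID and the permission it lacked. The following is an added example, not part of the original article, that extracts those fields from logcat text and counts denials per calling app; the sample lines are constructed (the first mirrors the article's denial) and the function names are assumptions.

```python
import re
from collections import Counter

# ActivityManager's denial message, in the format shown in the article's log.
DENIAL = re.compile(
    r"Permission Denial: Accessing service ComponentInfo\{(?P<component>[^}]+)\}"
    r" from pid=(?P<pid>\d+), uid=(?P<uid>\d+) requires (?P<permission>\S+)"
)
PER_USER_RANGE = 100000        # android.os.UserHandle.PER_USER_RANGE
FIRST_APPLICATION_UID = 10000  # android.os.Process.FIRST_APPLICATION_UID

SVC = "com.cmcc.media.hfp.aidl/com.cmcc.media.hfp.aidl.RemoteService"
PERM = "com.cmcc.media.hfp.aidl.NANO_REMOTE_SERVICE"
LINE = ("W/ActivityManager( 2108): Permission Denial: Accessing service "
        "ComponentInfo{%s} from pid=%d, uid=%d requires %s")
# Constructed sample: the first entry mirrors the article's denial, the rest
# are invented (a repeat, a secondary-user caller, a system UID, a crash line).
SAMPLE_LOG = "\n".join([
    LINE % (SVC, 16297, 10038, PERM),
    "E/AndroidRuntime(16297): FATAL EXCEPTION: main",
    LINE % (SVC, 16411, 10038, PERM),
    LINE % (SVC, 17002, 1010051, PERM),
    LINE % (SVC, 812, 1000, PERM),
])

def parse_denials(log_text):
    """Yield one dict per denial line: component, pid, uid, permission."""
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            yield {"component": m["component"], "pid": int(m["pid"]),
                   "uid": int(m["uid"]), "permission": m["permission"]}

def denied_callers(log_text):
    """Count denials per (Android user, app id, permission) for app callers."""
    counts = Counter()
    for d in parse_denials(log_text):
        # A Linux UID encodes the Android user and the per-user app id.
        user, app_id = divmod(d["uid"], PER_USER_RANGE)
        if app_id >= FIRST_APPLICATION_UID:  # skip system/core UIDs
            counts[(user, app_id, d["permission"])] += 1
    return counts
```

Repeated denials from the same app id against a signature-protected service indicate an app that is not signed with the owner's key trying to bind to it.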

  

    • If the device is running Android 6.0 (API level 23) or later and the app's targetSdkVersion is 23 or higher, the app requests permissions from the user at run time. Users can revoke permissions at any time, so the app needs to check whether it has the required permissions each time it runs.
    • If the device is running Android 5.1 (API level 22) or earlier and the app's targetSdkVersion is 22 or lower, the user is asked to grant permissions when installing the app. If you add new permissions in an updated version of the app, the system asks the user to grant them when updating the app. Once the app is installed, the only way for the user to revoke the permissions is to uninstall the app.

II. Defining and using custom permissions

1. Why define a private permission? Suppose a backend service is developed to interact with one specific client app. If someone decompiles the server application and obtains the AIDL interface definition, the application package name and the specific action, they can bind to the service directly and then call the server's remote methods through AIDL at will. The server therefore needs to authenticate any client that requests a connection.

2. To define a private permission, first declare it with one or more <permission> elements in AndroidManifest.xml. The system's own permissions are declared the same way (in the system source code under \frameworks\base\core\res\ ), for example the permission to read the phone number:

    <!-- Allows read access to the device's phone number(s). This is a subset of the capabilities
         granted by {@link #READ_PHONE_STATE} but is exposed to ephemeral applications.
         <p>Protection level: dangerous -->
    <permission android:name="android.permission.READ_PHONE_NUMBERS"
        android:permissionGroup="android.permission-group.PHONE"
        android:label="@string/permlab_readPhoneNumbers"
        android:description="@string/permdesc_readPhoneNumbers"
        android:protectionLevel="dangerous|ephemeral" />

A permission declaration carries a list of attributes: the name of the permission, the permission group it belongs to, its flags, label, description and protection level:

    • android:permissionGroup

This attribute specifies the permission group the permission belongs to. The android.permission-group.PHONE group used in the previous example is defined as follows:

    <!-- Used for permissions that are associated telephony features. -->
    <permission-group android:name="android.permission-group.PHONE"
        android:icon="@drawable/perm_group_phone_calls"
        android:label="@string/permgrouplab_phone"
        android:description="@string/permgroupdesc_phone"
        android:priority="…" />

One thing to note about permission groups: once one permission in a group has been granted, the system also allows the other permissions in that group that have the same or a lower protection level. For example, on Android 6.0 and later, once android.permission.CALL_PHONE has been obtained through the runtime permission mechanism, android.permission.READ_PHONE_STATE, which is in the same group, no longer needs to be obtained through that mechanism.

    • permissionFlags

Sets flags for the permission, for example costsMoney, which indicates that using the permission may incur charges.

    • Label

Set the title for the permission.

    • Description

Sets a description for this permission.

    • Priority

Specifies the priority level for this permission.

    • Icon

Sets the icon for this permission.

    • protectionLevel

Specifies the protection level of the permission. There are four main protection levels: normal, dangerous, signature and signatureOrSystem:

① normal: the default value. A lower-risk permission that poses minimal risk to other applications, the system and the user. The system grants this type of permission to a requesting app automatically at install time, without asking for the user's explicit approval (although the user can choose to review these permissions).

② dangerous: a higher-risk permission. An application that requests this type of permission can negatively affect the user by accessing private data or controlling the device. Because this type of permission introduces potential risk, the system may not grant it to the requesting app automatically. For example, the system can show the user any dangerous permissions the app requests and require confirmation before proceeding, or take some other approach so that the user does not allow them automatically.

③ signature: the system grants the permission only if the requesting app is signed with the same certificate as the app that declared the permission. If the certificates match, the system grants the permission automatically, without notifying the user or asking for explicit approval.

④ signatureOrSystem: the system grants the permission only to apps that are in the Android system image or that are signed with the same certificate as the app that declared the permission. Avoid this option: the "signature" level is sufficient for most needs, and "signatureOrSystem" is used only in certain special cases.

3. To use protected system features, you must include one or more <uses-permission> tags in the app manifest:

Declare a permission to your service as follows:

    <permission
        android:name="com.cmcc.media.hfp.aidl.NANO_REMOTE_SERVICE"
        android:protectionLevel="signature" />

Set the permission on the service: android:permission="com.cmcc.media.hfp.aidl.NANO_REMOTE_SERVICE"

    <application>
        <service
            android:name="com.cmcc.media.hfp.aidl.RemoteService"
            android:permission="com.cmcc.media.hfp.aidl.NANO_REMOTE_SERVICE"
            android:exported="true">
            <intent-filter>
                <!-- client-side wake-up -->
                <action android:name="com.cmcc.media.hfp.client.service" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </service>
    </application>

   

The client app requests access to the service:

    <!-- get access to the service -->
    <uses-permission android:name="com.cmcc.media.hfp.aidl.NANO_REMOTE_SERVICE" />
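The protection only holds if every exported service actually carries a permission and that permission is declared at the signature level. The following is an added example, not part of the original article, that checks this over a source AndroidManifest.xml; the sample manifest is constructed from the article's declarations, and the unprotected .DebugService and the function name are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Constructed sample: the article's service declaration plus a hypothetical,
# unprotected .DebugService added for contrast.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.cmcc.media.hfp.aidl">
  <permission android:name="com.cmcc.media.hfp.aidl.NANO_REMOTE_SERVICE"
      android:protectionLevel="signature" />
  <application>
    <service android:name="com.cmcc.media.hfp.aidl.RemoteService"
        android:permission="com.cmcc.media.hfp.aidl.NANO_REMOTE_SERVICE"
        android:exported="true">
      <intent-filter><action android:name="com.cmcc.media.hfp.client.service" /></intent-filter>
    </service>
    <service android:name=".DebugService">
      <intent-filter><action android:name="example.DEBUG" /></intent-filter>
    </service>
  </application>
</manifest>"""

def audit_exported_services(manifest_xml):
    """Return (service, finding) pairs for exported services that are not
    guarded by a signature-level permission declared in this manifest."""
    root = ET.fromstring(manifest_xml)
    # Declared permissions -> base protection level ("normal" when omitted).
    declared = {p.get(A + "name"): p.get(A + "protectionLevel", "normal").split("|")[0]
                for p in root.iter("permission")}
    app = root.find("application")
    findings = []
    for svc in app.iter("service"):
        name = svc.get(A + "name")
        exported = svc.get(A + "exported")
        if exported is None:
            # Before Android 12 an intent filter implies exported="true";
            # apps targeting 12+ must state the attribute explicitly.
            exported = "true" if svc.find("intent-filter") is not None else "false"
        if exported != "true":
            continue
        # A component without its own permission inherits <application>'s.
        perm = svc.get(A + "permission") or app.get(A + "permission")
        if perm is None:
            findings.append((name, "exported without a permission"))
        elif perm not in declared:
            findings.append((name, "permission not declared in this manifest"))
        elif declared[perm] not in ("signature", "signatureOrSystem"):
            findings.append((name, "protection level is " + declared[perm]))
    return findings
```

On the sample, only the hypothetical .DebugService is reported; RemoteService passes because its permission is declared with protectionLevel="signature".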

-end-

    
