Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Android Custom Permission Fails Based on App Install Order

Having issues with my apps on Google Play. I have a free app which utilizes a custom permission. This permission allows access to paid apps. These paid apps act as "keys" and unlock features in the free app. Basically the free app will attempt to start the intent of one of the paid apps. The paid app will do some stuff and return saying whether the free app should unlock features or not.

Problem arises based on the order of app installation. If the free app is installed first then a paid app, the free app can't start the intent. Returns permission denial. If the paid app is installed first then the free app, the free app can start the intent no problem. Rebooting the device and/or force stopping the apps doesn't resolve the issue. I'm attaching the relavent code. Something tells me I'm doing something incorrectly.

  • Free App Manifest (relevant code):

    ...
    <uses-permission android:name="com.company.license.PERMISSION" />
    ...
    
  • Free App Code to check intent (relevant code):

    Intent KeyApp = new Intent("com.company.license.action.AUTH_1");
    KeyApp.putExtra("com.company.license.challenge", 1);
    
    //If free app is installed first, an exception is thrown for not having the proper permission. If paid app is installed first, no exception is thrown
    try {
        startActivityForResult(KeyApp, COMMING_FROM_KEYAPP);
    } catch (Exception e) {
        cancelStartUp();
    }
    
  • Paid App Manifest (relevant code):

    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.company.installer.1"
    ...
    <permission
        android:name="com.company.license.PERMISSION"
        android:icon="@drawable/icon"
        android:label="@string/app_name"
        android:protectionLevel="normal" >
    </permission>
    
    <application
        android:icon="@drawable/icon"
        android:label="@string/app_name"
        android:theme="@android:style/Theme.NoDisplay" >
    
        <activity
            android:name="com.company.license.auth"
            android:configChanges="keyboardHidden|orientation"
            android:exported="true"
            android:permission="com.company.license.PERMISSION"
            android:theme="@style/Theme.Transparent" >
            <intent-filter>
                <action android:name="com.company.license.action.AUTH_1" />
    
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </activity>
    
        <activity
            android:name="com.company.installer.redirect"
            android:configChanges="keyboardHidden|orientation"
            android:exported="true"
            android:theme="@style/Theme.Transparent" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
    
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
    
    </manifest>
    
like image 770
Jay Soyer Avatar asked Jul 30 '12 21:07

Jay Soyer


People also ask

Can Android apps define custom permissions?

Apps can define their own custom permissions and request custom permissions from other apps by defining <uses-permission> elements. However, you should carefully assess whether it is necessary for your app to do so.

How do I grant permission to install an app?

Go to “Settings -> Apps & notifications -> Advanced -> Special app access -> Install unknown apps.”

Can apps bypass Android permissions?

Android apps must ask for permission to access sensitive resources on the phone, like the GPS, the camera, or the user's contacts data. When you say that an app can't access your location data, the operating system can prevent it from doing so because it runs the app in its own sandbox.


1 Answers

Put the same <permission> element in both apps. Also, since this is specific to your two apps, I would use android:protectionLevel="signature" instead of normal -- this means the user will never need to approve the permission and nobody else will be able to request the permission. And, this recipe will allow installation in either order.

UPDATE: Note, however, that the use of custom permissions opens up potential vulnerabilities, due to Android's "first one in wins" approach.

UPDATE #2: And this is now no longer supported as of Android 5.0, as two apps cannot both have the same <permission> element unless they are signed by the same signing key.

like image 87
CommonsWare Avatar answered Oct 24 '22 07:10

CommonsWare