Menu
I want to export a ContentProvider for use by another one of MY apps. How do I prevent other apps from accessing it? If I use an android:permission attribute, can't 3rd party apps just apply that permission to their app? I really need to lock down access to my apps only.
Thanks in advance...
301
You can use the sharedUserId attribute in the AndroidManifest. xml 's manifest tag of each package to have them assigned the same user ID. By doing this, for purposes of security the two packages are then treated as being the same app, with the same user ID and file permissions.
An app will send a notification to ask for permission to use features on your phone, which you can Allow or Deny. You can also change permissions for a single app or by permission type in your phone's Settings.
If I use an android:permission attribute, can't 3rd party apps just apply that permission to their app?
Well, you can use a signature-level custom permission (android:protectionLevel="signature"). Then, the app holding the permission and the app defending itself with the permission have to be signed by the same signing key.
There's a bug/limitation in Android that can allow an attacker, installed before your app, to hold this permission even though the attacker is not signed by your signing key. I go into that in more detail in this report (as it's a bit complex for an SO answer) and have a PermissionUtils class to help you detect that case.
187
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
