Here is a test I ran to understand Android Content Provider permissions:
App ProviderApp manifest:
<provider
    android:authorities="com.mycompany.myProviderApp"
    android:name="com.mycompany.myProviderApp.ContentProviderForMyOtherApps"
    android:exported="true"/>
I also implemented a dummy ContentProvider (ContentProviderForMyOtherApps) with a basic query method returning a string in ProviderApp:
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
    String[] cols = {"column1"};
    MatrixCursor cursor = new MatrixCursor(cols);
    MatrixCursor.RowBuilder builder = cursor.newRow();
    builder.add("HELLO!");
    return cursor;
}
App ClientApp code:
Cursor cursor = getContentResolver().query(Uri.parse("content://com.mycompany.myProviderApp"),null,null,null,null);
cursor.moveToFirst();
Log.d(TAG, cursor.getString(0)); // output: HELLO!
Okay, so everything is working fine, ClientApp accesses the provider successfully.
But my understanding of the documentation, based on the excerpts below, is that ClientApp should have been denied access to the provider, because:
android:readPermission inside the provider (e.g. com.mycompany.myProviderApp.READ)uses-permission (e.g. com.mycompany.myProviderApp.READ)Documentation excerpts:
If a provider's application doesn't specify any permissions, then other applications have no access to the provider's data.
https://developer.android.com/guide/topics/providers/content-provider-basics.html#Permissions
android:exported
Whether the content provider is available for other applications to use: true: The provider is available to other applications. Any application can use the provider's content URI to access it, subject to the permissions specified for the provider.
https://developer.android.com/guide/topics/manifest/provider-element.html
Why is this code (provider and client declaring NO permissions) actually working?
(What have I missed in the documentation?)
The documentation has a bug. This:
If a provider's application doesn't specify any permissions, then other applications have no access to the provider's data.
should read as:
If a provider's application doesn't specify any permissions, then other applications' access to the provider's data is determined solely by the
android:exportedvalue (truegrants unlimited access to all applications;falseblocks access by other applications) andandroid:grantUriPermissionsvalue (which gets complicated).
IMHO, that whole section needs to be rewritten. But, with respect to your test, an exported permission-less provider is wide open, with any app being able to read and write with impunity.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With