How to use custom permissions in Android?

android permissions android-manifest
82,849

Solution 1

I created a test code you can use it and test your permissions. There are two applications PermissionTestClient which declares permission and protects its activity with this permission. Here is its manifest file:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.testpackage.permissiontestclient"
    android:versionCode="1"
    android:versionName="1.0" >

    <uses-sdk android:minSdkVersion="10" />
    <permission android:name="com.testpackage.mypermission" android:label="my_permission" android:protectionLevel="dangerous"></permission>

    <application
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name" >
        <activity
            android:permission="com.testpackage.mypermission"
            android:name=".PermissionTestClientActivity"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>

            <intent-filter >
                <action android:name="com.testpackage.permissiontestclient.MyAction" />
                <category android:name="android.intent.category.DEFAULT" />                
            </intent-filter>
        </activity>
    </application>

</manifest>

There is nothing special in Activity file so I will not show it here.

PermissionTestServer application calls activity from PermissionTestClient. Here is its manifest file: 

<?xml version="1.0" encoding="utf-8"?>


<uses-sdk android:minSdkVersion="10" />
<uses-permission android:name="com.testpackage.mypermission"/>

<application
    android:icon="@drawable/ic_launcher"
    android:label="@string/app_name" >
    <activity
        android:name=".PermissionTestServerActivity"
        android:label="@string/app_name" >
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />

            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
    </activity>
</application>

</manifest>

And Activity:

package com.testpackage.permissiontestserver;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;

public class PermissionTestServerActivity extends Activity {
    private static final String TAG = "PermissionTestServerActivity";

    /** Called when the activity is first created. */
    Button btnTest;
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);

        btnTest = (Button) findViewById(R.id.btnTest);
        btnTest.setOnClickListener(new OnClickListener() {

            @Override
            public void onClick(View v) {
                Log.d(TAG, "Button pressed!");
                Intent in = new Intent();
                in.setAction("com.testpackage.permissiontestclient.MyAction");
                in.addCategory("android.intent.category.DEFAULT");
                startActivity(in);
            }
        });
    }
}

To test it just remove uses-permission from Server application. You'll get security violation error.

Solution 2

You need to create a permission in your base app's manifest by declaring it exclusively. For example:

<permission android:name="your.namespace.permission.TEST"
    android:protectionLevel="normal" android:label="This is my custom  permission" />

And later make use of it in your desired app as:

<uses-permission android:name="your.namespace.permission.TEST" />

Note: It is vital to maintain the order in which you install your applications with custom permissions. i.e You must need to install that app first which declares the permission and later install the one which makes use of it. Any disruption in this order may break the usage of custom. permissions.

Solution 3

As mentioned in the answers, you should also take into account the order you install the apps.

this is important because:

if the App that requests the permission (App B) is installed before the App that defines the permission (App A), then there will be no such defined permission in the specific device so the OS won't ask for the permission at all.

later on, when you install the App A and try to run App B, the latter will fail to access the secure component.

One workaround would be to define the same custom permission in both Apps, A and B in order to make sure that the permission exists in the device regardless of which App is installed first, so when the App A is installed, the permission will be already granted to App B.

In that case though, you should make sure that the protection level is the same in both declarations because this can lead to security risk.

(note here that from android 5.0 and on you cannot define the same permission in more than one App, except when those Apps are signed with the same signature key).

Solution 4

The accepted answer shows the correct flow to create custom permissions. I have some note to decide which permission and permission name after my testing

android:protectionLevel="normal" // don't need user confirmation to grant, similar to some low-risk permission like android.permission.INTERNET

android:protectionLevel="dangerous" // need user confirmation to grant // similar to some high-risk permission like android.permission.CAMERA

android:protectionLevel="signature" // both app need to sign with the same signature

On Android < 6, user grant dangerous permission when install or update app. Android do it for us, we don't need to code
Android >= 6, user grant dangerous permission when using app (Runtime Permission). We need to code to request runtime permission

Android dangerous permission name need to has 2 parts (test on Android 10, Pixel 4XL), label, description, icon is not required to make permission work

<permission
        android:name="my.MyCustomPermission" // work well
        android:name="MyCustomPermission" // not work, the runtime permission dialog won't show
        android:label="" // don't required
        android:description="" // don't required
        android:icon="" // don't required

Solution 5

Defining custom permission is done using <Permission> tag.. Please follow the link below to use user defined permissions in application:

Declaring and Enforcing Permissions

Share:
82,849
pixel
Author by

pixel

Updated on July 08, 2022

Comments

  • pixel
    pixel almost 2 years

    I have two applications.

    One is declaring permission and having single Activity:

    Part of AndroidManifest.xml

    <application
    android:icon="@drawable/ic_launcher"
    android:label="@string/app_name"
    android:permission="your.namespace.permission.TEST" >
    <activity
        android:name=".DeclaringPermissionActivity"
        android:label="@string/app_name" >

        <intent-filter>
            <action android:name="android.intent.action.MAIN" />

            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>

        <intent-filter> 
         <action android:name="android.intent.action.VIEW" /> 
         <category android:name="android.intent.category.DEFAULT" /> 
         <category android:name="android.intent.category.BROWSABLE" /> 
         <data android:scheme="myapp"
             android:host="myapp.mycompany.com" /> 
        </intent-filter> 
    </activity>
</application>

    The second declares that is uses permission

    Part of AndroidManifest.xml

    <uses-sdk android:minSdkVersion="10" />
<uses-permission android:name="your.namespace.permission.TEST" />

<application

    Part of Activity:

    public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.main);

    startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse("myapp://myapp.mycompany.com/index")));
}

    I'm installing the application declaring permission, then I run the second application.

    In a result I get security exception:

     01-11 09:46:55.249: E/AndroidRuntime(347): java.lang.RuntimeException: Unable to start activity ComponentInfo{your.namespace2/your.namespace2.UsingPErmissionActivity}: java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.VIEW dat=myapp://myapp.mycompany.com/index cmp=your.namespace/.DeclaringPermissionActivity } from ProcessRecord{407842c0 347:your.namespace2/10082} (pid=347, uid=10082) requires your.namespace.permission.TEST
  • pixel
    pixel over 12 years
    Thanks, my mistake was to put permission attribute only to <application> element.
  • fr1550n
    fr1550n almost 11 years
    This does not work for me when I use android:protectionLevel="signature" in the PermissionTestClient, I use the permission on that apps launcher and get: Permission Denial: starting Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 cmp=my.package.foobar/.DashboardActivity } from null (pid=4070, uid=2000) requires my.custom.permission.ACCESS_ACTIVITY - so the app fails to launch it's own Activity 0_o
  • Yury
    Yury almost 11 years
    Signature level of permission means that your client and server should be signed with the same certificate. Try to launch the code using dangerous level and if everything is ok, then try to launch with signature. One more thing, if you use signature I think you need to export a signed apk files and then install them.
  • Tobrun
    Tobrun almost 10 years
    I would like to inform everybody about a security vulnerabiity related to using custom permissions. See this commonsware post: commonsware.com/blog/2014/02/12/…
  • Igor Čordaš
    Igor Čordaš over 9 years
    Concise and short and it works. Top voted answer is better but this is exactly what was asked in the question. One note thou, this is ALL you need to use custom permissions, becouse security manager takes care of the rest.
  • Anshu
    Anshu over 9 years
    I cannot get this to work, even when I declare uses-permission in the app that created the permission. It throws security exception at the start
  • waqaslam
    waqaslam over 9 years
    As long as I remember correctly, the order in which you install the apps matter too. First install the app which declares custom permission and then install the app which uses that custom permission.
  • Bharath Booshan
    Bharath Booshan about 9 years
    Can we use the custom permission within the application which created the permission?
  • waqaslam
    waqaslam about 9 years
    @BharathBooshan Yes, you can do that
  • Sanchit
    Sanchit over 7 years
    Put custom permission in both applications and then you do not have to worry about which application is installed first.
  • VIN
    VIN over 7 years
    Don't forget to add android:description = "string resource" attribute while defining your custom permission, this will be helpful while explicitly asking for permissions in marshmallow
  • ToBe
    ToBe about 7 years
    Is this still true? I can't reproduce the installation order bug. I have put the permission definition (<permission />) in just one app. No matter in which order I install the apps (I have uninstalled both for each test run first) it always works - at least for "signature" protected permissions...
  • waqaslam
    waqaslam over 4 years
    for signature level, the order doesn't matter.
  • Mike6679
    Mike6679 about 4 years
    Will this pop a dialog that prompts the user to accept the permission in app B ? If so how do you avoid that, signature level permission?
  • vicky
    vicky about 4 years
    Any solution for android 5.0 and above with different sign in key

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Getting internet permission in flutter app
Android 6.0+ java.io.FileNotFoundException: (Permission denied)
How i can request permission at runtime in Android?
Android Internet permission in Unity
ACCESS_FINE_LOCATION AndroidManifest Permissions Not Being Granted
What is the use of android permission Wake Lock?
List of Android permissions normal permissions and dangerous permissions in API 23?
Send sms permission doesn't work
Enable USB debugging (under settings/applications/development) programmatically from within an app
Android requires user to enable permissions for my app that are already requested in manifest