发表新帖
发表新帖

Android custom permissions - Marshmallow

后端 未结
关注
5 2016
失恋的感觉
失恋的感觉 2021-02-01 15:43

Background

Historically, Android Custom permissions have been a mess and were install order dependent, which was known to expose vulnerabilities.

Prior

5条回答
  • 长情又很酷
    长情又很酷 (楼主)
    2021-02-01 16:31

    As I understood you tried to do next thing (At least, that's how I was able to reproduce your problem):

    1. You declare your new custom permission in first (lets call it F) application

    2. You define that your F app uses com.example.app.permission.CONTROL_EXAMPLE_APP permission. That is right as the guideline says.

    3. You declare your custom broadcast receiver in your F app. To communicate with that broadcast your app (it's no matter which one, F or other app) must obtain your custom permission

    4. You define that you second (lets call it S) application uses com.example.app.permission.CONTROL_EXAMPLE_APP permission. Because you want to allow S app to send broadcast messages to F app receiver.

    5. Finally you try to send broadcast message from your S app using this code.

      final Intent intent = new Intent("com.example.app.REQUEST_RECEIVER");
context.sendOrderedBroadcast(intent, "com.example.app.permission.CONTROL_EXAMPLE_APP", new BroadcastReceiver() {
        @Override
        public void onReceive(final Context context, final Intent intent) {
            // getResultCode();
        }
    }, null, Activity.RESULT_CANCELED, null, null);

      And, this is important, you granted permission to your S app, but you didn't grant permission to your F app.

      As result your broadcast receiver declared in F app didn't receive anything.

    6. After you granted permission to your F app (Note that now S and F granted your custom permission) everything works fine. Broadcast receiver declared in F app received message from S app.

    I guess that is correct behaviour, because this doc says us:

    Note that, in this example, the DEBIT_ACCT permission is not only declared with the element, its use is also requested with the element. You must request its use in order for other components of the application to launch the protected activity, even though the protection is imposed by the application itself.

    And app which declare permission also must request the same permission to communicate with itself.

    As result, android API 23 should to get access to use your permission form user first. And we must to get 2 granted permissions, first from F app (because guidline says as that) and second from S app (because we just need to get access).

    But I didn't catch your next point:

    It would seem ridiculous to raise a dialog saying

    The application Example App wants permission to use Example App

    My native Android API 23 displays me something like that:

    The application Example App wants

    0 讨论(0)
 看不清?
提交回复
热议问题