I want to export a ContentProvider for use by another one of MY apps. How do I prevent other apps from accessing it? If I use an android:permission attribute, can't 3rd party apps just apply that permission to their app? I really need to lock down access to my apps only.
Thanks in advance...
If I use an android:permission attribute, can't 3rd party apps just apply that permission to their app?
Well, you can use a signature-level custom permission (android:protectionLevel="signature"). Then, the app holding the permission and the app defending itself with the permission have to be signed by the same signing key.
There's a bug/limitation in Android that can allow an attacker, installed before your app, to hold this permission even though the attacker is not signed by your signing key. I go into that in more detail in this report (as it's a bit complex for an SO answer) and have a PermissionUtils class to help you detect that case.
来源:https://stackoverflow.com/questions/23281860/how-do-i-restrict-access-to-my-contentprovider-to-only-my-apps