I am learning Android programming and I have kind of understood the concept of custom permission.
Based on my understanding this is how custom permissions works:
'Base app'can protect some of its components (e.g., activity and services) by declaring custom permissions (i.e., using <permission> tags in the manifest file) and the'client app' that calls the activities and services protected by custom permissions need to acquire necessary permissions (i.e., using <uses-permission> tags in the manifest file) to call those components in the base app.
However, I have these questions regarding custom permissions:
- If the custom permission is declared as dangerous (i.e.,
android:protectionLevel="dangerous"), does theclient appneeds to get the approval from the user during installation time? If so, how does the user aware of these custom permissions because there won't be any documentation for the custom permissions. - During installation time how does the
client appknows thatbase appis already installed in the user's phone? Is there anyway for theclient appto know this information? - Once the
client appis installed, what will happen if the user decides to remove thebase app? In this case, if the user tries to useclient appwill it cause any security exception?
I don't know whether these questions make sense but it makes me wonder how custom permissions actually work in real scenario.
Thank you.
The answers to your questions is give below. But you may refer http://developer.android.com/guide/topics/manifest/permission-element.html for a better understanding of Android permissions.
1.Yes, if you declare
android:protectionLevel="dangerous"
then the system may not automatically grant it to the requesting application.Any dangerous permissions requested by an application may be displayed to the user and require confirmation before proceeding.
The base app defining custom permission is supposed to provide a description via
android:description="string resource"
Here is the an example permission definition. Hope it is self explanatory.
<permission android:description="string resource"
android:icon="drawable resource"
android:label="string resource"
android:name="string"
android:permissionGroup="string"
android:protectionLevel=["normal" | "dangerous" |
"signature" | "signatureOrSystem"] />
2.As far as I know, there is no way for the client app to see the presence of base app at the time of installation. But it is possible when the client App is started. Anyway, permissions are granted by the Android system based on your android.xml file. So the client app don't have to bother about base app at the time of installation.
3.The base app can be removed even when client app is still installed. It won't through any error messages or security exceptions at any stage. But when you try to run client app again, you may get an 'Activity not found' exception at the point where you try to call a base app activity from client app.
来源:https://stackoverflow.com/questions/17078369/few-questions-about-custom-permissions-in-android