19

I am learning Android programming and I have kind of understood the concept of custom permission.

Based on my understanding this is how custom permissions works:

'Base app'can protect some of its components (e.g., activity and services) by declaring custom permissions (i.e., using <permission> tags in the manifest file) and the'client app' that calls the activities and services protected by custom permissions need to acquire necessary permissions (i.e., using <uses-permission> tags in the manifest file) to call those components in the base app.

However, I have these questions regarding custom permissions:

  1. If the custom permission is declared as dangerous (i.e., android:protectionLevel="dangerous"), does the client app needs to get the approval from the user during installation time? If so, how does the user aware of these custom permissions because there won't be any documentation for the custom permissions.
  2. During installation time how does the client app knows that base app is already installed in the user's phone? Is there anyway for the client app to know this information?
  3. Once the client app is installed, what will happen if the user decides to remove the base app? In this case, if the user tries to use client app will it cause any security exception?

I don't know whether these questions make sense but it makes me wonder how custom permissions actually work in real scenario.

Thank you.

Maggie
  • 5,923
  • 8
  • 41
  • 56
  • Refer this link http://stackoverflow.com/questions/8816623/how-to-use-custom-permissions-in-android this will help – Manu Jul 08 '13 at 12:04

1 Answers1

2

The answers to your questions is give below. But you may refer http://developer.android.com/guide/topics/manifest/permission-element.html for a better understanding of Android permissions.

1.Yes, if you declare

android:protectionLevel="dangerous"

then the system may not automatically grant it to the requesting application.Any dangerous permissions requested by an application may be displayed to the user and require confirmation before proceeding.

The base app defining custom permission is supposed to provide a description via 

android:description="string resource"

Here is the an example permission definition. Hope it is self explanatory.

<permission android:description="string resource"
android:icon="drawable resource"
android:label="string resource"
android:name="string"
android:permissionGroup="string"
android:protectionLevel=["normal" | "dangerous" | 
 "signature" | "signatureOrSystem"] />

2.As far as I know, there is no way for the client app to see the presence of base app at the time of installation. But it is possible when the client App is started. Anyway, permissions are granted by the Android system based on your android.xml file. So the client app don't have to bother about base app at the time of installation.

3.The base app can be removed even when client app is still installed. It won't through any error messages or security exceptions at any stage. But when you try to run client app again, you may get an 'Activity not found' exception at the point where you try to call a base app activity from client app.

Vishnuprasad R
  • 1,682
  • 13
  • 23
  • 4
    Two important points: First, the user acceptance is all-or-nothing, either install the app with the permission warnings, or don't install it. Second, if the granting app wasn't installed before the using app, the permissions will not be granted and the functionality which depends on them will not work. – Chris Stratton Jun 13 '13 at 19:26