Create an android service which can be called only by certain apps

Question

The design is like Master-follower app in android. Where when follower app comes up it needs to start a service in the Master app [Not the master app itself, no Activity just service]. And get results from the master service.

I have something like this :

<!-- Android provider backend service -->
<service android:name="com.abc.shop.ABCProductService" android:exported="true">
        <intent-filter>
            <action android:name="com.abc.shop.ABCProductService" />
        </intent-filter>
</service>

Now I can call something like from inside an Activity in the follower app.

Intent intent = new Intent("com.abc.shop.ABCProductService");
this.startService(intent);

In service implementation I return STICKY, so as the service is not destroyed.

@Override
public int onStartCommand(Intent intent, int flags, int startId) {
    ....//some init stuff
    return START_STICKY;
}

I have two questions here :

1. The service does not start using the above code. I am certain about it as when I try to find the service in the running service it is not there.

2. I do not want any other app to be able to call this service except my Follower app, which would be signed by the same author. Any way to achieve this security/authentication?

Forgive my novice question, I tried to find the solution but could find no good solution.

Thanks Varun

Answer 1

Where when follower app comes up it needs to start a service in the Master app [Not the master app itself, no Activity just service]

You cannot have a service of an app run without the app itself running. A service is a part of an app, just as an activity is a part of an app.

Now I can call something like from inside an Activity in the follower app.

Note that you are starting any service that has an <intent-filter> for this action string, which may or may not be your service.

In service implementation I return STICKY, so as the service is not destroyed.

Unless you are expressly calling stopService() or stopSelf() somewhere, you will be wasting the user's system RAM needlessly. Only have your service running when it is actively delivering value to the user.

The service does not start using the above code.

You will need to debug your app. Check LogCat for messages. There's nothing obviously wrong from what you have posted. I would not rely upon some running-services list, but rather whether the service is doing what it is supposed to do.

I do not want any other app to be able to call this service except my Follower app, which would be signed by the same author. Any way to achieve this security/authentication?

The master app can define a signature-level <permission> and have an android:permission attribute on the <service> to defend it with that permission. The follower app would need the corresponding <uses-permission> element and, as you state, would have to be signed by the same signing key. Note that this too has vulnerabilities, though the "L" Developer Preview changes the game a bit.