12

I am new to Android and have a question regarding protection level "Signature" for permissions in AndroidManifest.xml.

The Android reference document states about "Signature" protection level:

A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.

This implies that permissions which have protection level "Signature" are not available to use by normal application and can only be used Android Dev Team.

What I am wondering about is that how many applications in Android Market or on other sites can have these permissions? Like an application which is used for recording calls has android.permission.DEVICE_POWER in addition to other permissions. Is Android system really granting this permission to this application while installation?

When I tried to use the permission "READ_INPUT_STATE" (new in 2.2) I got the following error in LogCat:

06-28 09:28:34.943: WARN/PackageManager(60): Not granting permission android.permission.READ_INPUT_STATE to package com.example.wheredoyoulive (protectionLevel=2 flags=0x8444)

The same is true for permissions with Protection Level "SignatureOrSystem". There exists a caller application which has CALL_PRIVILEGED permission in addition to other permissions.

Please help me and clear my doubts.

Regards

Abhishek

Ilya Gazman
  • 31,250
  • 24
  • 137
  • 216
tandon16
  • 121
  • 1
  • 1
  • 3

2 Answers2

7

I believe the purpose of the "Signature" permission level is for two applications by the same developer to be able to share data seamlessly without bothering the user. The READ_INPUT_STATE permission is not intended to be used in applications:

Allows an application to retrieve the current state of keys and switches. This is only for use by the system.

See http://developer.android.com/reference/android/Manifest.permission.html#READ_INPUT_STATE

Computerish
  • 9,590
  • 7
  • 38
  • 49
  • Thanks for the response. In the case that you have mentioned the developer has to create a new Custom Permission to fully utilize the facilities provided by the protection level to my application. I gave the permission "READ_INPUT_STATE" to my sample application just to check what will happen if I give Signature level permission. – tandon16 Jun 28 '10 at 05:44
  • I have some doubts regarding the "Signature" protection level. By going with the discussion above can we conclude that no third party application will be granted permissions with protection level "Signature" or "SignatureOrSystem"? My original question was: "What I am wondering about is that how many applications in Android Market or on other sites can have these permissions? Like an application which is used for recording calls has android.permission.DEVICE_POWER in addition to other permissions. Is Android system really granting this permission to this application while installation?" – tandon16 Jun 29 '10 at 02:43
  • Can you point me to an application that has the `DEVICE_POWER` permission? According to this, no (non-system) application can use that permission: http://stackoverflow.com/questions/733721/android-activation-of-the-system-key-lock – Computerish Jun 29 '10 at 04:58
  • Sorry for delayed response. The name of the application is CallRecorder v2.8.0. Although I don't have this application, I have seen the application and it's permissions at http://www.androlib.com/android.application.com-opensystem-callrecord-jjDw.aspx. – tandon16 Jul 01 '10 at 07:39
  • Please note that this question was asked while learning Android system to clear the doubts about the Android Permission Mechanisms.It has nothing to do with the application developer of the CALL RECORDER or with the owner of the site hosting the application. – tandon16 Jul 01 '10 at 12:14
  • I'm sorry, but I really don't know. All I can say is that in the Android market, it doesn't look like it has the ability to turn off the phone (which is what I assume DEVICE_POWER does). Look up that app in the market, press the MENU button, and then click on Security. – Computerish Jul 06 '10 at 02:03
0

Facebook home uses this,

once you install it you'll notice that it doesn't request ANY permissions, but explicitly requires that the facebook app be installed, this is so that the system can grant it the necessary permissions by proxy of the Facebook app.

Typically what happens is the Facebook app with advertise facilities for other apps to read your status and news feed, normally these apps would need to explicitly request permission to use them if they are signed under a different certificate or rather private key.

Keith Makan
  • 1