Android Marshmallow, "dangerous" protection level and system components/apps

Question

I'm developing an application that going to be pr-installed (as a system app) on the firmware.

from the documentation so far about the relation between system apps, new permissions model, and the protection levels - I don't understand exactly when system app needs (if at all) to request user permission.

My problems starts when I try to use the WRITE_EXTERNAL_STORAGE permission. from the documentation I can see that it marked as "dangerous" permission.

- does "dangerous" permissions grant automatically to system apps?

when I use WRITE_EXTERNAL_STORAGE permission (as a system app) I'm getting security exception, and I don't know if it's mean that even tough my app installed as a system app - "dangerous" permissions must be requested by the user..

another point to mention:
to check the app behavior as a system app, I'm installing my application APK on the sys-priv directory (the device is rooted) of a nexus 5 running SDK preview 3. this is when I'm getting the security exception when attep to use methods requires the external storage permission..

Hello Tal, have you been to any conclusion with your question? I have the same situation and have some findings make me confused. I just flashed a new M image to my nexus 5 and checked the pre-loaded applications permissions. Most of them are granted some dangerous permissions by default. For example Hangouts have access to Contacts, Phone & SMS's. Phone app again has access to calls, contacts, phone. Photos app has access to Storage. How could this be? There should be a way to grant preloaded apps with some permissions, right? — mehmet6parmak, Nov 10 '15 at 08:52
@mehmet6parmak: yes, I have conclusion. as commonsWare unswered: on the developer preview 3 (and on the final android 6 version also) dangerous permissions are not granted automatically to system applications. you'll have to ask the user to grant them even if your app installed as a system app. — Tal Kanel, Nov 10 '15 at 08:56
the answer to - how can it be that you see google apps that granted this permissions without user interaction: probably they signed with same cetificate such other google components that already have this permission (see the protection levels definitiions..) — Tal Kanel, Nov 10 '15 at 08:59
Thank you for quick response, even they share same signature and sharedUserId there should be an app having these permissions by default, right? How could that app have it? Which application is that? :) — mehmet6parmak, Nov 10 '15 at 09:18
I don't know :-( but when you'll find out I'll be glad that you'll tell me your findings.. — Tal Kanel, Nov 10 '15 at 09:21

score 9 · Answer 1 · edited May 23 '17 at 12:00

After a lot of digging and debugging, I finally found some clue of granting runtime permission on marshmallow for system app, with a lot of inspirations in this stackoverflow ticket.

The key logic is in DefaultPermissionGrantPolicy. After systemReady, PackageManagerService checks if this user's default runtime permissions are not set yet(i.e. this is a new user), if so, PackageManagerService calls DefaultPermissionGrantPolicy.grantDefaultPermissions() to check/grant permissions:

public void grantDefaultPermissions(int userId) {
    grantPermissionsToSysComponentsAndPrivApps(userId);
    grantDefaultSystemHandlerPermissions(userId);
}

There are two cases that your built-in app may be automatically granted with runtime permission.

A> grantPermissionsToSysComponentsAndPrivApps -> will grant runtime permission with FLAG_PERMISSION_SYSTEM_FIXED and FLAG_PERMISSION_GRANTED_BY_DEFAULT.

if your system app has uid<10000, you will be granted with permissions for your user group.
if your system app fits all below conditions, it will be granted the permissions.
1. is a privilegedApp (under /system/priv-app/)
2. is persistent (android:persistent="true")
3. signed with platform signature.

B> grantDefaultSystemHandlerPermissions -> will grant runtime permission with FLAG_PERMISSION_GRANTED_BY_DEFAULT .

If your app is considered as a "default platform handler app", (i.e. your app is "expected to work out-of-the-box", like camera, dialer, SMS, calendar .etc, you can read more in method grantDefaultSystemHandlerPermissions()).

Other than that, your system application needs to ask user for granting dangerous permission, as long as it has targetSdk set to 23.

Do you have any more resources you recommend? I am developing a system/priv-app/ application for custom hardware, but don't have access to the platform key. On the android tv I am testing this on however, I noticed the Facebook app and another app have their permissions auto granted on factory reset. how can this be? — parkgrrr, May 25 '17 at 04:09
Is the auto-granted permission you saw on facebook a runtime permission or a install permission? Is the facebook app you are using targeting 23+ sdk? — Gracie, May 26 '17 at 05:14

score 5 · Accepted Answer · answered Sep 06 '15 at 12:49

5

Quoting the release notes for the 2nd M preview:

Apps included in the system image are no longer granted dangerous permissions automatically. All apps should check for and request permissions at runtime.

That fits with what I recall seeing when I first used the stock Camera app on a Nexus 5 with the final(?) 6.0 preview firmware — it too asked for the runtime permission.

So, AFAIK, system apps have to ask for runtime permissions, as do non-system apps.

answered Sep 06 '15 at 12:49

CommonsWare

986,068
189
2,389
2,491

thanks. do you have any idea if that's going to be change in the final release? – Tal Kanel Sep 06 '15 at 12:55
2

@TalKanel: Since it started with "no, system apps do not need to ask for runtime permissions", then changed to "well, actually, system apps *do* need to ask for runtime permissions", I will be surprised if it changes back. I assume that there's some way for device manufacturers/ROM modders to pre-populate the database of granted permissions. But since the user can always revoke those permissions, you still need to do some amount of runtime permission checking. – CommonsWare Sep 06 '15 at 13:18
there is one thing I don't understand: seems like google play app (I verified it target 23) don't need to ask user to grant the write external storage to download and install APK's. when I press "install" on an app from google play - it works seamlessly. how can it be? – Tal Kanel Sep 09 '15 at 06:56
@TalKanel: I don't know what "google play app" is, sorry. – CommonsWare Sep 09 '15 at 11:08
@TalKanel: You would have to ask Google. That being said, AFAIK the Play Store app does not write to external storage. – CommonsWare Sep 09 '15 at 12:05
so do you have any idea how it downloads apk files to? Can't it be that they download the apk to the internal application files dir? – Tal Kanel Sep 09 '15 at 12:07
1

@TalKanel: I would assume that the Play Store downloads to internal storage, and that it has special tricks to work with the package installer in that fashion. Again, you would have to ask Google. – CommonsWare Sep 09 '15 at 12:32
Hello @CommonsWare, do you have any info or idea about --> I just flashed a new M image to my nexus 5 and checked the pre-loaded applications permissions. Most of them are granted some dangerous permissions by default. For example Hangouts have access to Contacts, Phone & SMS's. Phone app again has access to calls, contacts, phone. Photos app has access to Storage. How could this be? There should be a way to grant preloaded apps with some permissions, right? – mehmet6parmak Nov 10 '15 at 08:55
I`m encountering the same issue. Still not clear how to grant a dangerous-level permission - But i can assure that the pre-installed Contacts app allow that. – gor Jul 03 '16 at 07:04

Android Marshmallow, "dangerous" protection level and system components/apps

2 Answers2

Linked