tags:

views:

63

answers:

1
Q: 

Regarding Android Permissions and Signature Protection level ...

Hi,

I am new to Android and have a question regarding protection level "Signature" for permissions in AndroidManifest.xml.

The Android reference document states about "Signature" protection level:

"A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval."

This implies that permissions which have protection level "Signature" are not available to use by normal application and can only be used Android Dev Team.

What I am wondering about is that how many applications in Android Market or on other sites can have these permissions? Like an application which is used for recording calls has android.permission.DEVICE_POWER in addition to other permissions. Is Android system really granting this permission to this application while installation?

When I tried to use the permission "READ_INPUT_STATE" (new in 2.2) I got the following error in LogCat:

06-28 09:28:34.943: WARN/PackageManager(60): Not granting permission android.permission.READ_INPUT_STATE to package com.example.wheredoyoulive (protectionLevel=2 flags=0x8444)

The same is true for permissions with Protection Level "SignatureOrSystem". There exists a caller application which has CALL_PRIVILEGED permission in addition to other permissions.

Please help me and clear my doubts.

Regards

Abhishek

A: 

I believe the purpose of the "Signature" permission level is for two applications by the same developer to be able to share data seamlessly without bothering the user. The READ_INPUT_STATE permission is not intended to be used in applications:

Allows an application to retrieve the current state of keys and switches. This is only for use by the system.

See http://developer.android.com/reference/android/Manifest.permission.html#READ_INPUT_STATE

Computerish  2010-06-28 04:48:21
Thanks for the response. In the case that you have mentioned the developer has to create a new Custom Permission to fully utilize the facilities provided by the protection level to my application.I gave the permission "READ_INPUT_STATE" to my sample application just to check what will happen if I give Signature level permission.
tandon16  2010-06-28 05:44:23
Ok, Is your question resolved then?
Computerish  2010-06-28 14:35:45
I have some doubts regarding the "Signature" protection level. By going with the discussion above can we conclude that no third party application will be granted permissions with protection level "Signature" or "SignatureOrSystem"? My original question was:"What I am wondering about is that how many applications in Android Market or on other sites can have these permissions? Like an application which is used for recording calls has android.permission.DEVICE_POWER in addition to other permissions. Is Android system really granting this permission to this application while installation?"
tandon16  2010-06-29 02:43:34
Can you point me to an application that has the `DEVICE_POWER` permission? According to this, no (non-system) application can use that permission: http://stackoverflow.com/questions/733721/android-activation-of-the-system-key-lock
Computerish  2010-06-29 04:58:15
Sorry for delayed response. The name of the application is CallRecorder v2.8.0. Although I don't have this application, I have seen the application and it's permissions at http://www.androlib.com/android.application.com-opensystem-callrecord-jjDw.aspx.
tandon16  2010-07-01 07:39:39
Please note that this question was asked while learning Android system to clear the doubts about the Android Permission Mechanisms.It has nothing to do with the application developer of the CALL RECORDER or with the owner of the site hosting the application.
tandon16  2010-07-01 12:14:48
I'm sorry, but I really don't know. All I can say is that in the Android market, it doesn't look like it has the ability to turn off the phone (which is what I assume DEVICE_POWER does). Look up that app in the market, press the MENU button, and then click on Security.
Computerish  2010-07-06 02:03:59

related questions

Can't copy file with appropriate permissions using FileIOPermission
GetProcessesByName() and Windows Server 2003 scheduled task
Starting a process in C# with username & password throws "Access is Denied" exception
How do you set directory permissions in NSIS?
PHP: How to check if a directory is writeable?
Sharepoint Item Level Access & performance
sudo echo "something" >> /etc/privilegedFile doesn't work... is there an alternative?
What is the best way to create a security architecture?
Hierarchical Group Permissions Theory/Resources?
Why is access denied when installing SSL cert on IIS 5?
What databases do I have permissions on
Can an iPhone App Be Run as Root?
SQLite/PHP read-only?
Multiple permission types (roles) stored in database as single decimal
SharePoint Permissions
CakePHP ACL Database Setup: ARO / ACO structure?
LINQ and Database Permissions
What's the best way to implement a SQL script that will grant select, references, insert, update, and delete permissions to a database role on all the user tables in a database?
php scripts writing to non-world-writable files
How do I detect if a function is available during JNLP execution?
Implementing permissions in PHP
Access Control Lists & Access Control Objects, good tutorial?
In Visual Studio you must be a member of Debug Users or Administrators to start debugging. What if you are but it doesn't work?
Where should I put my log file for an asp.net application?
What is the best way to handle multiple permission types?