Permissions

  • Each application is sandboxed, meaning it cannot access the data of other applications.

  • Each app has its own user on the OS; this means that if user_1 tries to access the app data of user_2, access is denied. These permissions are defined in a file called platform.xml (/etc/permissions/platform.xml).

  • Use the package manager from an adb shell to list the packages with the -U flag and notice that each app has a unique user ID:

    davinci:/ $ pm list packages -U
    package:com.android.thememanager.module uid:10095
    package:com.lbe.security.miui uid:10047
    package:com.qualcomm.qti.server.wigig.tethering.rro uid:10277
    package:com.android.bluetooth uid:1002
    package:com.qualcomm.timeservice uid:10157
    package:com.miui.newmidrive uid:10070
    package:com.qualcomm.atfwd uid:10133
    package:com.qualcomm.embms uid:10094
    package:com.android.providers.contacts uid:10031

📌App Permissions

Custom permissions can be defined to allow specific data sharing between applications. The protection levels for custom permissions are “dangerous,” “normal,” and “signature.”

  • “dangerous” permissions require the user to grant permission and decide whether to allow or deny access to certain sensitive features or data on the device.

  • “normal” grants the permission automatically without asking.

    • It's not the right option for sensitive permissions.

  • “signature” allows access only for applications signed with the same key. Signature protection is the most secure but may not be practical in practice. Hence, a “dangerous” protection level is commonly used, although it may lead to some security risks.

📍We have three files that are part of the Android operating system and are related to various aspects of the system’s configuration and permissions. Here’s a brief overview of each file:

📍/data/system/packages.xml:

  • It contains the granted permissions to each app on the system.

  • The packages.xml file is located in the /data/system/ directory of an Android device. This file is used by the Android Package Manager (PackageManager) to store information about installed packages (applications) on the device. It contains details about each installed app, such as package name, version, installation status, granted permissions, and other package-related information.

  • When an app is installed or uninstalled on the device, the Package Manager updates this file to reflect the system’s package database changes. The file is essential for keeping track of the installed apps and their permissions.

    <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
    <packages>
        <package name="com.example.app1" codePath="/data/app/com.example.app1" nativeLibraryPath="/data/app/com.example.app1/lib" flags="..."
            version="12345" userId="10000" installer="com.android.vending">
            <!-- More details about the package -->
            <sigs count="1">
                <cert index="..." />
            </sigs>
            <perms>
                <item name="android.permission.CAMERA" granted="true" flags="0" />
                <item name="android.permission.INTERNET" granted="true" flags="0" />
                <!-- More permissions -->
            </perms>
            <!-- More details about the package -->
        </package>
    
        <package name="com.example.app2" codePath="/data/app/com.example.app2" nativeLibraryPath="/data/app/com.example.app2/lib" flags="..."
            version="67890" userId="10001" installer="com.android.vending">
            <!-- More details about the package -->
            <sigs count="1">
                <cert index="..." />
            </sigs>
            <perms>
                <item name="android.permission.CAMERA" granted="true" flags="0" />
                <item name="android.permission.RECORD_AUDIO" granted="false" flags="0" />
                <!-- More permissions -->
            </perms>
            <!-- More details about the package -->
        </package>
    </packages>

  • As we see, every app has its own user ID, and that user can access only the data belonging to that app.
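As an added example (not part of the original page), the following Python script parses a constructed packages.xml in the shape shown above and reports each package's UID and granted permissions, which is how a reviewer would audit what an installed app actually holds:

```python
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the packages.xml excerpt above
# (not a real device file).
SAMPLE_PACKAGES_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<packages>
    <package name="com.example.app1" version="12345" userId="10000">
        <perms>
            <item name="android.permission.CAMERA" granted="true" flags="0" />
            <item name="android.permission.INTERNET" granted="true" flags="0" />
        </perms>
    </package>
    <package name="com.example.app2" version="67890" userId="10001">
        <perms>
            <item name="android.permission.CAMERA" granted="true" flags="0" />
            <item name="android.permission.RECORD_AUDIO" granted="false" flags="0" />
        </perms>
    </package>
</packages>
"""

def parse_packages(xml_text):
    """Return {package: {"uid": int, "granted": set, "denied": set}}."""
    root = ET.fromstring(xml_text)
    result = {}
    for pkg in root.iter("package"):
        granted, denied = set(), set()
        for item in pkg.findall("perms/item"):  # only <perms><item/></perms>
            bucket = granted if item.get("granted") == "true" else denied
            bucket.add(item.get("name"))
        result[pkg.get("name")] = {
            "uid": int(pkg.get("userId")),
            "granted": granted,
            "denied": denied,
        }
    return result

def holders_of(packages, permission):
    """Packages that currently hold `permission` (sorted for stable output)."""
    return sorted(n for n, p in packages.items() if permission in p["granted"])

def uids_are_unique(packages):
    """Sandbox sanity check: no two apps may share a Linux UID."""
    uids = [p["uid"] for p in packages.values()]
    return len(uids) == len(set(uids))

if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_PACKAGES_XML)
    print(holders_of(pkgs, "android.permission.CAMERA"), uids_are_unique(pkgs))
```

Point the script at a packages.xml pulled from a rooted test device to get the same view of which apps hold a given dangerous permission.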

📍/etc/permissions/platform.xml:

  • The platform.xml file is part of the Android operating system’s configuration and is located in the /etc/permissions/ directory.

  • This file defines the system-wide permissions for all applications on the device. It contains a list of permission definitions, each with a unique name and protection level.

  • As mentioned above, permissions defined in platform.xml determine how sensitive data or device features can be accessed by different applications. The file plays a crucial role in enforcing security and access controls across the entire Android system.

  • To read this file:

    davinci:$ cat /etc/permissions/platform.xml
  • Output:

    <?xml version="1.0" encoding="utf-8"?>
    
    <permissions>
        <!-- Define permission groups -->
        <permission-group name="android.permission-group.LOCATION" >
            <item name="android.permission.ACCESS_FINE_LOCATION" />
            <item name="android.permission.ACCESS_COARSE_LOCATION" />
        </permission-group>
    
        <!-- Define permissions -->
        <permission name="android.permission.ACCESS_FINE_LOCATION" >
            <group gid="android.permission-group.LOCATION" />
            <!-- More details about the permission -->
        </permission>
    
        <!-- More permission groups and permissions -->
    </permissions>
  • File Content

    1. <permissions> Element:

      • This is the root element of the XML document, indicating that it contains permission-related information.

    2. Permission Groups:

      • <permission-group> elements are used to define groups of related permissions. In this example, a group named android.permission-group.LOCATION is defined.

      • Within the group, there are two <item> elements specifying individual permissions: ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION. These permissions are related to location access.

    3. Individual Permissions:

      • <permission> elements define individual permissions. In this case, ACCESS_FINE_LOCATION is being defined.

      • The <group> element inside the permission specifies the group to which the permission belongs. This links the individual permission to the LOCATION group.

📍android_filesystem_config.h:

  • The android_filesystem_config.h file is a header file in the Android source code. It defines the permissions and attributes for various directories and files in the Android filesystem. Each entry in this file specifies the default permissions (owner, group, others) and the SELinux context for a specific path in the Android filesystem.

  • When the Android system is built, this file is used to set the appropriate permissions and attributes for different directories and files. It ensures that the correct security context and permissions are applied to system resources during runtime.

  • We don’t care that much about this file, because it grants permissions to system-predefined users.

Note that these files are part of the Android operating system’s internal configuration and are not meant to be directly modified or accessed by regular users (“until you root the device”) or third-party applications. Making changes to these files without proper understanding or authorization can lead to system instability or security issues. They are primarily used by the Android OS itself to manage app installations, permissions, and filesystem configurations.

📌But how can APP 1 read data from APP 2?

  • To enable one app to access data or perform specific actions in another app, you define a custom permission using the <permission> element in the manifest of the app providing the data or functionality, and then use the <uses-permission> element in the manifest of the app that wants to access that data or functionality.

📍An Example

  1. Provider App (Providing Data):

    • Assume you have an app that provides some sensitive data, and you want to allow other apps to access this data only if they have specific permission.

      <permission
          android:name="com.example.providerapp.PERMISSION_ACCESS_DATA"
          android:label="Access Provider App Data"
          android:protectionLevel="dangerous" />
  2. Client App B (Accessing Data):

    • Assume you have another app that wants to access the data provided by the first app. This app needs to request and be granted the custom permission defined in the provider app’s manifest.

      <!-- Request permission to access data from the Provider App -->
      <uses-permission android:name="com.example.providerapp.PERMISSION_ACCESS_DATA" />
  • In Summary,

    1. The Provider App defines a custom permission named PERMISSION_ACCESS_DATA using the <permission> element. The permission has a protection level of dangerous, which requires explicit user consent.

    2. The Client App wants to access data from the Provider App. It requests the PERMISSION_ACCESS_DATA permission using the <uses-permission> element.

    3. When the client app is installed, it will need to explicitly request the PERMISSION_ACCESS_DATA permission from the user. If the user grants permission, the client app can then access the data or perform the allowed actions provided by the provider app.
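To make the three protection levels concrete, here is an added Python model (not from the original page or from Android's own code) that parses constructed provider and client manifest fragments like the ones above and returns whether a request for the custom permission would be granted; the same_signing_key and user_allowed flags are assumptions standing in for the certificate comparison and the runtime prompt.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # manifest namespace

# Constructed manifest fragments in the shape of the example above.
PROVIDER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.providerapp">
    <permission
        android:name="com.example.providerapp.PERMISSION_ACCESS_DATA"
        android:label="Access Provider App Data"
        android:protectionLevel="dangerous" />
</manifest>"""

CLIENT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.clientapp">
    <uses-permission android:name="com.example.providerapp.PERMISSION_ACCESS_DATA" />
</manifest>"""

def declared_permissions(manifest_xml):
    """{permission name: protectionLevel} for every <permission> in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name"): p.get(ANDROID_NS + "protectionLevel", "normal")
            for p in root.iter("permission")}

def requested_permissions(manifest_xml):
    """Set of permission names the client asks for via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {u.get(ANDROID_NS + "name") for u in root.iter("uses-permission")}

def grant_decision(provider_xml, client_xml, permission,
                   same_signing_key=False, user_allowed=False):
    """Model of how the three protection levels decide a grant.

    Returns (granted, reason). same_signing_key and user_allowed are
    assumed inputs standing in for the cert check and the runtime prompt.
    """
    levels = declared_permissions(provider_xml)
    if permission not in levels:
        return False, "provider does not declare this permission"
    if permission not in requested_permissions(client_xml):
        return False, "client manifest lacks <uses-permission>"
    level = levels[permission]
    if level == "normal":
        return True, "normal: granted automatically at install"
    if level == "signature":
        return same_signing_key, "signature: requires the provider's signing key"
    if level == "dangerous":
        return user_allowed, "dangerous: requires the user to allow at runtime"
    return False, f"unknown protection level {level!r}"
```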

