[Android framework protected API] Permission protection level definitio

by Guillaume Leterrier » Mon, 16 Mar 2009 20:22:31 GMT


 Hi,

 

Looking at the following developer web link that describes the core
android permissions,

 

http://developer.android.com/reference/android/Manifest.permission.html

 

The list encompasses the permissions associated with the Android protected
API available from the Android frameworks.

 

However, I could not find any information related to the associated
protection level.

I guess this would be very useful to know for the application developers
and get the web link updated.

 

So, digging in the file "Frameworks\base\core\res\AndroidManifest.xml",
one could find such data.

 

Most of the permissions are defined as dangerous and a few others as
normal.

The remaining ones, related mostly to the system, are based on
signature protection.

 

Questions:

 

1)

 

Because the signature protection levels for the framework are defined in
a unique manifest XML file, 

 

- does it mean that there is no means to have different permissions
protected by different signature keys (but splitting the file and
framework API in groups)?

 

2)

The android framework is stored under the file directory
\system\framework\

 

- Is this directory considered as one Android package signed by the
current android system unique key?

- For permissions protected by signature or signatureOrSystem, what key
is used for such protection verification? The OEM/system key?

 

3)

 

- If the OEMs modify a few framework permission signature rules
(dangerous => signature...), how will application compatibility be
ensured on the Android platform across various OEM smartphones?

 

 

Guillaume
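
Added example, not part of the original post and not Android project code: a Python script that reads the protection level of each `<permission>` in a source-form (text XML) AndroidManifest.xml, groups permissions by level, and, going one step past the lookup described in the post, reports permissions whose level differs between a reference manifest and a modified one, as in question 3. The two manifests, the permission names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests; permission names and levels are made up.
REFERENCE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="android">
  <permission android:name="example.permission.READ_THING"
      android:protectionLevel="dangerous" />
  <permission android:name="example.permission.VIBRATE_THING" />
  <permission android:name="example.permission.SET_SYSTEM_THING"
      android:protectionLevel="signatureOrSystem" />
</manifest>"""

# Same manifest with one rule tightened (dangerous => signature).
OEM = REFERENCE.replace('"dangerous"', '"signature"')


def protection_levels(manifest_xml):
    """Map each declared permission name to its protectionLevel."""
    root = ET.fromstring(manifest_xml)
    levels = {}
    for perm in root.iter("permission"):
        name = perm.get(f"{{{ANDROID_NS}}}name")
        # An omitted protectionLevel attribute means "normal".
        levels[name] = perm.get(f"{{{ANDROID_NS}}}protectionLevel", "normal")
    return levels


def group_by_level(levels):
    """Group permission names under their protection level."""
    groups = defaultdict(list)
    for name, level in sorted(levels.items()):
        groups[level].append(name)
    return dict(groups)


def changed_levels(reference, other):
    """Permissions present in both manifests whose level differs."""
    return {name: (ref, other[name])
            for name, ref in sorted(reference.items())
            if name in other and other[name] != ref}


if __name__ == "__main__":
    ref, oem = protection_levels(REFERENCE), protection_levels(OEM)
    for level, names in group_by_level(ref).items():
        print(level, names)
    for name, (old, new) in changed_levels(ref, oem).items():
        print(f"{name}: {old} -> {new}")
```
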



Other Threads

1. No security mechanism to protect against reflection

You can load and use the classes, but they will execute with the permission
of your app, not of the app whose code you're borrowing. Or are you saying
the code runs as the other app?

Even if Android did stop app A from borrowing app B's code as found on the
device, app A (or the developer of A) could still simply download the .apk
off Market and borrow it that way.

What's the threat you're worried about, exactly?





As you know, you can easily load any class using this API call:

// Ask for the code of the foreign context to be included and to ignore
// any security given by the cross-process (owner) execution.
// In a working environment, add error checking ...
Context tmpCtxt = createPackageContext("com.google.android.notepad",
        Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY);
Class<?> c = tmpCtxt.getClassLoader().loadClass(
        "the.name.of.a.package.already.deployed.on.the.device");
// Do normal Java reflection things with c

So does that mean anyone can load my code and execute it using
reflection? Is there anything that protects Android from this kind of
attack?

2. Can other applications use the share function of "Facebook for Android"?

Hi, guys

"Facebook for Android" is great, but I just wonder whether my
application can use its share function. Or does "Facebook
for Android" release some APIs that let other applications use the
built-in functions like "share" or "feed"?

Any advice is greatly appreciated. Thanks.