Limit content provider access

by AndroidKing » Tue, 14 Jul 2009 09:27:43 GMT


Sponsored Links
 is there an easy way to limit my content provider access to only one
or more packages
I don't want other packages to access my data

I looked at   grantUriPermission  but its not straight forward and it
doesn't work

any ideas?
--~--~---------~--~----~------------~-------~--~----~



Limit content provider access

by Dianne Hackborn » Tue, 14 Jul 2009 14:23:39 GMT


 By far the easiest way is to do this based on app certificates -- just use
android:readPermission and android:writePermission in the manifest, and
declare the permission you are using there with <permission> to be
android:protectionLevel="signature".  Then only apps signed with the same
certificate as your own will be able to get the permission, and thus able to
read/write the provider.






-- 
Dianne Hackborn
Android framework engineer
hack...@android.com

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.

--~--~---------~--~----~------------~-------~--~----~


Sponsored Links


Limit content provider access

by AndroidKing » Tue, 14 Jul 2009 23:38:10 GMT


 Thanks for the reply

That doesn't really help
I want to limit the access based on the package name.
The package name will have different signature from my App.
I added android:readPermission and android:writePermission to the
content provider
but what is the use, any package can add these two permissions and
still access the content provider
I think Android is missing the access limitation...

any other way???





--~--~---------~--~----~------------~-------~--~----~



Limit content provider access

by Dianne Hackborn » Wed, 15 Jul 2009 00:00:05 GMT


 You can limit who can get the permissions based on certificate, to control
who can get the permission, using android:protectionLevel="signature".

The package name is not secure at all -- anyone can write an app with a
particular package name, you have no idea what app it actually is based on
that.  If you really want to do this based on package name, you can
implement the security check yourself at the points of call into your
content provider (such as the query() method) -- you can use
Binder.getCallingUid() to find out who is calling you and the PackageManager
to find the package(s) associated with that.  The platform doesn't provide
any easy way to to this, though, because it is does not provide any actual
security.








-- 
Dianne Hackborn
Android framework engineer
hack...@android.com

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.

--~--~---------~--~----~------------~-------~--~----~



Other Threads

1. read-only contact

How to make any contact as read-only in android contacts application.
My requirement is I want add some contact as read-only contact in
android 2.1 contacts application for my sync account not all. suppose
I added 4 contact A , B, C and ,D in my account. now I want to show
contact B as read - only when user will see the contact detail and
while edit it will add as new copy of contact B.

Any help will be appreciated.
Thanks

-- 

2. Dynamically load jar files in android runtime

I have a jar file in my app local data "/data/data/ro.lisamobile/files/
echo.jar".
I want to load the class "lisa.modules.echo.EchoModule" which resides
in my jar.

I am using java.net.URLClassLoader to load the class. On an non
android environment the code works, on android it gives me this
exception "can't load this type of class file".

Do you know why is that ?

Thanks.
Below it's an output of Logcat:

03-22 14:46:53.676: WARN/file(779): file:/data/data/ro.lisamobile/
files/echo.jar
03-22 14:46:53.776: INFO/ActivityManager(563): Displayed activity
ro.lisamobile/.LisaMobile: 3976 ms
03-22 14:46:53.816: ERROR/dalvikvm(779): ERROR:
defineClass(0x4364dfe0, lisa.modules.echo.EchoModule, 0x436549a0, 0,
1, 0x43655b58)
03-22 14:46:53.826: WARN/System.err(779):
java.lang.UnsupportedOperationException: can't load this type of class
file
03-22 14:46:53.835: WARN/System.err(779):     at
java.lang.VMClassLoader.defineClass(Native Method)
03-22 14:46:53.846: WARN/System.err(779):     at
java.lang.ClassLoader.defineClass(ClassLoader.java:338)
03-22 14:46:53.865: WARN/System.err(779):     at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:
123)
03-22 14:46:53.875: WARN/System.err(779):     at
java.net.URLClassLoader.findClassImpl(URLClassLoader.java:1220)
03-22 14:46:53.875: WARN/System.err(779):     at
java.net.URLClassLoader$4.run(URLClassLoader.java:629)
03-22 14:46:53.875: WARN/System.err(779):     at
java.net.URLClassLoader$4.run(URLClassLoader.java:628)

-- 

3. Regarding using intents in the GridView and absolute layouts

4. Avoid Black Screen on starting application?

5. Porting Android to Logic zoom1 MDK

6. Application Crashing OutOfMemory .Restructuring Help Needed

7. About Dynamic Voltage and Frequency Scaling In ADP2