1page.title=System Permissions 2page.tags=permissions 3@jd:body 4 5<div id="qv-wrapper"> 6<div id="qv"> 7 8<h2>In this document</h2> 9<ol> 10<li><a href="#arch">Security Architecture</a></li> 11<li><a href="#signing">Application Signing</a></li> 12<li><a href="#userid">User IDs and File Access</a></li> 13<li><a href="#permissions">Using Permissions</a></li> 14<li><a href="#normal-dangerous">Normal and Dangerous Permissions</a> 15 <ol> 16 <li><a href="#perm-groups">Permission Groups</a></li> 17 </ol> 18</li> 19<li><a href="#defining">Defining and Enforcing Permissions</a> 20 <ol> 21 <li><a href="#custom-recommendations">Custom permission recommendations</a></li> 22 <li><a href="#manifest">...in AndroidManifest.xml</a></li> 23 <li><a href="#broadcasts">...when Sending Broadcasts</a></li> 24 <li><a href="#enforcement">Other Permission Enforcement</a></li> 25 </ol></li> 26<li><a href="#uri">URI Permissions</a></li> 27</ol> 28 29 <h2>Key classes</h2> 30 <ol> 31 <li>{@link android.Manifest.permission}</li> 32 <li>{@link android.Manifest.permission_group}</li> 33 </ol> 34 35 <h2>See Also</h2> 36 <ol> 37 <li><a href="{@docRoot}training/permissions/index.html">Working with System 38 Permissions</a></li> 39 </ol> 40 41<!-- 42 <h2>See also</h2> 43 <ol> 44 <li></li> 45 </ol> 46--> 47</div> 48</div> 49 50<a class="notice-designers" 51 href="https://www.google.com/design/spec/patterns/permissions.html"> 52 <div> 53 <h3>Design Patterns</h3> 54 <p>Permissions</p> 55 </div> 56</a> 57 58<!-- video box --> 59<a class="notice-developers-video" 60 href="https://www.youtube.com/watch?v=f17qe9vZ8RM"> 61<div> 62 <h3>Video</h3> 63 <p>Google I/O 2015—Android M Permissions: Best Practices for 64 Developers</p> 65</div> 66</a> 67 68<p>Android is a privilege-separated operating system, in which each 69application runs with a distinct system identity (Linux user ID and group 70ID). Parts of the system are also separated into distinct identities. 71Linux thereby isolates applications from each other and from the system.</p> 72 73<p>Additional finer-grained security features are provided through a 74"permission" mechanism that enforces restrictions on the specific operations 75that a particular process can perform, and per-URI permissions for granting 76ad hoc access to specific pieces of data.</p> 77 78<p>This document describes how application developers can use the 79security features provided by Android. A more general <a 80href="http://source.android.com/tech/security/index.html" 81class="external-link">Android Security 82Overview</a> is provided in the Android Open Source Project.</p> 83 84 85<a name="arch"></a> 86<h2>Security Architecture</h2> 87 88<p>A central design point of the Android security architecture is that no 89application, by default, has permission to perform any operations that would 90adversely impact other applications, the operating system, or the user. This 91includes reading or writing the user's private data (such as contacts or 92emails), reading or writing another application's files, performing 93network access, keeping the device awake, and so on.</p> 94 95<p>Because each Android application operates in a process sandbox, applications 96must explicitly share resources and data. They do this by declaring the 97<em>permissions</em> they need for additional capabilities not provided by 98the basic sandbox. Applications statically declare the permissions they 99require, and the Android system prompts the user for consent.</p> 100 101<p>The application sandbox does not depend on the technology used to build 102an application. In particular the Dalvik VM is not a security boundary, and 103any app can run native code (see <a href="{@docRoot}tools/sdk/ndk/index.html">the Android 104NDK</a>). All types of applications — Java, native, and hybrid — 105are sandboxed in the same way and have the same degree of security from each 106other.</p> 107 108 109<a name="signing"></a> 110<h2>Application Signing</h2> 111 112<p>All APKs ({@code .apk} files) must be signed with a certificate 113whose private key is held by their developer. This certificate identifies 114the author of the application. The certificate does <em>not</em> need to be 115signed by a certificate authority; it is perfectly allowable, and typical, 116for Android applications to use self-signed certificates. The purpose of 117certificates in Android is to distinguish application authors. This allows 118the system to grant or deny applications access to <a 119href="{@docRoot}guide/topics/manifest/permission-element.html#plevel">signature-level 120permissions</a> and to grant or deny an application's <a 121href="{@docRoot}guide/topics/manifest/manifest-element.html#uid">request to be given 122the same Linux identity</a> as another application.</p> 123 124<a name="userid"></a> 125<h2>User IDs and File Access</h2> 126 127<p>At install time, Android gives each package a distinct Linux user ID. The 128identity remains constant for the duration of the package's life on that 129device. On a different device, the same package may have a different UID; 130what matters is that each package has a distinct UID on a given device.</p> 131 132<p>Because security enforcement happens at the 133process level, the code of any two packages cannot normally 134run in the same process, since they need to run as different Linux users. 135You can use the {@link android.R.attr#sharedUserId} attribute in the 136<code>AndroidManifest.xml</code>'s 137{@link android.R.styleable#AndroidManifest manifest} tag of each package to 138have them assigned the same user ID. By doing this, for purposes of security 139the two packages are then treated as being the same application, with the same 140user ID and file permissions. Note that in order to retain security, only two applications 141signed with the same signature (and requesting the same sharedUserId) will 142be given the same user ID.</p> 143 144<p>Any data stored by an application will be assigned that application's user 145ID, and not normally accessible to other packages. When creating a new file 146with {@link android.content.Context#getSharedPreferences}, 147{@link android.content.Context#openFileOutput}, or 148{@link android.content.Context#openOrCreateDatabase}, 149you can use the 150{@link android.content.Context#MODE_WORLD_READABLE} and/or 151{@link android.content.Context#MODE_WORLD_WRITEABLE} flags to allow any other 152package to read/write the file. When setting these flags, the file is still 153owned by your application, but its global read and/or write permissions have 154been set appropriately so any other application can see it.</p> 155 156 157<h2 id="permissions">Using Permissions</h2> 158 159<p>A basic Android application has no permissions associated with it by default, 160meaning it cannot do anything that would adversely impact the user experience 161or any data on the device. To make use of protected features of the device, 162you must include one or more 163<a href="{@docRoot}guide/topics/manifest/uses-permission-element.html" 164 ><code><uses-permission></code></a> 165tags in your <a href="{@docRoot}guide/topics/manifest/manifest-intro.html">app 166manifest</a>.</p> 167 168<p>For example, an application that needs to monitor incoming SMS messages would 169specify:</p> 170 171<pre><manifest xmlns:android="http://schemas.android.com/apk/res/android" 172 package="com.android.app.myapp" > 173 <uses-permission android:name="android.permission.RECEIVE_SMS" /> 174 ... 175</manifest></pre> 176 177<div class="sidebox-wrapper"> 178<div class="sidebox"> 179 <h3>Permission Levels</h3> 180 <p>For more information about the different protection levels for 181 permissions, see <a href="#normal-dangerous">Normal and Dangerous 182 Permissions</a>.</p> 183</div> 184</div> 185 186<p> 187 If your app lists <em>normal</em> permissions in its manifest (that is, 188 permissions that don't pose much risk to the user's privacy or the device's 189 operation), the system automatically grants those permissions. 190 If your app lists <em>dangerous</em> permissions in its manifest (that is, 191 permissions that could potentially affect the user's privacy or the device's 192 normal operation), the system asks the user to explicitly grant those 193 permissions. The way Android makes the requests depends on the system 194 version, and the system version targeted by your app: 195</p> 196 197<ul> 198 <li>If the device is running Android 6.0 (API level 23) or higher, 199 <em>and</em> the app's <a 200 href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target" 201 ><code>targetSdkVersion</code></a> 202 is 23 or higher, the app requests permissions from the user at run-time. 203 The user can revoke the permissions at any time, so the app needs to 204 check whether it has the permissions every time it runs. 205 For more information about requesting permissions in your app, see the 206 <a href="{@docRoot}training/permissions/index.html">Working with System 207 Permissions</a> training guide. 208 </li> 209 210 <li>If the device is running Android 5.1 (API level 22) or lower, <em>or</em> 211 the app's <a 212 href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target" 213 ><code>targetSdkVersion</code></a> 214 is 22 or lower, the system asks the user to grant the permissions when the 215 user installs the app. If you add a new permission to an updated version of 216 the app, the system asks the user to grant that permission when the user 217 updates the app. Once the user installs the app, the only way they can 218 revoke the permission is by uninstalling the app. 219 </li> 220</ul> 221 222<p>Often times a permission failure will result in a {@link 223java.lang.SecurityException} being thrown back to the application. However, 224this is not guaranteed to occur everywhere. For example, the {@link 225android.content.Context#sendBroadcast} method checks permissions as data is 226being delivered to each receiver, after the method call has returned, so you 227will not receive an exception if there are permission failures. In almost all 228cases, however, a permission failure will be printed to the system log.</p> 229 230<p>The permissions provided by the Android system can be found at {@link 231android.Manifest.permission}. Any application may also define and enforce its 232own permissions, so this is not a comprehensive list of all possible 233permissions.</p> 234 235<p>A particular permission may be enforced at a number of places during your 236program's operation:</p> 237 238<ul> 239<li>At the time of a call into the system, to prevent an application from 240executing certain functions.</li> 241<li>When starting an activity, to prevent applications from launching 242activities of other applications.</li> 243<li>Both sending and receiving broadcasts, to control who can receive 244your broadcast or who can send a broadcast to you.</li> 245<li>When accessing and operating on a content provider.</li> 246<li>Binding to or starting a service.</li> 247</ul> 248 249<h3 id="auto-adjustments">Automatic permission adjustments</h3> 250 251<p> Over time, 252new restrictions may be added to the platform such that, in order 253to use certain APIs, your app must request a permission that it previously did not need. 254Because existing apps assume access to those APIs is freely available, 255Android may apply the new permission request to the app's manifest to avoid 256breaking the app on the new platform version. 257Android makes the decision as to whether an app might need the permission based on 258the value provided for the <a 259href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code targetSdkVersion}</a> 260attribute. If the value is lower than the version in which the permission was added, then 261Android adds the permission.</p> 262<p>For example, the {@link android.Manifest.permission#WRITE_EXTERNAL_STORAGE} permission was 263added in API level 4 to restrict access to the shared storage space. If your <a 264href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code targetSdkVersion}</a> 265is 3 or lower, this permission is added to your app on newer versions of Android.</p> 266 267<p class="caution"> 268 <strong>Caution:</strong> If a permission is automatically added to your app, 269 your app listing on Google Play lists these additional permissions even 270 though your app might not actually require them. 271</p> 272 273<p>To avoid this and remove the default permissions you don't need, always update your <a 274href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code targetSdkVersion}</a> 275to be as high as possible. You can see which permissions were added with each release in the 276{@link android.os.Build.VERSION_CODES} documentation.</p> 277</div> 278 279<h2 id="normal-dangerous">Normal and Dangerous Permissions</h2> 280 281<p> 282 System permissions are divided into several protection levels. The two most 283 important protection levels to know about are <em>normal</em> and 284 <em>dangerous</em> permissions: 285</p> 286 287<ul> 288 <li> 289 <em>Normal</em> permissions cover areas where your app needs to access data 290 or resources outside the app's sandbox, but where there's very little risk 291 to the user's privacy or the operation of other apps. For example, 292 permission to set the time zone is a normal permission. If an app 293 declares that it needs a normal permission, the system automatically grants 294 the permission to the app. For a full listing of the current normal 295 permissions, see <a href="normal-permissions.html">Normal permissions</a>. 296 </li> 297 298 <li> 299 <em>Dangerous</em> permissions cover areas where the app wants data or 300 resources that involve the user's private information, or could potentially 301 affect the user's stored data or the operation of other apps. For example, 302 the ability to read the user's contacts is a dangerous permission. If an 303 app declares that it needs a dangerous permission, the user has to 304 explicitly grant the permission to the app. 305 </li> 306</ul> 307 308<div class="sidebox-wrapper"> 309<div class="sidebox"> 310 <h3 id="special_permissions">Special Permissions</h3> 311 <p> 312 There are a couple of permissions that don't behave like normal and 313 dangerous permissions. {@link android.Manifest.permission#SYSTEM_ALERT_WINDOW 314 SYSTEM_ALERT_WINDOW} and {@link android.Manifest.permission#WRITE_SETTINGS 315 WRITE_SETTINGS} are particularly sensitive, so most apps should not use 316 them. If an app needs one of these permissions, it must declare the 317 permission in the manifest, <em>and</em> send an intent requesting the 318 user's authorization. The system responds to the intent by showing a 319 detailed management screen to the user. 320 </p> 321 322 <p> 323 For details on how to request these permissions, see the {@link 324 android.Manifest.permission#SYSTEM_ALERT_WINDOW SYSTEM_ALERT_WINDOW} and 325 {@link android.Manifest.permission#WRITE_SETTINGS WRITE_SETTINGS} reference 326 entries. 327 </p> 328</div> 329</div> 330 331<h3 id="perm-groups">Permission groups</h3> 332 333<p> 334 All dangerous Android system permissions belong to permission groups. 335 If the device is running Android 6.0 (API level 23) and the app's <a href= 336 "{@docRoot}guide/topics/manifest/uses-sdk-element.html#target" 337 ><code>targetSdkVersion</code></a> is 23 or higher, the following system 338 behavior applies when your app requests a dangerous permission: 339</p> 340 341<ul> 342 <li>If an app requests a dangerous permission listed in its manifest, and the app 343 does not currently have any permissions in the permission group, the system 344 shows a dialog box to the user describing the permission group that the app 345 wants access to. The dialog box does not describe the specific permission 346 within that group. For example, if an app requests the {@link 347 android.Manifest.permission#READ_CONTACTS READ_CONTACTS} permission, the 348 system dialog box just says the app needs access to the device's contacts. If 349 the user grants approval, the system gives the app just the permission it 350 requested. 351 </li> 352 353 <li>If an app requests a dangerous permission listed in its manifest, and the app 354 already has another dangerous permission in the same permission group, the 355 system immediately grants the permission without any interaction with the 356 user. For example, if an app had previously requested and been granted the 357 {@link android.Manifest.permission#READ_CONTACTS READ_CONTACTS} permission, 358 and it then requests {@link android.Manifest.permission#WRITE_CONTACTS 359 WRITE_CONTACTS}, the system immediately grants that permission. 360 </li> 361</ul> 362 363<p class="aside"> 364 Any permission can belong to a permission group, including normal permissions 365 and permissions defined by your app. 366 However, a permission's group only affects the user experience if the 367 permission is dangerous. You can ignore the permission group for normal 368 permissions. 369</p> 370 371<p> 372 If the device is running Android 5.1 (API level 22) or lower, or the app's 373 <a href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target" 374 ><code>targetSdkVersion</code></a> is 22 or lower, the system asks the user 375 to grant the permissions at install time. Once again, the system just tells 376 the user what permission <em>groups</em> the app needs, not the individual 377 permissions. 378</p> 379 380<p class="table-caption" id="permission-groups"> 381 <strong>Table 1.</strong> Dangerous permissions and permission groups.</p> 382<table> 383 <tr> 384 <th scope="col">Permission Group</th> 385 <th scope="col">Permissions</th> 386 </tr> 387 388 <tr> 389 <td>{@link android.Manifest.permission_group#CALENDAR CALENDAR}</td> 390 <td> 391 <ul> 392 <li> 393 {@link android.Manifest.permission#READ_CALENDAR READ_CALENDAR} 394 </li> 395 </ul> 396 <ul> 397 <li> 398 {@link android.Manifest.permission#WRITE_CALENDAR WRITE_CALENDAR} 399 </li> 400 </ul> 401 </td> 402 </tr> 403 404 <tr> 405 <td>{@link android.Manifest.permission_group#CAMERA CAMERA}</td> 406 <td> 407 <ul> 408 <li> 409 {@link android.Manifest.permission#CAMERA CAMERA} 410 </li> 411 </ul> 412 </td> 413 </tr> 414 415 <tr> 416 <td>{@link android.Manifest.permission_group#CONTACTS CONTACTS}</td> 417 <td> 418 <ul> 419 <li> 420 {@link android.Manifest.permission#READ_CONTACTS READ_CONTACTS} 421 </li> 422 <li> 423 {@link android.Manifest.permission#WRITE_CONTACTS WRITE_CONTACTS} 424 </li> 425 <li> 426 {@link android.Manifest.permission#GET_ACCOUNTS GET_ACCOUNTS} 427 </li> 428 </ul> 429 </td> 430 </tr> 431 432 <tr> 433 <td>{@link android.Manifest.permission_group#LOCATION LOCATION}</td> 434 <td> 435 <ul> 436 <li> 437 {@link android.Manifest.permission#ACCESS_FINE_LOCATION ACCESS_FINE_LOCATION} 438 </li> 439 <li> 440 {@link android.Manifest.permission#ACCESS_COARSE_LOCATION ACCESS_COARSE_LOCATION} 441 </li> 442 </ul> 443 </td> 444 </tr> 445 446 <tr> 447 <td>{@link android.Manifest.permission_group#MICROPHONE MICROPHONE}</td> 448 <td> 449 <ul> 450 <li> 451 {@link android.Manifest.permission#RECORD_AUDIO RECORD_AUDIO} 452 </li> 453 </ul> 454 </td> 455 </tr> 456 457 <tr> 458 <td>{@link android.Manifest.permission_group#PHONE PHONE}</td> 459 <td> 460 <ul> 461 <li> 462 {@link android.Manifest.permission#READ_PHONE_STATE READ_PHONE_STATE} 463 </li> 464 <li> 465 {@link android.Manifest.permission#CALL_PHONE CALL_PHONE} 466 </li> 467 <li> 468 {@link android.Manifest.permission#READ_CALL_LOG READ_CALL_LOG} 469 </li> 470 <li> 471 {@link android.Manifest.permission#WRITE_CALL_LOG WRITE_CALL_LOG} 472 </li> 473 <li> 474 {@link android.Manifest.permission#ADD_VOICEMAIL ADD_VOICEMAIL} 475 </li> 476 <li> 477 {@link android.Manifest.permission#USE_SIP USE_SIP} 478 </li> 479 <li> 480 {@link android.Manifest.permission#PROCESS_OUTGOING_CALLS PROCESS_OUTGOING_CALLS} 481 </li> 482 </ul> 483 </td> 484 </tr> 485 486 <tr> 487 <td>{@link android.Manifest.permission_group#SENSORS SENSORS}</td> 488 <td> 489 <ul> 490 <li> 491 {@link android.Manifest.permission#BODY_SENSORS BODY_SENSORS} 492 </li> 493 </ul> 494 </td> 495 </tr> 496 497 <tr> 498 <td>{@link android.Manifest.permission_group#SMS SMS}</td> 499 <td> 500 <ul> 501 <li> 502 {@link android.Manifest.permission#SEND_SMS SEND_SMS} 503 </li> 504 <li> 505 {@link android.Manifest.permission#RECEIVE_SMS RECEIVE_SMS} 506 </li> 507 <li> 508 {@link android.Manifest.permission#READ_SMS READ_SMS} 509 </li> 510 <li> 511 {@link android.Manifest.permission#RECEIVE_WAP_PUSH RECEIVE_WAP_PUSH} 512 </li> 513 <li> 514 {@link android.Manifest.permission#RECEIVE_MMS RECEIVE_MMS} 515 </li> 516 </ul> 517 </td> 518 </tr> 519 520 <tr> 521 <td> 522 {@link android.Manifest.permission_group#STORAGE STORAGE} 523 </td> 524 <td> 525 <ul> 526 <li> 527 {@link android.Manifest.permission#READ_EXTERNAL_STORAGE 528 READ_EXTERNAL_STORAGE} 529 </li> 530 <li> 531 {@link android.Manifest.permission#WRITE_EXTERNAL_STORAGE 532 WRITE_EXTERNAL_STORAGE} 533 </li> 534 </ul> 535 </td> 536 </tr> 537 538</table> 539 540 541<a name="declaring"></a> 542<h2 id="defining">Defining and Enforcing Permissions</h2> 543 544<p> 545 To enforce your own permissions, you must first declare them in your 546 <code>AndroidManifest.xml</code> using one or more <a href= 547 "{@docRoot}guide/topics/manifest/permission-element.html"><code><permission></code></a> 548 elements. 549</p> 550 551<p>For example, an application that wants to control who can start one 552of its activities could declare a permission for this operation as follows:</p> 553 554<pre><manifest xmlns:android="http://schemas.android.com/apk/res/android" 555 package="com.example.myapp" > 556 <permission android:name="com.example.myapp.permission.DEADLY_ACTIVITY" 557 android:label="@string/permlab_deadlyActivity" 558 android:description="@string/permdesc_deadlyActivity" 559 android:permissionGroup="android.permission-group.COST_MONEY" 560 android:protectionLevel="dangerous" /> 561 ... 562</manifest></pre> 563 564<p class="note"> 565 <strong>Note:</strong> The system does not allow multiple packages to declare 566 a permission with the same name, unless all the packages are signed with the 567 same certificate. If a package declares a permission, the system does not permit 568 the user to install other packages with the same permission name, unless 569 those packages are signed with the same certificate as the first package. To 570 avoid naming collisions, we recommend using reverse-domain-style naming for custom 571 permissions, for example <code>com.example.myapp.ENGAGE_HYPERSPACE</code>. 572</p> 573 574<p>The {@link android.R.styleable#AndroidManifestPermission_protectionLevel 575protectionLevel} attribute is required, telling the system how the 576user is to be informed of applications requiring the permission, or who is 577allowed to hold that permission, as described in the linked documentation.</p> 578 579<p> 580 The <a href= 581 "{@docRoot}guide/topics/manifest/permission-group-element.html" 582 ><code>android:permissionGroup</code></a> 583 attribute is optional, and only used to help the system display permissions 584 to the user. In most cases you will want to set this to a standard system 585 group (listed in {@link android.Manifest.permission_group 586 android.Manifest.permission_group}), although you can define a group yourself. 587 It is preferable to use an existing group, as this simplifies the 588 permission UI shown to the user. 589</p> 590 591<p>You need to supply both a label and description for the 592permission. These are string resources that the user can see when 593they are viewing a list of permissions 594(<code>{@link android.R.styleable#AndroidManifestPermission_label android:label}</code>) 595or details on a single permission ( 596<code>{@link android.R.styleable#AndroidManifestPermission_description android:description}</code>). 597The label should be short; a few words 598describing the key piece of functionality the permission is protecting. The 599description should be a couple of sentences describing what the permission allows 600a holder to do. Our convention is a two-sentence description: 601the first sentence describes the permission, and the second sentence warns the 602user of the type of things that can go wrong if an application is granted the 603permission.</p> 604 605<p>Here is an example of a label and description for the CALL_PHONE 606permission:</p> 607 608<pre> 609<string name="permlab_callPhone">directly call phone numbers</string> 610<string name="permdesc_callPhone">Allows the application to call 611 phone numbers without your intervention. Malicious applications may 612 cause unexpected calls on your phone bill. Note that this does not 613 allow the application to call emergency numbers.</string> 614</pre> 615 616<p>You can view at the permissions currently defined in the system using the 617Settings app and the shell command <code>adb shell pm list permissions</code>. 618To use the Settings app, go to <b>Settings</b> > <b>Applications</b>. Pick an app and 619scroll down to see the permissions that the app uses. For developers, the adb '-s' 620option displays the permissions in a form similar to how the user will see them:</p> 621 622<pre class="no-pretty-print"> 623$ adb shell pm list permissions -s 624All Permissions: 625 626Network communication: view Wi-Fi state, create Bluetooth connections, full 627Internet access, view network state 628 629Your location: access extra location provider commands, fine (GPS) location, 630mock location sources for testing, coarse (network-based) location 631 632Services that cost you money: send SMS messages, directly call phone numbers 633 634...</pre> 635 636<h3 id="custom-recommendations"> 637 Custom permission recommendations 638</h3> 639 640<p> 641 Apps can define their own custom permissions and request custom permissions 642 from other apps by defining <a href= 643 "{@docRoot}guide/topics/manifest/uses-permission-element.html"><code 644 ><uses-permission></code></a> elements. 645 However, you should carefully assess whether it is necessary for your app to 646 do so. 647</p> 648 649<ul> 650 <li>If you are designing a suite of apps that expose functionality to one 651 another, try to design the apps so that each permission is defined only once. 652 You must do this if the apps are not all signed with the same certificate. 653 Even if the apps are all signed with the same certificate, it's a 654 best practice to define each permission once only. 655 </li> 656 657 <li>If the functionality is only available to apps signed with the same 658 signature as the providing app, you may be able to avoid defining custom 659 permissions by using signature checks. When one of your apps makes a request 660 of another of your apps, the second app can verify that both apps are signed 661 with the same certificate before complying with the request. 662 </li> 663 664 <li>If you are developing a suite of apps runs only on your own 665 devices, you should develop and install a package that 666 manages permissions for all the apps in the suite. This package does not need 667 to provide any services itself. It just declares all the permissions, and the 668 other apps in the suite request those permissions with the <a href= 669 "{@docRoot}guide/topics/manifest/uses-permission-element.html"><code 670 ><uses-permission></code></a> 671 element. 672 </li> 673</ul> 674 675<a name="manifest"></a> 676<h3>Enforcing Permissions in AndroidManifest.xml</h3> 677 678<p>You can apply high-level permissions restricting access to entire components 679of the system or application through your 680<code>AndroidManifest.xml</code>. To do this, include an {@link 681android.R.attr#permission android:permission} attribute on the desired 682component, naming the permission that controls access to 683it.</p> 684 685<p><strong>{@link android.app.Activity}</strong> permissions 686(applied to the 687{@link android.R.styleable#AndroidManifestActivity <activity>} tag) 688restrict who can start the associated 689activity. The permission is checked during 690{@link android.content.Context#startActivity Context.startActivity()} and 691{@link android.app.Activity#startActivityForResult Activity.startActivityForResult()}; 692if the caller does not have 693the required permission then {@link java.lang.SecurityException} is thrown 694from the call.</p> 695 696<p><strong>{@link android.app.Service}</strong> permissions 697(applied to the 698{@link android.R.styleable#AndroidManifestService <service>} tag) 699restrict who can start or bind to the 700associated service. The permission is checked during 701{@link android.content.Context#startService Context.startService()}, 702{@link android.content.Context#stopService Context.stopService()} and 703{@link android.content.Context#bindService Context.bindService()}; 704if the caller does not have 705the required permission then {@link java.lang.SecurityException} is thrown 706from the call.</p> 707 708<p><strong>{@link android.content.BroadcastReceiver}</strong> permissions 709(applied to the 710{@link android.R.styleable#AndroidManifestReceiver <receiver>} tag) 711restrict who can send broadcasts to the associated receiver. 712The permission is checked <em>after</em> 713{@link android.content.Context#sendBroadcast Context.sendBroadcast()} returns, 714as the system tries 715to deliver the submitted broadcast to the given receiver. As a result, a 716permission failure will not result in an exception being thrown back to the 717caller; it will just not deliver the intent. In the same way, a permission 718can be supplied to 719{@link android.content.Context#registerReceiver(android.content.BroadcastReceiver, android.content.IntentFilter, String, android.os.Handler) 720Context.registerReceiver()} 721to control who can broadcast to a programmatically registered receiver. 722Going the other way, a permission can be supplied when calling 723{@link android.content.Context#sendBroadcast(Intent, String) Context.sendBroadcast()} 724to restrict which BroadcastReceiver objects are allowed to receive the broadcast (see 725below).</p> 726 727<p><strong>{@link android.content.ContentProvider}</strong> permissions 728(applied to the 729{@link android.R.styleable#AndroidManifestProvider <provider>} tag) 730restrict who can access the data in 731a {@link android.content.ContentProvider}. (Content providers have an important 732additional security facility available to them called 733<a href="#uri">URI permissions</a> which is described later.) 734Unlike the other components, 735there are two separate permission attributes you can set: 736{@link android.R.attr#readPermission android:readPermission} restricts who 737can read from the provider, and 738{@link android.R.attr#writePermission android:writePermission} restricts 739who can write to it. Note that if a provider is protected with both a read 740and write permission, holding only the write permission does not mean 741you can read from a provider. The permissions are checked when you first 742retrieve a provider (if you don't have either permission, a SecurityException 743will be thrown), and as you perform operations on the provider. Using 744{@link android.content.ContentResolver#query ContentResolver.query()} requires 745holding the read permission; using 746{@link android.content.ContentResolver#insert ContentResolver.insert()}, 747{@link android.content.ContentResolver#update ContentResolver.update()}, 748{@link android.content.ContentResolver#delete ContentResolver.delete()} 749requires the write permission. 750In all of these cases, not holding the required permission results in a 751{@link java.lang.SecurityException} being thrown from the call.</p> 752 753 754<a name="broadcasts"></a> 755<h3>Enforcing Permissions when Sending Broadcasts</h3> 756 757<p>In addition to the permission enforcing who can send Intents to a 758registered {@link android.content.BroadcastReceiver} (as described above), you 759can also specify a required permission when sending a broadcast. By calling {@link 760android.content.Context#sendBroadcast(android.content.Intent,String) 761Context.sendBroadcast()} with a 762permission string, you require that a receiver's application must hold that 763permission in order to receive your broadcast.</p> 764 765<p>Note that both a receiver and a broadcaster can require a permission. When 766this happens, both permission checks must pass for the Intent to be delivered 767to the associated target.</p> 768 769 770<a name="enforcement"></a> 771<h3>Other Permission Enforcement</h3> 772 773<p>Arbitrarily fine-grained permissions can be enforced at any call into a 774service. This is accomplished with the {@link 775android.content.Context#checkCallingPermission Context.checkCallingPermission()} 776method. Call with a desired 777permission string and it will return an integer indicating whether that 778permission has been granted to the current calling process. Note that this can 779only be used when you are executing a call coming in from another process, 780usually through an IDL interface published from a service or in some other way 781given to another process.</p> 782 783<p>There are a number of other useful ways to check permissions. If you have 784the pid of another process, you can use the Context method {@link 785android.content.Context#checkPermission(String, int, int) Context.checkPermission(String, int, int)} 786to check a permission against that pid. If you have the package name of another 787application, you can use the direct PackageManager method {@link 788android.content.pm.PackageManager#checkPermission(String, String) 789PackageManager.checkPermission(String, String)} 790to find out whether that particular package has been granted a specific permission.</p> 791 792 793<a name="uri"></a> 794<h2>URI Permissions</h2> 795 796<p>The standard permission system described so far is often not sufficient 797when used with content providers. A content provider may want to 798protect itself with read and write permissions, while its direct clients 799also need to hand specific URIs to other applications for them to operate on. 800A typical example is attachments in a mail application. Access to the mail 801should be protected by permissions, since this is sensitive user data. However, 802if a URI to an image attachment is given to an image viewer, that image viewer 803will not have permission to open the attachment since it has no reason to hold 804a permission to access all e-mail.</p> 805 806<p>The solution to this problem is per-URI permissions: when starting an 807activity or returning a result to an activity, the caller can set 808{@link android.content.Intent#FLAG_GRANT_READ_URI_PERMISSION 809Intent.FLAG_GRANT_READ_URI_PERMISSION} and/or 810{@link android.content.Intent#FLAG_GRANT_WRITE_URI_PERMISSION 811Intent.FLAG_GRANT_WRITE_URI_PERMISSION}. This grants the receiving activity 812permission access the specific data URI in the Intent, regardless of whether 813it has any permission to access data in the content provider corresponding 814to the Intent.</p> 815 816<p>This mechanism allows a common capability-style model where user interaction 817(opening an attachment, selecting a contact from a list, etc) drives ad-hoc 818granting of fine-grained permission. This can be a key facility for reducing 819the permissions needed by applications to only those directly related to their 820behavior.</p> 821 822<p>The granting of fine-grained URI permissions does, however, require some 823cooperation with the content provider holding those URIs. It is strongly 824recommended that content providers implement this facility, and declare that 825they support it through the 826{@link android.R.styleable#AndroidManifestProvider_grantUriPermissions 827android:grantUriPermissions} attribute or 828{@link android.R.styleable#AndroidManifestGrantUriPermission 829<grant-uri-permissions>} tag.</p> 830 831<p>More information can be found in the 832{@link android.content.Context#grantUriPermission Context.grantUriPermission()}, 833{@link android.content.Context#revokeUriPermission Context.revokeUriPermission()}, and 834{@link android.content.Context#checkUriPermission Context.checkUriPermission()} 835methods.</p> 836 837<div class="next-docs"> 838<div class="col-6"> 839 <h2 class="norule">Continue reading about:</h2> 840 <dl> 841 <dt><a href="{@docRoot}guide/topics/manifest/uses-feature-element.html#permissions" 842 >Permissions that Imply Feature Requirements</a></dt> 843 <dd>Information about how requesting some permissions will implicitly restrict your app 844 to devices that include the corresponding hardware or software feature.</dd> 845 <dt><a href="{@docRoot}guide/topics/manifest/uses-permission-element.html">{@code 846 <uses-permission>}</a></dt> 847 <dd>API reference for the manifest tag that declare's your app's required system permissions. 848 </dd> 849 <dt>{@link android.Manifest.permission}</dt> 850 <dd>API reference for all system permissions.</dd> 851 </dl> 852</div> 853<div class="col-6"> 854 <h2 class="norule">You might also be interested in:</h2> 855 <dl> 856 <dt><a href="{@docRoot}guide/practices/compatibility.html" 857 >Device Compatibility</a></dt> 858 <dd>Information about Android works on different types of devices and an introduction 859 to how you can optimize your app for each device or restrict your app's availability 860 to different devices.</dd> 861 <dt><a href="http://source.android.com/devices/tech/security/index.html" 862 class="external-link">Android Security Overview</a></dt> 863 <dd>A detailed discussion about the Android platform's security model.</dd> 864 </dl> 865</div> 866</div> 867