• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1page.title=System Permissions
2page.tags=permissions
3@jd:body
4
5<div id="qv-wrapper">
6<div id="qv">
7
8<h2>In this document</h2>
9<ol>
10<li><a href="#arch">Security Architecture</a></li>
11<li><a href="#signing">Application Signing</a></li>
12<li><a href="#userid">User IDs and File Access</a></li>
13<li><a href="#permissions">Using Permissions</a></li>
14<li><a href="#normal-dangerous">Normal and Dangerous Permissions</a>
15  <ol>
16    <li><a href="#perm-groups">Permission Groups</a></li>
17  </ol>
18</li>
19<li><a href="#defining">Defining and Enforcing Permissions</a>
20	<ol>
21  <li><a href="#custom-recommendations">Custom permission recommendations</a></li>
22	<li><a href="#manifest">...in AndroidManifest.xml</a></li>
23	<li><a href="#broadcasts">...when Sending Broadcasts</a></li>
24	<li><a href="#enforcement">Other Permission Enforcement</a></li>
25	</ol></li>
26<li><a href="#uri">URI Permissions</a></li>
27</ol>
28
29  <h2>Key classes</h2>
30  <ol>
31    <li>{@link android.Manifest.permission}</li>
32    <li>{@link android.Manifest.permission_group}</li>
33  </ol>
34
35  <h2>See Also</h2>
36  <ol>
37    <li><a href="{@docRoot}training/permissions/index.html">Working with System
38        Permissions</a></li>
39  </ol>
40
41<!--
42  <h2>See also</h2>
43  <ol>
44    <li></li>
45  </ol>
46-->
47</div>
48</div>
49
50<a class="notice-designers"
51    href="https://www.google.com/design/spec/patterns/permissions.html">
52  <div>
53    <h3>Design Patterns</h3>
54    <p>Permissions</p>
55  </div>
56</a>
57
58<!-- video box -->
59<a class="notice-developers-video"
60    href="https://www.youtube.com/watch?v=f17qe9vZ8RM">
61<div>
62    <h3>Video</h3>
63    <p>Google I/O 2015—Android M Permissions: Best Practices for
64      Developers</p>
65</div>
66</a>
67
68<p>Android is a privilege-separated operating system, in which each
69application runs with a distinct system identity (Linux user ID and group
70ID).  Parts of the system are also separated into distinct identities.
71Linux thereby isolates applications from each other and from the system.</p>
72
73<p>Additional finer-grained security features are provided through a
74"permission" mechanism that enforces restrictions on the specific operations
75that a particular process can perform, and per-URI permissions for granting
76ad hoc access to specific pieces of data.</p>
77
78<p>This document describes how application developers can use the
79security features provided by Android.  A more general <a
80href="http://source.android.com/tech/security/index.html"
81class="external-link">Android Security
82Overview</a> is provided in the Android Open Source Project.</p>
83
84
85<a name="arch"></a>
86<h2>Security Architecture</h2>
87
88<p>A central design point of the Android security architecture is that no
89application, by default, has permission to perform any operations that would
90adversely impact other applications, the operating system, or the user.  This
91includes reading or writing the user's private data (such as contacts or
92emails), reading or writing another application's files, performing
93network access, keeping the device awake, and so on.</p>
94
95<p>Because each Android application operates in a process sandbox, applications
96must explicitly share resources and data. They do this by declaring the
97<em>permissions</em> they need for additional capabilities not provided by
98the basic sandbox. Applications statically declare the permissions they
99require, and the Android system prompts the user for consent.</p>
100
101<p>The application sandbox does not depend on the technology used to build
102an application. In particular the Dalvik VM is not a security boundary, and
103any app can run native code (see <a href="{@docRoot}tools/sdk/ndk/index.html">the Android
104NDK</a>). All types of applications &mdash; Java, native, and hybrid &mdash;
105are sandboxed in the same way and have the same degree of security from each
106other.</p>
107
108
109<a name="signing"></a>
110<h2>Application Signing</h2>
111
112<p>All APKs ({@code .apk} files) must be signed with a certificate
113whose private key is held by their developer.  This certificate identifies
114the author of the application.  The certificate does <em>not</em> need to be
115signed by a certificate authority; it is perfectly allowable, and typical,
116for Android applications to use self-signed certificates. The purpose of
117certificates in Android is to distinguish application authors. This allows
118the system to grant or deny applications access to <a
119href="{@docRoot}guide/topics/manifest/permission-element.html#plevel">signature-level
120permissions</a> and to grant or deny an application's <a
121href="{@docRoot}guide/topics/manifest/manifest-element.html#uid">request to be given
122the same Linux identity</a> as another application.</p>
123
124<a name="userid"></a>
125<h2>User IDs and File Access</h2>
126
127<p>At install time, Android gives each package a distinct Linux user ID. The
128identity remains constant for the duration of the package's life on that
129device. On a different device, the same package may have a different UID;
130what matters is that each package has a distinct UID on a given device.</p>
131
132<p>Because security enforcement happens at the
133process level, the code of any two packages cannot normally
134run in the same process, since they need to run as different Linux users.
135You can use the {@link android.R.attr#sharedUserId} attribute in the
136<code>AndroidManifest.xml</code>'s
137{@link android.R.styleable#AndroidManifest manifest} tag of each package to
138have them assigned the same user ID.  By doing this, for purposes of security
139the two packages are then treated as being the same application, with the same
140user ID and file permissions.  Note that in order to retain security, only two applications
141signed with the same signature (and requesting the same sharedUserId) will
142be given the same user ID.</p>
143
144<p>Any data stored by an application will be assigned that application's user
145ID, and not normally accessible to other packages.  When creating a new file
146with {@link android.content.Context#getSharedPreferences},
147{@link android.content.Context#openFileOutput}, or
148{@link android.content.Context#openOrCreateDatabase},
149you can use the
150{@link android.content.Context#MODE_WORLD_READABLE} and/or
151{@link android.content.Context#MODE_WORLD_WRITEABLE} flags to allow any other
152package to read/write the file.  When setting these flags, the file is still
153owned by your application, but its global read and/or write permissions have
154been set appropriately so any other application can see it.</p>
155
156
157<h2 id="permissions">Using Permissions</h2>
158
159<p>A basic Android application has no permissions associated with it by default,
160meaning it cannot do anything that would adversely impact the user experience
161or any data on the device.  To make use of protected features of the device,
162you must include one or more
163<a href="{@docRoot}guide/topics/manifest/uses-permission-element.html"
164    ><code>&lt;uses-permission&gt;</code></a>
165tags in your <a href="{@docRoot}guide/topics/manifest/manifest-intro.html">app
166manifest</a>.</p>
167
168<p>For example, an application that needs to monitor incoming SMS messages would
169specify:</p>
170
171<pre>&lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot;
172    package=&quot;com.android.app.myapp&quot; &gt;
173    &lt;uses-permission android:name=&quot;android.permission.RECEIVE_SMS&quot; /&gt;
174    ...
175&lt;/manifest&gt;</pre>
176
177<div class="sidebox-wrapper">
178<div class="sidebox">
179  <h3>Permission Levels</h3>
180  <p>For more information about the different protection levels for
181    permissions, see <a href="#normal-dangerous">Normal and Dangerous
182    Permissions</a>.</p>
183</div>
184</div>
185
186<p>
187  If your app lists <em>normal</em> permissions in its manifest (that is,
188  permissions that don't pose much risk to the user's privacy or the device's
189  operation), the system automatically grants those permissions.
190  If your app lists <em>dangerous</em> permissions in its manifest (that is,
191  permissions that could potentially affect the user's privacy or the device's
192  normal operation), the system asks the user to explicitly grant those
193  permissions. The way Android makes the requests depends on the system
194  version, and the system version targeted by your app:
195</p>
196
197<ul>
198  <li>If the device is running Android 6.0 (API level 23) or higher,
199  <em>and</em> the app's <a
200  href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target"
201  ><code>targetSdkVersion</code></a>
202  is 23 or higher, the app requests permissions from the user at run-time.
203  The user can revoke the permissions at any time, so the app needs to
204  check whether it has the permissions every time it runs.
205  For more information about requesting permissions in your app, see the
206  <a href="{@docRoot}training/permissions/index.html">Working with System
207  Permissions</a> training guide.
208  </li>
209
210  <li>If the device is running Android 5.1 (API level 22) or lower, <em>or</em>
211  the app's <a
212  href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target"
213  ><code>targetSdkVersion</code></a>
214  is 22 or lower, the system asks the user to grant the permissions when the
215  user installs the app. If you add a new permission to an updated version of
216  the app, the system asks the user to grant that permission when the user
217  updates the app. Once the user installs the app, the only way they can
218  revoke the permission is by uninstalling the app.
219  </li>
220</ul>
221
222<p>Often times a permission failure will result in a {@link
223java.lang.SecurityException} being thrown back to the application. However,
224this is not guaranteed to occur everywhere. For example, the {@link
225android.content.Context#sendBroadcast} method checks permissions as data is
226being delivered to each receiver, after the method call has returned, so you
227will not receive an exception if there are permission failures. In almost all
228cases, however, a permission failure will be printed to the system log.</p>
229
230<p>The permissions provided by the Android system can be found at {@link
231android.Manifest.permission}. Any application may also define and enforce its
232own permissions, so this is not a comprehensive list of all possible
233permissions.</p>
234
235<p>A particular permission may be enforced at a number of places during your
236program's operation:</p>
237
238<ul>
239<li>At the time of a call into the system, to prevent an application from
240executing certain functions.</li>
241<li>When starting an activity, to prevent applications from launching
242activities of other applications.</li>
243<li>Both sending and receiving broadcasts, to control who can receive
244your broadcast or who can send a broadcast to you.</li>
245<li>When accessing and operating on a content provider.</li>
246<li>Binding to or starting a service.</li>
247</ul>
248
249<h3 id="auto-adjustments">Automatic permission adjustments</h3>
250
251<p> Over time,
252new restrictions may be added to the platform such that, in order
253to use certain APIs, your app must request a permission that it previously did not need.
254Because existing apps assume access to those APIs is freely available,
255Android may apply the new permission request to the app's manifest to avoid
256breaking the app on the new platform version.
257Android makes the decision as to whether an app might need the permission based on
258the value provided for the <a
259href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code targetSdkVersion}</a>
260attribute. If the value is lower than the version in which the permission was added, then
261Android adds the permission.</p>
262<p>For example, the {@link android.Manifest.permission#WRITE_EXTERNAL_STORAGE} permission was
263added in API level 4 to restrict access to the shared storage space. If your <a
264href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code targetSdkVersion}</a>
265is 3 or lower, this permission is added to your app on newer versions of Android.</p>
266
267<p class="caution">
268  <strong>Caution:</strong> If a permission is automatically added to your app,
269  your app listing on Google Play lists these additional permissions even
270  though your app might not actually require them.
271</p>
272
273<p>To avoid this and remove the default permissions you don't need, always update your <a
274href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code targetSdkVersion}</a>
275to be as high as possible. You can see which permissions were added with each release in the
276{@link android.os.Build.VERSION_CODES} documentation.</p>
277</div>
278
279<h2 id="normal-dangerous">Normal and Dangerous Permissions</h2>
280
281<p>
282  System permissions are divided into several protection levels. The two most
283  important protection levels to know about are <em>normal</em> and
284  <em>dangerous</em> permissions:
285</p>
286
287<ul>
288  <li>
289    <em>Normal</em> permissions cover areas where your app needs to access data
290    or resources outside the app's sandbox, but where there's very little risk
291    to the user's privacy or the operation of other apps. For example,
292    permission to set the time zone is a normal permission. If an app
293    declares that it needs a normal permission, the system automatically grants
294    the permission to the app. For a full listing of the current normal
295    permissions, see <a href="normal-permissions.html">Normal permissions</a>.
296  </li>
297
298  <li>
299    <em>Dangerous</em> permissions cover areas where the app wants data or
300    resources that involve the user's private information, or could potentially
301    affect the user's stored data or the operation of other apps. For example,
302    the ability to read the user's contacts is a dangerous permission. If an
303    app declares that it needs a dangerous permission, the user has to
304    explicitly grant the permission to the app.
305  </li>
306</ul>
307
308<div class="sidebox-wrapper">
309<div class="sidebox">
310  <h3 id="special_permissions">Special Permissions</h3>
311  <p>
312    There are a couple of permissions that don't behave like normal and
313    dangerous permissions. {@link android.Manifest.permission#SYSTEM_ALERT_WINDOW
314    SYSTEM_ALERT_WINDOW} and {@link android.Manifest.permission#WRITE_SETTINGS
315    WRITE_SETTINGS} are particularly sensitive, so most apps should not use
316    them. If an app needs one of these permissions, it must declare the
317    permission in the manifest, <em>and</em> send an intent requesting the
318    user's authorization. The system responds to the intent by showing a
319    detailed management screen to the user.
320  </p>
321
322  <p>
323    For details on how to request these permissions, see the {@link
324    android.Manifest.permission#SYSTEM_ALERT_WINDOW SYSTEM_ALERT_WINDOW} and
325    {@link android.Manifest.permission#WRITE_SETTINGS WRITE_SETTINGS} reference
326    entries.
327  </p>
328</div>
329</div>
330
331<h3 id="perm-groups">Permission groups</h3>
332
333<p>
334  All dangerous Android system permissions belong to permission groups.
335  If the device is running Android 6.0 (API level 23) and the app's <a href=
336  "{@docRoot}guide/topics/manifest/uses-sdk-element.html#target"
337  ><code>targetSdkVersion</code></a> is 23 or higher, the following system
338  behavior applies when your app requests a dangerous permission:
339</p>
340
341<ul>
342  <li>If an app requests a dangerous permission listed in its manifest, and the app
343  does not currently have any permissions in the permission group, the system
344  shows a dialog box to the user describing the permission group that the app
345  wants access to. The dialog box does not describe the specific permission
346  within that group. For example, if an app requests the {@link
347  android.Manifest.permission#READ_CONTACTS READ_CONTACTS} permission, the
348  system dialog box just says the app needs access to the device's contacts. If
349  the user grants approval, the system gives the app just the permission it
350  requested.
351  </li>
352
353  <li>If an app requests a dangerous permission listed in its manifest, and the app
354  already has another dangerous permission in the same permission group, the
355  system immediately grants the permission without any interaction with the
356  user. For example, if an app had previously requested and been granted the
357  {@link android.Manifest.permission#READ_CONTACTS READ_CONTACTS} permission,
358  and it then requests {@link android.Manifest.permission#WRITE_CONTACTS
359  WRITE_CONTACTS}, the system immediately grants that permission.
360  </li>
361</ul>
362
363<p class="aside">
364  Any permission can belong to a permission group, including normal permissions
365  and permissions defined by your app.
366  However, a permission's group only affects the user experience if the
367  permission is dangerous. You can ignore the permission group for normal
368  permissions.
369</p>
370
371<p>
372  If the device is running Android 5.1 (API level 22) or lower, or the app's
373  <a href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target"
374  ><code>targetSdkVersion</code></a> is 22 or lower, the system asks the user
375  to grant the permissions at install time. Once again, the system just tells
376  the user what permission <em>groups</em> the app needs, not the individual
377  permissions.
378</p>
379
380<p class="table-caption" id="permission-groups">
381  <strong>Table 1.</strong> Dangerous permissions and permission groups.</p>
382<table>
383  <tr>
384    <th scope="col">Permission Group</th>
385    <th scope="col">Permissions</th>
386  </tr>
387
388  <tr>
389    <td>{@link android.Manifest.permission_group#CALENDAR CALENDAR}</td>
390    <td>
391      <ul>
392        <li>
393          {@link android.Manifest.permission#READ_CALENDAR READ_CALENDAR}
394        </li>
395      </ul>
396      <ul>
397        <li>
398          {@link android.Manifest.permission#WRITE_CALENDAR WRITE_CALENDAR}
399        </li>
400      </ul>
401    </td>
402  </tr>
403
404  <tr>
405    <td>{@link android.Manifest.permission_group#CAMERA CAMERA}</td>
406    <td>
407      <ul>
408        <li>
409          {@link android.Manifest.permission#CAMERA CAMERA}
410        </li>
411      </ul>
412    </td>
413  </tr>
414
415  <tr>
416    <td>{@link android.Manifest.permission_group#CONTACTS CONTACTS}</td>
417    <td>
418      <ul>
419        <li>
420          {@link android.Manifest.permission#READ_CONTACTS READ_CONTACTS}
421        </li>
422        <li>
423          {@link android.Manifest.permission#WRITE_CONTACTS WRITE_CONTACTS}
424        </li>
425        <li>
426          {@link android.Manifest.permission#GET_ACCOUNTS GET_ACCOUNTS}
427        </li>
428      </ul>
429    </td>
430  </tr>
431
432  <tr>
433    <td>{@link android.Manifest.permission_group#LOCATION LOCATION}</td>
434    <td>
435      <ul>
436        <li>
437          {@link android.Manifest.permission#ACCESS_FINE_LOCATION ACCESS_FINE_LOCATION}
438        </li>
439        <li>
440          {@link android.Manifest.permission#ACCESS_COARSE_LOCATION ACCESS_COARSE_LOCATION}
441        </li>
442      </ul>
443    </td>
444  </tr>
445
446  <tr>
447    <td>{@link android.Manifest.permission_group#MICROPHONE MICROPHONE}</td>
448    <td>
449      <ul>
450        <li>
451          {@link android.Manifest.permission#RECORD_AUDIO RECORD_AUDIO}
452        </li>
453      </ul>
454    </td>
455  </tr>
456
457  <tr>
458    <td>{@link android.Manifest.permission_group#PHONE PHONE}</td>
459    <td>
460      <ul>
461        <li>
462          {@link android.Manifest.permission#READ_PHONE_STATE READ_PHONE_STATE}
463        </li>
464        <li>
465          {@link android.Manifest.permission#CALL_PHONE CALL_PHONE}
466        </li>
467        <li>
468          {@link android.Manifest.permission#READ_CALL_LOG READ_CALL_LOG}
469        </li>
470        <li>
471          {@link android.Manifest.permission#WRITE_CALL_LOG WRITE_CALL_LOG}
472        </li>
473        <li>
474          {@link android.Manifest.permission#ADD_VOICEMAIL ADD_VOICEMAIL}
475        </li>
476        <li>
477          {@link android.Manifest.permission#USE_SIP USE_SIP}
478        </li>
479        <li>
480          {@link android.Manifest.permission#PROCESS_OUTGOING_CALLS PROCESS_OUTGOING_CALLS}
481        </li>
482      </ul>
483    </td>
484  </tr>
485
486  <tr>
487    <td>{@link android.Manifest.permission_group#SENSORS SENSORS}</td>
488    <td>
489      <ul>
490        <li>
491          {@link android.Manifest.permission#BODY_SENSORS BODY_SENSORS}
492        </li>
493      </ul>
494    </td>
495  </tr>
496
497  <tr>
498    <td>{@link android.Manifest.permission_group#SMS SMS}</td>
499    <td>
500      <ul>
501        <li>
502          {@link android.Manifest.permission#SEND_SMS SEND_SMS}
503        </li>
504        <li>
505          {@link android.Manifest.permission#RECEIVE_SMS RECEIVE_SMS}
506        </li>
507        <li>
508          {@link android.Manifest.permission#READ_SMS READ_SMS}
509        </li>
510        <li>
511          {@link android.Manifest.permission#RECEIVE_WAP_PUSH RECEIVE_WAP_PUSH}
512        </li>
513        <li>
514          {@link android.Manifest.permission#RECEIVE_MMS RECEIVE_MMS}
515        </li>
516      </ul>
517    </td>
518  </tr>
519
520  <tr>
521    <td>
522      {@link android.Manifest.permission_group#STORAGE STORAGE}
523    </td>
524    <td>
525      <ul>
526        <li>
527          {@link android.Manifest.permission#READ_EXTERNAL_STORAGE
528              READ_EXTERNAL_STORAGE}
529        </li>
530        <li>
531          {@link android.Manifest.permission#WRITE_EXTERNAL_STORAGE
532              WRITE_EXTERNAL_STORAGE}
533        </li>
534      </ul>
535    </td>
536  </tr>
537
538</table>
539
540
541<a name="declaring"></a>
542<h2 id="defining">Defining and Enforcing Permissions</h2>
543
544<p>
545  To enforce your own permissions, you must first declare them in your
546  <code>AndroidManifest.xml</code> using one or more <a href=
547  "{@docRoot}guide/topics/manifest/permission-element.html"><code>&lt;permission&gt;</code></a>
548  elements.
549</p>
550
551<p>For example, an application that wants to control who can start one
552of its activities could declare a permission for this operation as follows:</p>
553
554<pre>&lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot;
555    package=&quot;com.example.myapp&quot; &gt;
556    &lt;permission android:name=&quot;com.example.myapp.permission.DEADLY_ACTIVITY&quot;
557        android:label=&quot;&#64;string/permlab_deadlyActivity&quot;
558        android:description=&quot;&#64;string/permdesc_deadlyActivity&quot;
559        android:permissionGroup=&quot;android.permission-group.COST_MONEY&quot;
560        android:protectionLevel=&quot;dangerous&quot; /&gt;
561    ...
562&lt;/manifest&gt;</pre>
563
564<p class="note">
565  <strong>Note:</strong> The system does not allow multiple packages to declare
566  a permission with the same name, unless all the packages are signed with the
567  same certificate. If a package declares a permission, the system does not permit
568  the user to install other packages with the same permission name, unless
569  those packages are signed with the same certificate as the first package. To
570  avoid naming collisions, we recommend using reverse-domain-style naming for custom
571  permissions, for example <code>com.example.myapp.ENGAGE_HYPERSPACE</code>.
572</p>
573
574<p>The {@link android.R.styleable#AndroidManifestPermission_protectionLevel
575protectionLevel} attribute is required, telling the system how the
576user is to be informed of applications requiring the permission, or who is
577allowed to hold that permission, as described in the linked documentation.</p>
578
579<p>
580  The <a href=
581  "{@docRoot}guide/topics/manifest/permission-group-element.html"
582  ><code>android:permissionGroup</code></a>
583  attribute is optional, and only used to help the system display permissions
584  to the user. In most cases you will want to set this to a standard system
585  group (listed in {@link android.Manifest.permission_group
586  android.Manifest.permission_group}), although you can define a group yourself.
587  It is preferable to use an existing group, as this simplifies the
588  permission UI shown to the user.
589</p>
590
591<p>You need to supply both a label and description for the
592permission. These are string resources that the user can see when
593they are viewing a list of permissions
594(<code>{@link android.R.styleable#AndroidManifestPermission_label android:label}</code>)
595or details on a single permission (
596<code>{@link android.R.styleable#AndroidManifestPermission_description android:description}</code>).
597The label should be short; a few words
598describing the key piece of functionality the permission is protecting. The
599description should be a couple of sentences describing what the permission allows
600a holder to do. Our convention is a two-sentence description:
601the first sentence describes the permission, and the second sentence warns the
602user of the type of things that can go wrong if an application is granted the
603permission.</p>
604
605<p>Here is an example of a label and description for the CALL_PHONE
606permission:</p>
607
608<pre>
609&lt;string name=&quot;permlab_callPhone&quot;&gt;directly call phone numbers&lt;/string&gt;
610&lt;string name=&quot;permdesc_callPhone&quot;&gt;Allows the application to call
611    phone numbers without your intervention. Malicious applications may
612    cause unexpected calls on your phone bill. Note that this does not
613    allow the application to call emergency numbers.&lt;/string&gt;
614</pre>
615
616<p>You can view at the permissions currently defined in the system using the
617Settings app and the shell command <code>adb shell pm list permissions</code>.
618To use the Settings app, go to <b>Settings</b> &gt; <b>Applications</b>.  Pick an app and
619scroll down to see the permissions that the app uses. For developers, the adb '-s'
620option displays the permissions in a form similar to how the user will see them:</p>
621
622<pre class="no-pretty-print">
623$ adb shell pm list permissions -s
624All Permissions:
625
626Network communication: view Wi-Fi state, create Bluetooth connections, full
627Internet access, view network state
628
629Your location: access extra location provider commands, fine (GPS) location,
630mock location sources for testing, coarse (network-based) location
631
632Services that cost you money: send SMS messages, directly call phone numbers
633
634...</pre>
635
636<h3 id="custom-recommendations">
637  Custom permission recommendations
638</h3>
639
640<p>
641  Apps can define their own custom permissions and request custom permissions
642  from other apps by defining <a href=
643  "{@docRoot}guide/topics/manifest/uses-permission-element.html"><code
644  >&lt;uses-permission&gt;</code></a> elements.
645  However, you should carefully assess whether it is necessary for your app to
646  do so.
647</p>
648
649<ul>
650  <li>If you are designing a suite of apps that expose functionality to one
651  another, try to design the apps so that each permission is defined only once.
652  You must do this if the apps are not all signed with the same certificate.
653  Even if the apps are all signed with the same certificate, it's a
654  best practice to define each permission once only.
655  </li>
656
657  <li>If the functionality is only available to apps signed with the same
658  signature as the providing app, you may be able to avoid defining custom
659  permissions by using signature checks. When one of your apps makes a request
660  of another of your apps, the second app can verify that both apps are signed
661  with the same certificate before complying with the request.
662  </li>
663
664  <li>If you are developing a suite of apps runs only on your own
665  devices, you should develop and install a package that
666  manages permissions for all the apps in the suite. This package does not need
667  to provide any services itself. It just declares all the permissions, and the
668  other apps in the suite request those permissions with the <a href=
669  "{@docRoot}guide/topics/manifest/uses-permission-element.html"><code
670  >&lt;uses-permission&gt;</code></a>
671  element.
672  </li>
673</ul>
674
675<a name="manifest"></a>
676<h3>Enforcing Permissions in AndroidManifest.xml</h3>
677
678<p>You can apply high-level permissions restricting access to entire components
679of the system or application through your
680<code>AndroidManifest.xml</code>. To do this, include an {@link
681android.R.attr#permission android:permission} attribute on the desired
682component, naming the permission that controls access to
683it.</p>
684
685<p><strong>{@link android.app.Activity}</strong> permissions
686(applied to the
687{@link android.R.styleable#AndroidManifestActivity &lt;activity&gt;} tag)
688restrict who can start the associated
689activity.  The permission is checked during
690{@link android.content.Context#startActivity Context.startActivity()} and
691{@link android.app.Activity#startActivityForResult Activity.startActivityForResult()};
692if the caller does not have
693the required permission then {@link java.lang.SecurityException} is thrown
694from the call.</p>
695
696<p><strong>{@link android.app.Service}</strong> permissions
697(applied to the
698{@link android.R.styleable#AndroidManifestService &lt;service&gt;} tag)
699restrict who can start or bind to the
700associated service.  The permission is checked during
701{@link android.content.Context#startService Context.startService()},
702{@link android.content.Context#stopService Context.stopService()} and
703{@link android.content.Context#bindService Context.bindService()};
704if the caller does not have
705the required permission then {@link java.lang.SecurityException} is thrown
706from the call.</p>
707
708<p><strong>{@link android.content.BroadcastReceiver}</strong> permissions
709(applied to the
710{@link android.R.styleable#AndroidManifestReceiver &lt;receiver&gt;} tag)
711restrict who can send broadcasts to the associated receiver.
712The permission is checked <em>after</em>
713{@link android.content.Context#sendBroadcast Context.sendBroadcast()} returns,
714as the system tries
715to deliver the submitted broadcast to the given receiver.  As a result, a
716permission failure will not result in an exception being thrown back to the
717caller; it will just not deliver the intent.  In the same way, a permission
718can be supplied to
719{@link android.content.Context#registerReceiver(android.content.BroadcastReceiver, android.content.IntentFilter, String, android.os.Handler)
720Context.registerReceiver()}
721to control who can broadcast to a programmatically registered receiver.
722Going the other way, a permission can be supplied when calling
723{@link android.content.Context#sendBroadcast(Intent, String) Context.sendBroadcast()}
724to restrict which BroadcastReceiver objects are allowed to receive the broadcast (see
725below).</p>
726
727<p><strong>{@link android.content.ContentProvider}</strong> permissions
728(applied to the
729{@link android.R.styleable#AndroidManifestProvider &lt;provider&gt;} tag)
730restrict who can access the data in
731a {@link android.content.ContentProvider}.  (Content providers have an important
732additional security facility available to them called
733<a href="#uri">URI permissions</a> which is described later.)
734Unlike the other components,
735there are two separate permission attributes you can set:
736{@link android.R.attr#readPermission android:readPermission} restricts who
737can read from the provider, and
738{@link android.R.attr#writePermission android:writePermission} restricts
739who can write to it.  Note that if a provider is protected with both a read
740and write permission, holding only the write permission does not mean
741you can read from a provider.  The permissions are checked when you first
742retrieve a provider (if you don't have either permission, a SecurityException
743will be thrown), and as you perform operations on the provider.  Using
744{@link android.content.ContentResolver#query ContentResolver.query()} requires
745holding the read permission; using
746{@link android.content.ContentResolver#insert ContentResolver.insert()},
747{@link android.content.ContentResolver#update ContentResolver.update()},
748{@link android.content.ContentResolver#delete ContentResolver.delete()}
749requires the write permission.
750In all of these cases, not holding the required permission results in a
751{@link java.lang.SecurityException} being thrown from the call.</p>
752
753
754<a name="broadcasts"></a>
755<h3>Enforcing Permissions when Sending Broadcasts</h3>
756
757<p>In addition to the permission enforcing who can send Intents to a
758registered {@link android.content.BroadcastReceiver} (as described above), you
759can also specify a required permission when sending a broadcast. By calling {@link
760android.content.Context#sendBroadcast(android.content.Intent,String)
761Context.sendBroadcast()} with a
762permission string, you require that a receiver's application must hold that
763permission in order to receive your broadcast.</p>
764
765<p>Note that both a receiver and a broadcaster can require a permission. When
766this happens, both permission checks must pass for the Intent to be delivered
767to the associated target.</p>
768
769
770<a name="enforcement"></a>
771<h3>Other Permission Enforcement</h3>
772
773<p>Arbitrarily fine-grained permissions can be enforced at any call into a
774service. This is accomplished with the {@link
775android.content.Context#checkCallingPermission Context.checkCallingPermission()}
776method. Call with a desired
777permission string and it will return an integer indicating whether that
778permission has been granted to the current calling process. Note that this can
779only be used when you are executing a call coming in from another process,
780usually through an IDL interface published from a service or in some other way
781given to another process.</p>
782
783<p>There are a number of other useful ways to check permissions. If you have
784the pid of another process, you can use the Context method {@link
785android.content.Context#checkPermission(String, int, int) Context.checkPermission(String, int, int)}
786to check a permission against that pid. If you have the package name of another
787application, you can use the direct PackageManager method {@link
788android.content.pm.PackageManager#checkPermission(String, String)
789PackageManager.checkPermission(String, String)}
790to find out whether that particular package has been granted a specific permission.</p>
791
792
793<a name="uri"></a>
794<h2>URI Permissions</h2>
795
796<p>The standard permission system described so far is often not sufficient
797when used with content providers.  A content provider may want to
798protect itself with read and write permissions, while its direct clients
799also need to hand specific URIs to other applications for them to operate on.
800A typical example is attachments in a mail application.  Access to the mail
801should be protected by permissions, since this is sensitive user data.  However,
802if a URI to an image attachment is given to an image viewer, that image viewer
803will not have permission to open the attachment since it has no reason to hold
804a permission to access all e-mail.</p>
805
806<p>The solution to this problem is per-URI permissions: when starting an
807activity or returning a result to an activity, the caller can set
808{@link android.content.Intent#FLAG_GRANT_READ_URI_PERMISSION
809Intent.FLAG_GRANT_READ_URI_PERMISSION} and/or
810{@link android.content.Intent#FLAG_GRANT_WRITE_URI_PERMISSION
811Intent.FLAG_GRANT_WRITE_URI_PERMISSION}.  This grants the receiving activity
812permission access the specific data URI in the Intent, regardless of whether
813it has any permission to access data in the content provider corresponding
814to the Intent.</p>
815
816<p>This mechanism allows a common capability-style model where user interaction
817(opening an attachment, selecting a contact from a list, etc) drives ad-hoc
818granting of fine-grained permission.  This can be a key facility for reducing
819the permissions needed by applications to only those directly related to their
820behavior.</p>
821
822<p>The granting of fine-grained URI permissions does, however, require some
823cooperation with the content provider holding those URIs.  It is strongly
824recommended that content providers implement this facility, and declare that
825they support it through the
826{@link android.R.styleable#AndroidManifestProvider_grantUriPermissions
827android:grantUriPermissions} attribute or
828{@link android.R.styleable#AndroidManifestGrantUriPermission
829&lt;grant-uri-permissions&gt;} tag.</p>
830
831<p>More information can be found in the
832{@link android.content.Context#grantUriPermission Context.grantUriPermission()},
833{@link android.content.Context#revokeUriPermission Context.revokeUriPermission()}, and
834{@link android.content.Context#checkUriPermission Context.checkUriPermission()}
835methods.</p>
836
837<div class="next-docs">
838<div class="col-6">
839  <h2 class="norule">Continue reading about:</h2>
840  <dl>
841    <dt><a href="{@docRoot}guide/topics/manifest/uses-feature-element.html#permissions"
842        >Permissions that Imply Feature Requirements</a></dt>
843    <dd>Information about how requesting some permissions will implicitly restrict your app
844    to devices that include the corresponding hardware or software feature.</dd>
845    <dt><a href="{@docRoot}guide/topics/manifest/uses-permission-element.html">{@code
846    <uses-permission>}</a></dt>
847    <dd>API reference for the manifest tag that declare's your app's required system permissions.
848    </dd>
849    <dt>{@link android.Manifest.permission}</dt>
850    <dd>API reference for all system permissions.</dd>
851  </dl>
852</div>
853<div class="col-6">
854  <h2 class="norule">You might also be interested in:</h2>
855  <dl>
856    <dt><a href="{@docRoot}guide/practices/compatibility.html"
857        >Device Compatibility</a></dt>
858    <dd>Information about Android works on different types of devices and an introduction
859    to how you can optimize your app for each device or restrict your app's availability
860    to different devices.</dd>
861    <dt><a href="http://source.android.com/devices/tech/security/index.html"
862        class="external-link">Android Security Overview</a></dt>
863    <dd>A detailed discussion about the Android platform's security model.</dd>
864  </dl>
865</div>
866</div>
867