Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This compliant solution shows the permissions set in the manifest that prevent the service shown in the noncompliant code example from being started by an inappropriate application:

Disclaimer: the code below is preliminary. and modifed from an answer from stackoverflow.

Code Block
bgColor#CCCCFF
//base app manifest

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <permission android:name="customPermission" android:protectionLevel="dangerous" ...></permission>
    <application ...>
        <activity
            android:permission="customPermission"
            ... >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
            <intent-filter >
                <action android:name="package_name.MyAction" />
                <category android:name="android.intent.category.DEFAULT" />                
            </intent-filter>
        </activity>
    </application>
</manifest>
 
//apps who wish to use base app manifest
<manifest ...>
<uses-permission
     android:name="customPermission"
     android:maxSdkVersion=.. />
...
</manifest>
 
//in the activities of these apps where we want to use the base-app's activity under protection
Intent in = new Intent();
in.setAction("package_name.MyAction");
in.addCategory("android.intent.category.DEFAULT");
startActivity(in);

The above is a general example on how to use custom permission. There are also other types of permissions aside from "dangerous" .  Please note that the order the  of how the apps are started also affect how permission works [Murphy 2011].

Risk Assessment

Failing to protect an exported service with strong permissions may lead to sensitive data being revealed or to denial of service.

...

TODO: edit code section, add bibliography

...



...