1 page.title=System Permissions 2 @jd:body 3 4 <div id="qv-wrapper"> 5 <div id="qv"> 6 7 <h2>In this document</h2> 8 <ol> 9 <li><a href="#arch">Security Architecture</a></li> 10 <li><a href="#signing">Application Signing</a></li> 11 <li><a href="#userid">User IDs and File Access</a></li> 12 <li><a href="#permissions">Using Permissions</a></li> 13 <li><a href="#declaring">Declaring and Enforcing Permissions</a> 14 <ol> 15 <li><a href="#manifest">...in AndroidManifest.xml</a></li> 16 <li><a href="#broadcasts">...when Sending Broadcasts</a></li> 17 <li><a href="#enforcement">Other Permission Enforcement</a></li> 18 </ol></li> 19 <li><a href="#uri">URI Permissions</a></li> 20 </ol> 21 </div> 22 </div> 23 24 <p>Android is a privilege-separated operating system, in which each 25 application runs with a distinct system identity (Linux user ID and group 26 ID). Parts of the system are also separated into distinct identities. 27 Linux thereby isolates applications from each other and from the system.</p> 28 29 <p>Additional finer-grained security features are provided through a 30 "permission" mechanism that enforces restrictions on the specific operations 31 that a particular process can perform, and per-URI permissions for granting 32 ad hoc access to specific pieces of data.</p> 33 34 <p>This document describes how application developers can use the 35 security features provided by Android. A more general <a 36 href="http://source.android.com/tech/security/index.html"> Android Security 37 Overview</a> is provided in the Android Open Source Project.</p> 38 39 40 <a name="arch"></a> 41 <h2>Security Architecture</h2> 42 43 <p>A central design point of the Android security architecture is that no 44 application, by default, has permission to perform any operations that would 45 adversely impact other applications, the operating system, or the user. This 46 includes reading or writing the user's private data (such as contacts or 47 emails), reading or writing another application's files, performing 48 network access, keeping the device awake, and so on.</p> 49 50 <p>Because each Android application operates in a process sandbox, applications 51 must explicitly share resources and data. They do this by declaring the 52 <em>permissions</em> they need for additional capabilities not provided by 53 the basic sandbox. Applications statically declare the permissions they 54 require, and the Android system prompts the user for consent at the time the 55 application is installed.</p> 56 57 <p>The application sandbox does not depend on the technology used to build 58 an application. In particular the Dalvik VM is not a security boundary, and 59 any app can run native code (see <a href="/sdk/ndk/index.html">the Android 60 NDK</a>). All types of applications — Java, native, and hybrid — 61 are sandboxed in the same way and have the same degree of security from each 62 other.</p> 63 64 65 <a name="signing"></a> 66 <h2>Application Signing</h2> 67 68 <p>All APKs ({@code .apk} files) must be signed with a certificate 69 whose private key is held by their developer. This certificate identifies 70 the author of the application. The certificate does <em>not</em> need to be 71 signed by a certificate authority; it is perfectly allowable, and typical, 72 for Android applications to use self-signed certificates. The purpose of 73 certificates in Android is to distinguish application authors. This allows 74 the system to grant or deny applications access to <a 75 href="/guide/topics/manifest/permission-element.html#plevel">signature-level 76 permissions</a> and to grant or deny an application's <a 77 href="/guide/topics/manifest/manifest-element.html#uid">request to be given 78 the same Linux identity</a> as another application.</p> 79 80 <a name="userid"></a> 81 <h2>User IDs and File Access</h2> 82 83 <p>At install time, Android gives each package a distinct Linux user ID. The 84 identity remains constant for the duration of the package's life on that 85 device. On a different device, the same package may have a different UID; 86 what matters is that each package has a distinct UID on a given device.</p> 87 88 <p>Because security enforcement happens at the 89 process level, the code of any two packages cannot normally 90 run in the same process, since they need to run as different Linux users. 91 You can use the {@link android.R.attr#sharedUserId} attribute in the 92 <code>AndroidManifest.xml</code>'s 93 {@link android.R.styleable#AndroidManifest manifest} tag of each package to 94 have them assigned the same user ID. By doing this, for purposes of security 95 the two packages are then treated as being the same application, with the same 96 user ID and file permissions. Note that in order to retain security, only two applications 97 signed with the same signature (and requesting the same sharedUserId) will 98 be given the same user ID.</p> 99 100 <p>Any data stored by an application will be assigned that application's user 101 ID, and not normally accessible to other packages. When creating a new file 102 with {@link android.content.Context#getSharedPreferences}, 103 {@link android.content.Context#openFileOutput}, or 104 {@link android.content.Context#openOrCreateDatabase}, 105 you can use the 106 {@link android.content.Context#MODE_WORLD_READABLE} and/or 107 {@link android.content.Context#MODE_WORLD_WRITEABLE} flags to allow any other 108 package to read/write the file. When setting these flags, the file is still 109 owned by your application, but its global read and/or write permissions have 110 been set appropriately so any other application can see it.</p> 111 112 113 <a name="permissions"></a> 114 <h2>Using Permissions</h2> 115 116 <p>A basic Android application has no permissions associated with it by default, 117 meaning it cannot do anything that would adversely impact the user experience 118 or any data on the device. To make use of protected features of the device, 119 you must include in your <code>AndroidManifest.xml</code> one or more 120 <code>{@link android.R.styleable#AndroidManifestUsesPermission <uses-permission>}</code> 121 tags declaring the permissions that your application needs.</p> 122 123 <p>For example, an application that needs to monitor incoming SMS messages would 124 specify:</p> 125 126 <pre><manifest xmlns:android="http://schemas.android.com/apk/res/android"; 127 package="com.android.app.myapp" > 128 <uses-permission android:name="android.permission.RECEIVE_SMS" /> 129 ... 130 </manifest></pre> 131 132 <p>At application install time, permissions requested by the application are 133 granted to it by the package installer, based on checks against the 134 signatures of the applications declaring those permissions and/or interaction 135 with the user. <em>No</em> checks with the user 136 are done while an application is running; the app is either granted a particular 137 permission when installed, and can use that feature as desired, or the 138 permission is not granted and any attempt to use the feature fails 139 without prompting the user.</p> 140 141 <p>Often times a permission failure will result in a {@link 142 java.lang.SecurityException} being thrown back to the application. However, 143 this is not guaranteed to occur everywhere. For example, the {@link 144 android.content.Context#sendBroadcast} method checks permissions as data is 145 being delivered to each receiver, after the method call has returned, so you 146 will not receive an exception if there are permission failures. In almost all 147 cases, however, a permission failure will be printed to the system log.</p> 148 149 <p>However, in a normal user situation (such as when the app is installed 150 from Google Play Store), an app cannot be installed if the user does not grant the app 151 each of the requested permissions. So you generally don't need to worry about runtime failures 152 caused by missing permissions because the mere fact that the app is installed at all 153 means that your app has been granted its desired permissions.</p> 154 155 <p>The permissions provided by the Android system can be found at {@link 156 android.Manifest.permission}. Any application may also define and enforce its 157 own permissions, so this is not a comprehensive list of all possible 158 permissions.</p> 159 160 <p>A particular permission may be enforced at a number of places during your 161 program's operation:</p> 162 163 <ul> 164 <li>At the time of a call into the system, to prevent an application from 165 executing certain functions.</li> 166 <li>When starting an activity, to prevent applications from launching 167 activities of other applications.</li> 168 <li>Both sending and receiving broadcasts, to control who can receive 169 your broadcast or who can send a broadcast to you.</li> 170 <li>When accessing and operating on a content provider.</li> 171 <li>Binding to or starting a service.</li> 172 </ul> 173 174 175 176 <div class="caution"> 177 <p><strong>Caution:</strong> Over time, 178 new restrictions may be added to the platform such that, in order 179 to use certain APIs, your app must request a permission that it previously did not need. 180 Because existing apps assume access to those APIs is freely available, 181 Android may apply the new permission request to the app's manifest to avoid 182 breaking the app on the new platform version. 183 Android makes the decision as to whether an app might need the permission based on 184 the value provided for the <a 185 href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code targetSdkVersion}</a> 186 attribute. If the value is lower than the version in which the permission was added, then 187 Android adds the permission.</p> 188 <p>For example, the {@link android.Manifest.permission#WRITE_EXTERNAL_STORAGE} permission was 189 added in API level 4 to restrict access to the shared storage space. If your <a 190 href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code targetSdkVersion}</a> 191 is 3 or lower, this permission is added to your app on newer versions of Android.</p> 192 <p>Beware that if this happens to your app, your app listing on Google Play will show these 193 required permissions even though your app might not actually require them.</p> 194 <p>To avoid this and remove the default permissions you don't need, always update your <a 195 href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code targetSdkVersion}</a> 196 to be as high as possible. You can see which permissions were added with each release in the 197 {@link android.os.Build.VERSION_CODES} documentation.</p> 198 </div> 199 200 201 202 <a name="declaring"></a> 203 <h2>Declaring and Enforcing Permissions</h2> 204 205 <p>To enforce your own permissions, you must first declare them in your 206 <code>AndroidManifest.xml</code> using one or more 207 <code>{@link android.R.styleable#AndroidManifestPermission <permission>}</code> 208 tags.</p> 209 210 <p>For example, an application that wants to control who can start one 211 of its activities could declare a permission for this operation as follows:</p> 212 213 <pre><manifest xmlns:android="http://schemas.android.com/apk/res/android"; 214 package="com.me.app.myapp" > 215 <permission android:name="com.me.app.myapp.permission.DEADLY_ACTIVITY" 216 android:label="@string/permlab_deadlyActivity" 217 android:description="@string/permdesc_deadlyActivity" 218 android:permissionGroup="android.permission-group.COST_MONEY" 219 android:protectionLevel="dangerous" /> 220 ... 221 </manifest></pre> 222 223 <p>The {@link android.R.styleable#AndroidManifestPermission_protectionLevel 224 <protectionLevel>} attribute is required, telling the system how the 225 user is to be informed of applications requiring the permission, or who is 226 allowed to hold that permission, as described in the linked documentation.</p> 227 228 <p>The {@link android.R.styleable#AndroidManifestPermission_permissionGroup 229 <permissionGroup>} attribute is optional, and only used to help the system display 230 permissions to the user. You will usually want to set this to either a standard 231 system group (listed in {@link android.Manifest.permission_group 232 android.Manifest.permission_group}) or in more rare cases to one defined by 233 yourself. It is preferred to use an existing group, as this simplifies the 234 permission UI shown to the user.</p> 235 236 <p>Note that both a label and description should be supplied for the 237 permission. These are string resources that can be displayed to the user when 238 they are viewing a list of permissions 239 (<code>{@link android.R.styleable#AndroidManifestPermission_label android:label}</code>) 240 or details on a single permission ( 241 <code>{@link android.R.styleable#AndroidManifestPermission_description android:description}</code>). 242 The label should be short, a few words 243 describing the key piece of functionality the permission is protecting. The 244 description should be a couple sentences describing what the permission allows 245 a holder to do. Our convention for the description is two sentences, the first 246 describing the permission, the second warning the user of what bad things 247 can happen if an application is granted the permission.</p> 248 249 <p>Here is an example of a label and description for the CALL_PHONE 250 permission:</p> 251 252 <pre> 253 <string name="permlab_callPhone">directly call phone numbers</string> 254 <string name="permdesc_callPhone">Allows the application to call 255 phone numbers without your intervention. Malicious applications may 256 cause unexpected calls on your phone bill. Note that this does not 257 allow the application to call emergency numbers.</string> 258 </pre> 259 260 <p>You can look at the permissions currently defined in the system with the 261 Settings app and the shell command <code>adb shell pm list permissions</code>. 262 To use the Settings app, go to Settings > Applications. Pick an app and 263 scroll down to see the permissions that the app uses. For developers, the adb '-s' 264 option displays the permissions in a form similar to how the user will see them:</p> 265 266 <pre> 267 $ adb shell pm list permissions -s 268 All Permissions: 269 270 Network communication: view Wi-Fi state, create Bluetooth connections, full 271 Internet access, view network state 272 273 Your location: access extra location provider commands, fine (GPS) location, 274 mock location sources for testing, coarse (network-based) location 275 276 Services that cost you money: send SMS messages, directly call phone numbers 277 278 ...</pre> 279 280 <a name="manifest"></a> 281 <h3>Enforcing Permissions in AndroidManifest.xml</h3> 282 283 <p>High-level permissions restricting access to entire components of the 284 system or application can be applied through your 285 <code>AndroidManifest.xml</code>. All that this requires is including an {@link 286 android.R.attr#permission android:permission} attribute on the desired 287 component, naming the permission that will be used to control access to 288 it.</p> 289 290 <p><strong>{@link android.app.Activity}</strong> permissions 291 (applied to the 292 {@link android.R.styleable#AndroidManifestActivity <activity>} tag) 293 restrict who can start the associated 294 activity. The permission is checked during 295 {@link android.content.Context#startActivity Context.startActivity()} and 296 {@link android.app.Activity#startActivityForResult Activity.startActivityForResult()}; 297 if the caller does not have 298 the required permission then {@link java.lang.SecurityException} is thrown 299 from the call.</p> 300 301 <p><strong>{@link android.app.Service}</strong> permissions 302 (applied to the 303 {@link android.R.styleable#AndroidManifestService <service>} tag) 304 restrict who can start or bind to the 305 associated service. The permission is checked during 306 {@link android.content.Context#startService Context.startService()}, 307 {@link android.content.Context#stopService Context.stopService()} and 308 {@link android.content.Context#bindService Context.bindService()}; 309 if the caller does not have 310 the required permission then {@link java.lang.SecurityException} is thrown 311 from the call.</p> 312 313 <p><strong>{@link android.content.BroadcastReceiver}</strong> permissions 314 (applied to the 315 {@link android.R.styleable#AndroidManifestReceiver <receiver>} tag) 316 restrict who can send broadcasts to the associated receiver. 317 The permission is checked <em>after</em> 318 {@link android.content.Context#sendBroadcast Context.sendBroadcast()} returns, 319 as the system tries 320 to deliver the submitted broadcast to the given receiver. As a result, a 321 permission failure will not result in an exception being thrown back to the 322 caller; it will just not deliver the intent. In the same way, a permission 323 can be supplied to 324 {@link android.content.Context#registerReceiver(android.content.BroadcastReceiver, android.content.IntentFilter, String, android.os.Handler) 325 Context.registerReceiver()} 326 to control who can broadcast to a programmatically registered receiver. 327 Going the other way, a permission can be supplied when calling 328 {@link android.content.Context#sendBroadcast(Intent, String) Context.sendBroadcast()} 329 to restrict which BroadcastReceiver objects are allowed to receive the broadcast (see 330 below).</p> 331 332 <p><strong>{@link android.content.ContentProvider}</strong> permissions 333 (applied to the 334 {@link android.R.styleable#AndroidManifestProvider <provider>} tag) 335 restrict who can access the data in 336 a {@link android.content.ContentProvider}. (Content providers have an important 337 additional security facility available to them called 338 <a href="#uri">URI permissions</a> which is described later.) 339 Unlike the other components, 340 there are two separate permission attributes you can set: 341 {@link android.R.attr#readPermission android:readPermission} restricts who 342 can read from the provider, and 343 {@link android.R.attr#writePermission android:writePermission} restricts 344 who can write to it. Note that if a provider is protected with both a read 345 and write permission, holding only the write permission does not mean 346 you can read from a provider. The permissions are checked when you first 347 retrieve a provider (if you don't have either permission, a SecurityException 348 will be thrown), and as you perform operations on the provider. Using 349 {@link android.content.ContentResolver#query ContentResolver.query()} requires 350 holding the read permission; using 351 {@link android.content.ContentResolver#insert ContentResolver.insert()}, 352 {@link android.content.ContentResolver#update ContentResolver.update()}, 353 {@link android.content.ContentResolver#delete ContentResolver.delete()} 354 requires the write permission. 355 In all of these cases, not holding the required permission results in a 356 {@link java.lang.SecurityException} being thrown from the call.</p> 357 358 359 <a name="broadcasts"></a> 360 <h3>Enforcing Permissions when Sending Broadcasts</h3> 361 362 <p>In addition to the permission enforcing who can send Intents to a 363 registered {@link android.content.BroadcastReceiver} (as described above), you 364 can also specify a required permission when sending a broadcast. By calling {@link 365 android.content.Context#sendBroadcast(android.content.Intent,String) 366 Context.sendBroadcast()} with a 367 permission string, you require that a receiver's application must hold that 368 permission in order to receive your broadcast.</p> 369 370 <p>Note that both a receiver and a broadcaster can require a permission. When 371 this happens, both permission checks must pass for the Intent to be delivered 372 to the associated target.</p> 373 374 375 <a name="enforcement"></a> 376 <h3>Other Permission Enforcement</h3> 377 378 <p>Arbitrarily fine-grained permissions can be enforced at any call into a 379 service. This is accomplished with the {@link 380 android.content.Context#checkCallingPermission Context.checkCallingPermission()} 381 method. Call with a desired 382 permission string and it will return an integer indicating whether that 383 permission has been granted to the current calling process. Note that this can 384 only be used when you are executing a call coming in from another process, 385 usually through an IDL interface published from a service or in some other way 386 given to another process.</p> 387 388 <p>There are a number of other useful ways to check permissions. If you have 389 the pid of another process, you can use the Context method {@link 390 android.content.Context#checkPermission(String, int, int) Context.checkPermission(String, int, int)} 391 to check a permission against that pid. If you have the package name of another 392 application, you can use the direct PackageManager method {@link 393 android.content.pm.PackageManager#checkPermission(String, String) 394 PackageManager.checkPermission(String, String)} 395 to find out whether that particular package has been granted a specific permission.</p> 396 397 398 <a name="uri"></a> 399 <h2>URI Permissions</h2> 400 401 <p>The standard permission system described so far is often not sufficient 402 when used with content providers. A content provider may want to 403 protect itself with read and write permissions, while its direct clients 404 also need to hand specific URIs to other applications for them to operate on. 405 A typical example is attachments in a mail application. Access to the mail 406 should be protected by permissions, since this is sensitive user data. However, 407 if a URI to an image attachment is given to an image viewer, that image viewer 408 will not have permission to open the attachment since it has no reason to hold 409 a permission to access all e-mail.</p> 410 411 <p>The solution to this problem is per-URI permissions: when starting an 412 activity or returning a result to an activity, the caller can set 413 {@link android.content.Intent#FLAG_GRANT_READ_URI_PERMISSION 414 Intent.FLAG_GRANT_READ_URI_PERMISSION} and/or 415 {@link android.content.Intent#FLAG_GRANT_WRITE_URI_PERMISSION 416 Intent.FLAG_GRANT_WRITE_URI_PERMISSION}. This grants the receiving activity 417 permission access the specific data URI in the Intent, regardless of whether 418 it has any permission to access data in the content provider corresponding 419 to the Intent.</p> 420 421 <p>This mechanism allows a common capability-style model where user interaction 422 (opening an attachment, selecting a contact from a list, etc) drives ad-hoc 423 granting of fine-grained permission. This can be a key facility for reducing 424 the permissions needed by applications to only those directly related to their 425 behavior.</p> 426 427 <p>The granting of fine-grained URI permissions does, however, require some 428 cooperation with the content provider holding those URIs. It is strongly 429 recommended that content providers implement this facility, and declare that 430 they support it through the 431 {@link android.R.styleable#AndroidManifestProvider_grantUriPermissions 432 android:grantUriPermissions} attribute or 433 {@link android.R.styleable#AndroidManifestGrantUriPermission 434 <grant-uri-permissions>} tag.</p> 435 436 <p>More information can be found in the 437 {@link android.content.Context#grantUriPermission Context.grantUriPermission()}, 438 {@link android.content.Context#revokeUriPermission Context.revokeUriPermission()}, and 439 {@link android.content.Context#checkUriPermission Context.checkUriPermission()} 440 methods.</p> 441 442 443 444 445 446 <div class="next-docs"> 447 <div class="col-6"> 448 <h2 class="norule">Continue reading about:</h2> 449 <dl> 450 <dt><a href="{@docRoot}guide/topics/manifest/uses-feature-element.html#permissions" 451 >Permissions that Imply Feature Requirements</a></dt> 452 <dd>Information about how requesting some permissions will implicitly restrict your app 453 to devices that include the corresponding hardware or software feature.</dd> 454 <dt><a href="{@docRoot}guide/topics/manifest/uses-permission-element.html">{@code 455 <uses-permission>}</a></dt> 456 <dd>API reference for the manifest tag that declare's your app's required system permissions. 457 </dd> 458 <dt>{@link android.Manifest.permission}</dt> 459 <dd>API reference for all system permissions.</dd> 460 </dl> 461 </div> 462 <div class="col-6"> 463 <h2 class="norule">You might also be interested in:</h2> 464 <dl> 465 <dt><a href="{@docRoot}guide/practices/compatibility.html" 466 >Device Compatibility</a></dt> 467 <dd>Information about Android works on different types of devices and an introduction 468 to how you can optimize your app for each device or restrict your app's availability 469 to different devices.</dd> 470 <dt><a href="{@docRoot}http://source.android.com/devices/tech/security/index.html" 471 class="external-link">Android Security Overview</a></dt> 472 <dd>A detailed discussion about the Android platform's security model.</dd> 473 </dl> 474 </div> 475 </div> 476
