Android provides a standard set of permissions that your app can use to control access to its components, but you can also create your own permissions.
An app can create a permission by adding a
<permission> element to its
AndroidManifest.xml file. The protection level can be set via the
<manifest …> <permission android:name="com.example.myamazingapp.SOME_PERMISSION" android:protectionLevel="dangerous"> … </manifest>
In the above example the
myamazingapp creates the dangerous permission
In the next step we will show how
myamazingapp can use this permission to protect its components, and how other apps can request this permission.
Choosing the protection level
When defining your own permissions you must carefully consider the protection level you give them.
Normal permissions are automatically granted to any app that requests them, therefore the protection they offer is more at the level of limiting the consequences of an app breach to those capabilities for which the app has requested permission, rather than preventing a malicious app from accessing your app’s components.
For permissions that will only be used by apps from the same developer (you) it is recommended to set the protection level to signature.
Signature protection level permissions are automatically granted to any requesting app signed with the same key (as the app that defines the permission). This improves the user experience, as the user does not have to explicitly grant the permission to a requesting app, whilst at the same time it prevents other apps (not by the same developer) from acquiring the permission.
If you want to allow other developers to access your app’s components, but also want to strongly protect against malicious apps accessing your data, then you must set the protection level to dangerous. Doing so will require the user to explicitly grant the permission to any app that requests it.
© University of Southampton 2017