Want to keep learning?

This content is taken from the University of Southampton's online course, Secure Android App Development. Join the course to learn more.

Creating permissions

Android provides a standard set of permissions that your app can use to control access to its components, but you can also create your own permissions.

An app can create a permission by adding a <permission> element to its AndroidManifest.xml file. The protection level can be set via the android:protectionLevel attribute.

<manifest >
  <permission android:name="com.example.myamazingapp.SOME_PERMISSION"

In the above example the myamazingapp creates the dangerous permission SOME_PERMISSION.

In the next step we will show how myamazingapp can use this permission to protect its components, and how other apps can request this permission.

Choosing the protection level

When defining your own permissions you must carefully consider the protection level you give them.

Normal permissions are automatically granted to any app that requests them, therefore the protection they offer is more at the level of limiting the consequences of an app breach to those capabilities for which the app has requested permission, rather than preventing a malicious app from accessing your app’s components.

For permissions that will only be used by apps from the same developer (you) it is recommended to set the protection level to signature.

Signature protection level permissions are automatically granted to any requesting app signed with the same key (as the app that defines the permission). This improves the user experience, as the user does not have to explicitly grant the permission to a requesting app, whilst at the same time it prevents other apps (not by the same developer) from acquiring the permission.

If you want to allow other developers to access your app’s components, but also want to strongly protect against malicious apps accessing your data, then you must set the protection level to dangerous. Doing so will require the user to explicitly grant the permission to any app that requests it.

Share this article:

This article is from the free online course:

Secure Android App Development

University of Southampton