In the previous step we looked at how to create permissions; now we will look at how to use them.
To request a permission an app must include a <uses-permission> tag in its AndroidManifest.xml file:

<manifest …>
    <uses-permission android:name="com.example.myamazingapp.SOME_PERMISSION" />
    …
</manifest>
This example requests the permission SOME_PERMISSION in order to access some capability provided by myamazingapp.
Android has many built-in permissions that an app can request. For example, an app can request access to the internet as follows:
<manifest …>
    <uses-permission android:name="android.permission.INTERNET" />
    …
</manifest>
If the requested permission is a dangerous permission the user will have to agree to grant the app that permission.
To use a permission to control access to a component an app can add an android:permission attribute to the component’s declaration in the app’s AndroidManifest.xml file:

<manifest …>
    <application …>
        <activity
            android:name="com.example.myamazingapp.SomeActivity"
            android:permission="com.example.myamazingapp.SOME_PERMISSION">
        </activity>
    </application>
</manifest>
In the above example, for an app to start SomeActivity (a component of myamazingapp) it must have requested, and been granted, the permission SOME_PERMISSION.
The android:permission attribute can also be set for the <application> element in the app’s AndroidManifest.xml file. This becomes the overall default permission for all the app’s components that do not have their own android:permission attribute.
Permissions and the Principle of Least Privilege
The tag <uses-permission> is used to request a permission, and the attribute android:permission is used to enforce a permission.
If a component enforces a particular permission, then your app must request that permission if it wants to access that component.
Following the Principle of Least Privilege, only request those permissions that your app really needs to perform its function.
Dangerous permissions and Android 6.0
From Android 6.0 (API level 23) onwards the user is asked to grant dangerous permissions requested by an app when that app is run, not when it is installed.
If your app’s target SDK is 23 or higher, and the device is running Android 6.0 or higher, then in addition to requesting permissions in your app’s AndroidManifest.xml file your app must also call requestPermissions() to request them at runtime.
Moreover, the user can revoke an app’s permissions at any time, so your app should call checkSelfPermission() to determine if it has the permissions it needs whenever it performs an operation that needs a dangerous permission. See the Android documentation for further details.
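The runtime check-then-request flow described above, as an added example that is not part of the original course material. It assumes a minimum SDK of 23 and that READ_CONTACTS is also declared with <uses-permission> in the manifest; the activity name, request code and helper methods are hypothetical.

```java
package com.example.myamazingapp;

import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.provider.ContactsContract;
import android.widget.Toast;

// Hypothetical activity; assumes minSdkVersion 23 so the Activity methods below exist.
public class ContactsActivity extends Activity {
    private static final int REQUEST_READ_CONTACTS = 1; // arbitrary request code

    // Call immediately before every protected operation: the user may have
    // revoked the permission since the last time it was checked.
    void showContactCountIfPermitted() {
        if (checkSelfPermission(Manifest.permission.READ_CONTACTS)
                == PackageManager.PERMISSION_GRANTED) {
            showContactCount();
        } else {
            // Shows the system dialog; the answer arrives asynchronously below.
            requestPermissions(new String[] {Manifest.permission.READ_CONTACTS},
                    REQUEST_READ_CONTACTS);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQUEST_READ_CONTACTS) {
            return;
        }
        // An empty result array means the dialog was cancelled: treat as denied.
        if (grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            showContactCount();
        } else {
            Toast.makeText(this, "Contacts unavailable", Toast.LENGTH_SHORT).show();
        }
    }

    // The operation that needs the dangerous permission.
    private void showContactCount() {
        try (Cursor c = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, null, null, null, null)) {
            int count = (c == null) ? 0 : c.getCount();
            Toast.makeText(this, count + " contacts", Toast.LENGTH_SHORT).show();
        }
    }
}
```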
© University of Southampton 2017