Sharing information securely between two signed apps

Some time ago we needed to set up secure communication of information between two applications on an Android device. One of the requirements was that the management should be done by the operating system. After researching the possibilities, we decided to declare a permission in AndroidManifest.xml and tag it with the android:protectionLevel attribute, which identifies the risk and warns the user about it when the application is installed, and also determines the procedure the system follows when managing the application.

<permission android:name="permissionName" android:protectionLevel="levelofprotection" />

There are four different types of protection levels:

    • Normal: All permissions have this level by default. It poses no risk to the system or the user, as the permission only allows the application to access its own resources. As there is no implicit risk, the system grants access by default without displaying anything to the user.

<permission android:name="permissionName" android:protectionLevel="normal" />

    • Dangerous: This is the riskiest level for the device and the user; permissions using this level usually request private user information. Permissions of this type are displayed explicitly and require confirmation from the user, as they access private information.

<permission android:name="permissionName" android:protectionLevel="dangerous" />

This is how permissions of this type are displayed to the user when they require confirmation:

[Image: permissions are displayed]

    • Signature: In this case the permission only gives access if the application requesting access to the resources is signed with the same credentials as the application that declares the permission.

<permission android:name="permissionName" android:protectionLevel="signature" />

    • Signature or system: This level gives access to applications that have the same credentials, like the previous one, or that are in the system image.

<permission android:name="permissionName" android:protectionLevel="signatureOrSystem" />

We used the third one (signature). With it, one application can access the other's resources only if both applications were signed with the same credentials. This prevents third-party applications from accessing the information we exposed in the application resources, without using public places of the system such as a ContentProvider, and without the application that wants to access the resource having to listen for a BroadcastReceiver event until the other application sends the information.
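The setup described above, written out as the two manifests involved. This is an added example, not code from the original post: the package names, the permission name and the SharedDataService component are hypothetical, and using a bound service as the protected component is an assumption, since the post does not say which component was protected.

```xml
<!-- App A (provider) AndroidManifest.xml. All names are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.provider">

    <!-- Declare the custom permission. With protectionLevel="signature" the
         system grants it only to apps signed with the same certificate as
         the app that declares it. -->
    <permission
        android:name="com.example.provider.permission.READ_SHARED_DATA"
        android:protectionLevel="signature" />

    <application>
        <!-- Exported so that another app can bind to it, but guarded by
             android:permission: the system rejects any caller that does not
             hold the permission. Leaving android:permission out here would
             open the service to every app on the device. -->
        <service
            android:name=".SharedDataService"
            android:exported="true"
            android:permission="com.example.provider.permission.READ_SHARED_DATA" />
    </application>
</manifest>

<!-- App B (consumer) AndroidManifest.xml, signed with the same key as App A. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.consumer">

    <!-- Request the permission. It is granted at install time, without a
         prompt, only because the signing certificates match; an app signed
         with a different key that requests it is not granted it. -->
    <uses-permission
        android:name="com.example.provider.permission.READ_SHARED_DATA" />
</manifest>
```

Use a permission name under a package prefix you control, so that it does not collide with a permission declared by another app.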

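In addition, here is how to obtain a permission's protectionLevel programmatically:

// name is the permission name; getPermissionInfo throws PackageManager.NameNotFoundException if it is not defined
getApplicationContext().getPackageManager().getPermissionInfo(name, 0).protectionLevel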
