Discussion:
[android-security-discuss] Issue in accessing content provider which is protected by custom permission
senthilnathan subramanian
2016-11-22 20:06:05 UTC
I have a content provider class implemented as a static Java library, and
App-A is linking to the library and storing the data in the provider.
App-A is defining the content provider in its manifest as below with
custom read and write permissions. Everything is fine with App-A.

APP-A Manifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.Arithmetic.app">

    <uses-sdk
        android:minSdkVersion="16"
        android:targetSdkVersion="23" />

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">

        <activity android:name=".MyArithmeticActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <permission
            android:name="com.example.database.MyContentProvider.READ"
            android:label="MyContentProvider_READ_label"
            android:protectionLevel="normal"/>

        <permission
            android:name="com.example.database.MyContentProvider.WRITE"
            android:label="MyContentProvider_WRITE_label"
            android:protectionLevel="normal"/>

        <provider android:name="com.example.database.MyContentProvider"
            android:authorities="com.example.database.MyContentProvider"
            android:enabled="true"
            android:exported="true"
            android:grantUriPermissions="true"
            android:protectionLevel="normal"
            android:readPermission="com.example.database.MyContentProvider.READ"
            android:writePermission="com.example.database.MyContentProvider.WRITE" />
    </application>
</manifest>


And in App-B, I want to access the content provider
(com.example.database.MyContentProvider) so I have included that custom
permission in the App-B manifest as below.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.equation.android.helloword"
    android:versionCode="1"
    android:versionName="1.0" >

    <uses-sdk
        android:minSdkVersion="16"
        android:targetSdkVersion="23" />

    <uses-permission
        android:name="com.example.database.MyContentProvider.READ"/>
    <uses-permission
        android:name="com.example.database.MyContentProvider.WRITE"/>

    <application
        android:allowBackup="true"
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme" >

        <activity
            android:name="com.equation.android.helloword.MainActivity"
            android:label="@string/title_activity_main" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>


But when App-B accesses the content provider, the security exception below
is thrown at run time. What am I doing wrong? Just for testing, if I change
the permission of the content provider to any of the system-defined
permissions (e.g. android.permission.READ_USER_DICTIONARY) as below, App-B
is able to access the provider using the
android.permission.READ_USER_DICTIONARY permission. Similarly, if App-A
doesn't define any permission for the content provider, App-B is able to
access the provider (expected, obviously). So why is App-B NOT able to
access the provider when it's protected by a custom permission?

<provider android:name="com.example.database.MyContentProvider"
    android:authorities="com.example.database.MyContentProvider"
    android:enabled="true"
    android:exported="true"
    android:grantUriPermissions="true"
    android:protectionLevel="normal"
    android:readPermission="android.permission.READ_USER_DICTIONARY"
    android:writePermission="android.permission.READ_USER_DICTIONARY" />

The exception I get from App-B when it's accessing the content provider is below.

01-01 02:20:14.381 4594 4594 E AndroidRuntime: FATAL EXCEPTION: main
01-01 02:20:14.381 4594 4594 E AndroidRuntime: Process: com.equation.android.helloword, PID: 4594
01-01 02:20:14.381 4594 4594 E AndroidRuntime: java.lang.SecurityException: Permission Denial: opening provider com.example.database.MyContentProvider from ProcessRecord{734d867 4594:com.equation.android.helloword/u0a88} (pid=4594, uid=10088) requires com.example.database.MyContentProvider.READ or com.example.database.MyContentProvider.WRITE

My development environment is Android M, SDK version 23.

Regards,
Senthil.
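
Added example, not part of the original post: the App-A manifest above nests its <permission> elements inside <application>, while the Android manifest format defines <permission> as a direct child of <manifest>, so a nested declaration does not define the permission the provider names. The Python check below flags that layout; lint_manifest and the condensed sample manifest are constructed for illustration, and it assumes a custom permission is meant to be declared in the same manifest that uses it.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a condensed manifest with the same layout as App-A's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.Arithmetic.app">
    <application android:label="demo">
        <permission
            android:name="com.example.database.MyContentProvider.READ"
            android:protectionLevel="normal" />
        <provider
            android:name="com.example.database.MyContentProvider"
            android:authorities="com.example.database.MyContentProvider"
            android:exported="true"
            android:readPermission="com.example.database.MyContentProvider.READ"
            android:writePermission="com.example.database.MyContentProvider.WRITE" />
    </application>
</manifest>
"""


def lint_manifest(xml_text):
    """Return (kind, permission_name, where) findings for a manifest string."""
    root = ET.fromstring(xml_text)
    # Only <permission> elements directly under <manifest> count as declared.
    declared = {p.get(ANDROID + "name") for p in root.findall("permission")}
    findings = []
    # <permission> nested under any other element (e.g. <application>).
    for parent in root.iter():
        if parent is root:
            continue
        for perm in parent.findall("permission"):
            findings.append(("misplaced-permission",
                             perm.get(ANDROID + "name"), parent.tag))
    # Providers guarded by a custom permission with no manifest-level declaration.
    for provider in root.iter("provider"):
        for attr in ("permission", "readPermission", "writePermission"):
            name = provider.get(ANDROID + attr)
            # Assumption: android.* names are platform permissions, skip them.
            if name and not name.startswith("android.") and name not in declared:
                findings.append(("undeclared-permission", name, attr))
    return findings


if __name__ == "__main__":
    for finding in lint_manifest(SAMPLE_MANIFEST):
        print(finding)
```

An "undeclared-permission" finding can also mean the permission is defined by a different package, so treat it as something to review rather than a definite error.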