Sharing information securely between two signed apps

Some time ago we needed to set up secure communication of information between two applications on an Android device. One of the requirements was that the management should be done by the operating system. After researching the possibilities, we decided to declare a permission in AndroidManifest.xml and tag it with an android:protectionLevel attribute, which identifies the risk and warns the user about it when the application is installed, and also determines the procedure the system follows when managing the application.

<permission android:name="permissionName" android:protectionLevel="levelofprotection" />

There are four different types of protection levels:

    • Normal: All permissions have this level by default. It poses no risk to the system or the user, as the permission only allows the application to access its own resources. As there is no implicit risk, the system grants access by default without displaying anything to the user.
<permission android:name="permissionName" android:protectionLevel="normal" />
    • Dangerous: This is the riskiest level for the device and the user; permissions using this level usually request private user information. Permissions of this type are displayed explicitly and require confirmation from the user, as they give access to private information.
<permission android:name="permissionName" android:protectionLevel="dangerous" />

This is how permissions of this type are displayed to the user when they require confirmation:

[Image: Permissions are displayed]

    • Signature: In this case the permission only gives access if the application requesting access to the resources is signed with the same credentials as the application that declares the permission.
<permission android:name="permissionName" android:protectionLevel="signature" />
    • Signature or system: This level gives access to applications that have the same credentials, like the previous one, or that are in the system image.
<permission android:name="permissionName" android:protectionLevel="signatureOrSystem" />

We used the third one (signature). With it, one application could access the other's resources only if both applications were signed with the same credentials. This prevents third-party applications from accessing the information we were exposing in the application resources, without using public places in the system such as a ContentProvider, and without requiring the application that wants to access the resource to listen for a BroadcastReceiver event until the other application sends the information.

In addition, here is how to obtain the protectionLevel of a permission programmatically:

getApplicationContext().getPackageManager().getPermissionInfo(name, 0).protectionLevel
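The lookup above can be turned into a fail-closed runtime check in the app that exposes the data. This is an added example, not code from the original post: the class name, the permission name and the use of a Binder-dispatched entry point (for example a bound Service) are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.PermissionInfo;
import android.os.Binder;
import android.os.Process;

/** Hypothetical helper for the app that declares the permission and exposes the data. */
public final class SignaturePermissionCheck {

    // Assumed permission name; use the one declared in your own AndroidManifest.xml.
    static final String PERMISSION = "com.example.provider.permission.SHARE_DATA";

    private SignaturePermissionCheck() {}

    /**
     * Call from inside a Binder-dispatched method (assumption: a bound Service),
     * where Binder.getCallingUid() identifies the calling app.
     */
    public static boolean isTrustedCaller(Context context) {
        PackageManager pm = context.getPackageManager();
        PermissionInfo info;
        try {
            info = pm.getPermissionInfo(PERMISSION, 0);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // permission not defined on this device: fail closed
        }

        // protectionLevel also carries flag bits, so compare only the base level.
        int base = info.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE;
        if (base != PermissionInfo.PROTECTION_SIGNATURE) {
            return false; // the definition in effect is not signature-level
        }

        // The definition in effect must be the one from this app's manifest,
        // not a same-named permission declared by another package.
        if (!context.getPackageName().equals(info.packageName)) {
            return false;
        }

        // Finally, compare the caller's signing certificate with our own.
        int callerUid = Binder.getCallingUid();
        return pm.checkSignatures(Process.myUid(), callerUid)
                == PackageManager.SIGNATURE_MATCH;
    }
}
```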

About Luis Revilla

Full Stack Developer / DevOps in love with CLEAN architectures. I love automating and Dockerizing 🐋 everything. I'm probably up in the clouds ⛅️⛅️ (Google Cloud, AWS and Azure)
