Geek Answers Handbook

When checking permissions dynamically in Android apps

Following the previous question regarding android permissions at runtime, I found that there are many different ways in android that an application can check with the calling (client) application. This includes calls like checkCallingPermission, checkCallingOrSelfPermission, checkCallingUriPermission, checkCallingOrSelfUriPermission, checkPermission, checkUriPermission. Since I went through the android documentation , I can only find these calls related to checking permissions at runtime. My questions:

  • Is there another way (instead of using the above calls) to check caller permissions dynamically? If there are such calls, please provide information / links or list them.
  • Description checkCallingOrSelfPermission says

it provides your own permissions if you are not currently processing IPC. Use with care !

This seems risky because it can facilitate the delegation of (dangerous) permissions to the calling process, which can lead to escalation of privileges (if used carelessly). Please let me know if I say correctly that this can lead to an escalation of privileges.

  • I could not understand why the process (the running application) checks if it has a certain permission (does he know very well what he has the right to do?). Please let me know the intuition behind the design of this particular method: checkCallingOrSelfPermission. (Assuming this is just why / when do I need to checkCallingOrSelfPermission?)
+3
android android permissions android manifest permissions
source share
1 answer

In Android, there are two types of permission checking mechanisms.

One of them is a dynamic check of execution for each process, and the other is a static check of a package. What you mentioned is everything related to runtime-dynamic, implemented in Context, another version in PackageManager. - checkPermission

That you want to check whether a particular package has a specific permission, checkPermission is the answer. For a more detailed description, there is an article on this topic on the Android developer site. - http://developer.android.com/guide/topics/security/permissions.html#declaring

In many cases, you do not need to use dynamic permissions verification methods, this is only necessary if you work with one provider to exchange some private files with a specific client, remote service or some widgets - something related to the system for providing temporary permissions via Intent or IPC .

And one more question for your previous question about multiple permissions in android: permisson . There is a way that an application defines the list of permissions that they want inside the manifest.

check-in http://developer.android.com/guide/topics/manifest/uses-permission-element.html

+3
source share

More articles:


All Articles