SecurityException: Permission Denial: While launching Activity via explicit intent

Question

I was reading about declaring permissions in activity . According to the documentation

You can use the manifest's tag to control which apps can start a particular activity. A parent activity cannot launch a child activity unless both activities have the same permissions in their manifest. If you declare a element for a particular activity, the calling activity must have a matching element.

To try this out, I created 2 sample Apps. First App will try to directly launch an activity of the second App, using an explicit intent, Also, the Second App will declare a permission for the particular activity which I'm launching from first App.

These are the steps I followed

1. Created 2 Apps (Say Sender And Receiver)
2. Added the permission <uses-permission android:name="permission.SHARE_POST"/> in the Manifest of sender

3. Now , from a button click of Sender App, I'm calling Receivers Activity called ShareActivity as follows

       Intent intent = new Intent();
       intent.setComponent(new ComponentName("basics.android.com.androidbasics","basics.android.com.androidbasics.ShareActivity"));
       startActivity(intent);
   

   NOTE: basics.android.com.androidbasics is the package name of the receiver

4. Below given is the activity declaration in Second App's (Receiver) Manifest

          <activity
           android:name=".ShareActivity"
           android:exported="true"
           android:permission="permission.SHARE_POST"/>
   

Now, when I run both the Apps, and try to lauch ShareActivity from sender, I get the following error

Caused by: java.lang.SecurityException: Permission Denial: starting Intent { cmp=basics.android.com.androidbasics/.ShareActivity } from ProcessRecord{e09a1fc 26267:sender.android.com.sender/u0a925} (pid=26267, uid=10925) requires permission.SHARE_POST

Seems like the sender does't have the permission permission.SHARE_POST yet. But I have already declared it in the manifest of sender. Whats happening here?

Answer 1

Using custom permissions is a fairly advanced thing to do in Android. The basic recipe is:

1. Decide what you want the permission name to be. It needs to be unique on the device. So, permission.SHARE_POST is not a good choice — add a prefix that is tied to your domain name or whatever else it is that you are using as the basis for your apps' applicationId values.
2. In the app that is defending itself with the permission, declare a <permission> element, with an android:name attribute holding the permission name from step #1. Optionally, give it an android:protectionLevel attribute (e.g., signature, so only apps signed by the same signing key can work together).
3. In the app that is defending itself with the permission, add an android:permission attribute on the component (e.g., <activity>), with a value of your permission name from step #1.
4. In the app that is looking to communicate with the app from step #3, add the <uses-permission> attribute, with an android:name attribute holding the permission name from step #1.
5. In both apps, set your minSdkVersion to 21, as there are security problems with custom permissions on older versions.

This will work, if the defender (step #2 and #3) will always be installed before the client (step #4). If you want the apps to be installable in either order, replace step #2 from above with:

2. In both apps, declare a <permission> element, with an android:name attribute holding the permission name from step #1. Optionally, give it an android:protectionLevel attribute (e.g., signature, so only apps signed by the same signing key can work together). Also, ensure that both apps are always signed by the same signing key, as otherwise they cannot both define the same permission.