A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.
The idea is to have a main app for displaying data, and multiple modules supplying the data. Permissions only work with one of the four application components:
ContentProvider is the logical choice for serving data.
Loading sqlite database from resource
It is a bit of a pain to write a ContentProvider, though. Since all I wanted was to test the permissions, I took a shortcut: I followed this tutorial and loaded a sqlite database from resource. To automate the database creation, I wrote a script to load the data from a tab-delimited file.
It took me many tries to get the permissions right. I know that the <provider> needs to request the permission, but where do I declare it? I tried both in the module and the main app, but no luck, the main app could use the ContentProvider no matter how I signed the apps. Turns out it was a stupid error: I declared the permission with the <provider>, inside of the <application> block. It should go outside!
So the formula looks like this:
- Declare the permission in the provider app
- Request the permission in the provider app
- Use the permission in the consumer app
When everything was set up properly, it was very satisfying to see my app throwing java.lang.SecurityException when I signed it with a non-matching certificate.
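A check for the placement mistake described above, as an added example that is not part of the sample code linked from this post: it parses a provider app's manifest and reports a <permission> nested inside <application>, a provider permission that is not declared directly under <manifest>, or one that is not signature-level. The package, provider and permission names are hypothetical, the manifests are constructed, and it assumes the provider app declares the permission itself, as in the formula above.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

def lint_provider_manifest(xml_text):
    """Return findings about custom-permission placement in a provider app's manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    # Only <permission> elements directly under <manifest> count as declared.
    declared = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
                for p in root.findall("permission")}
    for app in root.findall("application"):
        for p in app.iter("permission"):
            findings.append("misplaced: <permission> %s is inside <application>"
                            % p.get(A + "name"))
        for prov in app.findall("provider"):
            name = prov.get(A + "name")
            perms = [prov.get(A + k) for k in
                     ("permission", "readPermission", "writePermission")]
            perms = [p for p in perms if p]
            if not perms:
                findings.append("unprotected: provider %s sets no permission" % name)
            for perm in perms:
                level = declared.get(perm)
                if level is None:
                    findings.append("undeclared: %s is not declared under <manifest>" % perm)
                elif "signature" not in level.split("|"):
                    findings.append("weak: %s has protectionLevel %s" % (perm, level))
    return findings

# Constructed sample manifests; package, provider and permission names are hypothetical.
PERM = ('<permission android:name="com.example.permission.READ_DATA" '
        'android:protectionLevel="signature"/>')
TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.module">
  %s
  <application>
    %s
    <provider android:name=".DataProvider"
        android:authorities="com.example.module"
        android:permission="com.example.permission.READ_DATA"/>
  </application>
</manifest>"""
MISPLACED = TEMPLATE % ("", PERM)   # the mistake described above
CORRECT = TEMPLATE % (PERM, "")     # declaration moved outside <application>

if __name__ == "__main__":
    for label, doc in (("misplaced", MISPLACED), ("correct", CORRECT)):
        print(label, lint_provider_manifest(doc))
```

The consumer app's manifest still needs a matching <uses-permission> entry; this check only covers the provider side.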
I uploaded some sample code to GitHub: http://github.com/chiuki/android-protected-provider. Hope you found it useful!