preface
The difference between uses-permission and permission
Permission Defines permission.
Uses-permission Indicates the permission to apply for
Uses-permission
introduce
Android apps must request access to sensitive user data, such as contacts and text messages, or to certain system functions, such as cameras and Internet access. Each permission is identified by a unique label. For example, applications that need to send SMS messages and access the Internet must include the following lines in the manifest:
<manifest . >
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.INTERNET" />.</manifest>
Copy the codeAdd custom permissions. For example:
<manifest . >
<uses-permission android:name="com.scc.userprovider.permissionread"/>
<uses-permission android:name="com.scc.userprovider.permissionwrite"/>.</manifest>
Copy the codePermissions are not only used to request system functions. You can also limit how other applications interact with your application components. See below for details on how to customize permissions.
Official Permissions
Or go to the end of the article
Permission (custom permission)
introduce
Your application can use declarative security permissions, which can be used to restrict access to specific components or functions of this application or other applications, such as contentProviders.
<permission
android:description="string resource"
android:icon="drawable resource"
android:label="string resource"
android:name="string"
android:permissionGroup="string"
android:protectionLevel=["normal"|"dangerous"|"signature"|.] / >
Copy the codeAndroid :description: permission description. This property must be set to a reference to a string resource.
Such as:
<permission
android:description="Ha ha readable instructions"
./>
Copy the codeAAPT: error: ‘Ha ha readable description’ is incompatible with attribute description (attR) reference
-
Android :icon: indicates a permission icon.
-
Android :label: indicates the name of the permission displayed to the user.
-
Android :name: indicates the name of the reference permission. (For example, in the permission attribute of elements and application components)
-
Android :permissionGroup: Assigns this permission to a group. If this property is not set, the permission does not belong to a group.
-
Android: protectionLevel:
Describes the potential risks implied in permissions and indicates the process the system should follow when deciding whether to grant permissions to applications requesting authorization. The following table lists all basic permission types.
- Normal: default value. Has a low-risk permission. Applications that request authorization at installation time are automatically granted such permissions without the user’s explicit permission (though users can always choose to view these permissions before installation).
- Dangerous: indicates high-risk permissions. Due to the potential risks associated with such permissions, the system may not automatically grant such permissions to applications that request authorization.
- Signature Permission granted by the system only if the application requesting authorization is signed with the same certificate as the application claiming permission. If the certificate matches, the system automatically grants permission to the user without notifying the user or obtaining the user’s explicit permission.
- SignatureOrSystem: Do not use this option, because the Signature protection level should be sufficient for most requirements and should function normally no matter where the application is installed. SignatureOrSystem permissions are used in cases where multiple vendors have applications built into a system image and need to explicitly share specific capabilities because they are built together.
Permission for the sample
Application Demo(com.sc.cp) and other applications (com.sc.ha)
1. Define a permission
<permission android:description="@string/permission_description"
android:icon="@mipmap/ic_launcher"
android:label="permissionLabel"
android:name="com.scc.userprovider.permission"
android:protectionLevel="normal"/>
Copy the code2. Set permissions for the provider component
<provider
android:authorities="com.scc.userprovider"
android:name="com.scc.cp.UserProvider"
android:permission="com.scc.userprovider.permission"
android:exported="true"/>
Copy the code3. Other applications (com.sc. ha) use the UserProvider with the com.sc. cp package and permission
Direct operation without doing anything:
Process: com.scc.ha, PID: 14922
java.lang.SecurityException: Permission Denial: opening provider com.scc.cp.UserProvider from
ProcessRecord{5d7db58 14922:com.scc.ha/u0a889} (pid=14922, uid=10889)
requires com.scc.userprovider.permission or com.scc.userprovider.permission
Copy the codeAn error shows lack of com. SCC. Userprovider. Permission access
If we don’t have access, we apply for access
<uses-permission android:name="com.scc.userprovider.permission"/>
Copy the codeThen you can happily use the provider data in the com.scc.cp package.
Permission Official documents
Permission-group (custom permission group)
introduce
<permission-group
android:description="string resource"
android:icon="drawable resource"
android:label="string resource"
android:name="string" />
Copy the codeThe name of the logical group that declares the related permissions. Each permission is added to the permissionGroup through the element’s permissionGroup attribute. All the members in the permission group are displayed on the page.
Note: This element does not declare the permissions themselves, but only the categories on which permissions can be placed.
The permission-group attribute is similar to permission.
Permission – group sample
Application Demo(com.sc.cp) and other applications (com.sc.ha)
1. Define a permission group
<permission-group
android:name="com.scc.userprovider.permissiongroup"
android:description="@string/userprovider_permission_group_description"
android:icon="@mipmap/ic_launcher"
android:label="GroupLabel"/>
Copy the code2. Add a group
<permission
android:name="com.scc.userprovider.permissionread"
android:description="@string/userprovider_permission_read_description"
android:icon="@mipmap/ic_launcher"
android:label="readLabel"
android:permissionGroup="com.scc.userprovider.permissiongroup"
android:protectionLevel="normal"/>
<permission
android:name="com.scc.userprovider.permissionwrite"
android:description="@string/userprovider_permission_write_description"
android:icon="@mipmap/ic_launcher"
android:label="writeLabel"
android:permissionGroup="com.scc.userprovider.permissiongroup"
android:protectionLevel="normal"/>
Copy the code3. Set permissions for the provider component
<provider
android:authorities="com.scc.userprovider"
android:name="com.scc.cp.UserProvider"
android:writePermission="com.scc.userprovider.permissionwrite"
android:readPermission="com.scc.userprovider.permissionread"
android:exported="true"/>
Copy the code4. Other applications (com.sc. ha) use the UserProvider with the com.sc. cp package and permission
Doing nothing directly will also report the above lack of permission error.
Let’s get permission first
<uses-permission android:name="com.scc.userprovider.permissionread"/>
<uses-permission android:name="com.scc.userprovider.permissionwrite"/>
Copy the codeThen you can happily use the provider data in the com.scc.cp package.
Permission-group Official document
Qi Huo, where the question, welcome guidance.
Allows the calling application to keep track of calls initiated in another application.
ACCESS_BACKGROUND_LOCATION: allows applications to access the location in the background.
ACCESS_BLOBS_ACROSS_USERS: Allows applications to access data bloBs across users. 31 new API
ACCESS_CHECKIN_PROPERTIES: Allows read/write access to the Properties table in the check-in database to change uploaded values.
ACCESS_COARSE_LOCATION: Allows the application to access the approximate location.
ACCESS_FINE_LOCATION: allows the application to access the exact location.
ACCESS_LOCATION_EXTRA_COMMANDS: Allows applications to access additional location provider commands.
ACCESS_MEDIA_LOCATION: Allows an application to access any geographic location stored in a user’s shared collection.
ACCESS_NETWORK_STATE: Allows applications to access information about the network.
ACCESS_NOTIFICATION_POLICY: Flag permission for applications that want to access notification policies.
ACCESS_WIFI_STATE: Allows applications to access information about the Wi-Fi network.
ACCOUNT_MANAGER: Allows the application to call AccountAuthenticators.
ACTIVITY_RECOGNITION: Allows applications to recognize physical activity.
ADD_VOICEMAIL: allows an application to add voice mail to the system.
ANSWER_PHONE_CALLS: Allows the application to answer incoming calls.
BATTERY_STATS: Allows an application to collect battery statistics
The level of protection: signature | ring | development
BIND_ACCESSIBILITY_SERVICE: Must be AccessibilityService to ensure that only the system can bind to it.
BIND_APPWIDGET: Allows an application to tell the AppWidget service which application can access the AppWidget’s data.
BIND_AUTOFILL_SERVICE: Must be AutofillService to ensure that only the system can bind to it.
BIND_CALL_REDIRECTION_SERVICE: Must be CallRedirectionService to ensure that only the system can bind to it.
BIND_CARRIER_MESSAGING_CLIENT_SERVICE: CarrierMessagingClientService must use the rights protection of subclasses.
BIND_CARRIER_SERVICES: System processes that are allowed to bind to services in carrier applications have this permission.
BIND_CHOOSER_TARGET_SERVICE: This constant is deprecated at API level 30. You can use the Sharing Shortcuts API.
Bind_self-expressive DEVICe_service: Must be required by any self-expressive Deviceservices to ensure only the system can be bound to it. 31 new API
BIND_CONDITION_PROVIDER_SERVICE: must be ConditionProviderService, to ensure that only the system can bind to it.
BIND_CONTROLS: Allows SystemUI to request third-party controls.
BIND_DEVICE_ADMIN: The device must manage the sink requirements to ensure that only the system can interact with them.
BIND_DREAM_SERVICE: Must be DreamService to ensure that only the system can bind to it.
BIND_INCALL_SERVICE: Must be InCallService to ensure that only the system can bind to it.
BIND_INPUT_METHOD: Must be InputMethodService to ensure that only the system can bind to it.
BIND_MIDI_DEVICE_SERVICE: Must be MidiDeviceService to ensure that only the system can bind to it.
BIND_NFC_SERVICE: must be HostApduService or require OffHostApduService to ensure that only the system can bind to it.
BIND_NOTIFICATION_LISTENER_SERVICE: must be NotificationListenerService, to ensure that only the system can bind to it.
BIND_PRINT_SERVICE: Must be PrintService to ensure that only the system can bind to it.
BIND_QUICK_ACCESS_WALLET_SERVICE: QuickAccessWalletService must be required by A to ensure that only the system can bind to it.
BIND_QUICK_SETTINGS_TILE: allows applications to bind to third party quick Settings tiles.
BIND_REMOTEVIEWS: Must be RemoteViewsService to ensure that only the system can bind to it.
BIND_SCREENING_SERVICE: Must be CallScreeningService to ensure that only the system can bind to it.
BIND_TELECOM_CONNECTION_SERVICE: Must be a ConnectionService to ensure that only the system can bind to it.
BIND_TEXT_SERVICE: Must be required by TextService (such as SpellCheckerService) to ensure that only the system can bind to it.
BIND_TV_INPUT: Must be required by TvInputService to ensure that only the system can bind to it.
BIND_VISUAL_VOICEMAIL_SERVICE: VisualVoicemailService must be requested by the link to ensure that only the system can bind to it.
BIND_VOICE_INTERACTION: Must be VoiceInteractionService to ensure that only the system can bind to it.
BIND_VPN_SERVICE: Must be VpnService to ensure that only the system can bind to it.
BIND_VR_LISTENER_SERVICE: Must be VrListenerService to ensure that only the system can bind to it.
BIND_WALLPAPER: Must be WallpaperService to ensure that only the system can bind to it.
BLUETOOTH: Allows applications to connect to paired BLUETOOTH devices.
BLUETOOTH_ADMIN: allows applications to discover and pair Bluetooth devices.
BLUETOOTH_ADVERTISE: need to be able to advertise to nearby Bluetooth devices. 31 new API
BLUETOOTH_CONNECT: Need to be able to connect to paired Bluetooth devices. 31 new API
BLUETOOTH_PRIVILEGED: Allows applications to pair Bluetooth devices without user interaction and allows or disables phone book access or message access.
BLUETOOTH_SCAN: Need to be able to find and pair nearby Bluetooth devices. 31 new API
BODY_SENSORS: Allows apps to access data from sensors that users use to measure things happening inside their bodies, such as heart rate.
BROADCAST_PACKAGE_REMOVED: Allows an application to broadcast notification that an application package has been removed.
BROADCAST_SMS: allows applications to broadcast SMS to receive notifications.
BROADCAST_STICKY: allows applications to broadcast sticky intents.
BROADCAST_WAP_PUSH: allows applications to broadcast WAP pushes to receive notifications.
Call_self-expressive APP: The application that implements InCallServiceAPI is eligible to be enabled as a companion application for the call.
CALL_PHONE: allows the application to initiate a phone call without going through the dialer user interface for the user to confirm the call.
CALL_PRIVILEGED: Allows the application to call any phone number, including emergency numbers, without having the user confirm the call being dialed through the dialer user interface.
CAMERA: You need to be able to access CAMERA equipment.
CAPTURE_AUDIO_OUTPUT: allows an application to capture audio output.
CHANGE_COMPONENT_ENABLED_STATE: Allows an application to change whether to enable application components (other than its own components).
CHANGE_CONFIGURATION: Allows applications to modify current configurations, such as the locale.
CHANGE_NETWORK_STATE: Allows applications to change network connection state.
CHANGE_WIFI_MULTICAST_STATE: Allows applications to enter Wi-Fi multicast mode.
CHANGE_WIFI_STATE: allows applications to change wi-fi connection status.
CLEAR_APP_CACHE: allows applications to clear the cache of all installed applications on the device.
CONTROL_LOCATION_UPDATES: Allows enabling/disabling location update notifications from radio.
DELETE_CACHE_FILES: Removes the old permissions on the application cache files and is no longer used, but the signal tells us to quietly ignore the call rather than throw an exception.
DELETE_PACKAGES: allows applications to remove packages.
DIAGNOSTIC: Allows applications to read and write DIAGNOSTIC resources.
DISABLE_KEYGUARD: Allows applications to disable keyboard locks in unsafe situations.
DUMP: Allows applications to retrieve state DUMP information from system services.
EXPAND_STATUS_BAR: allows an application to expand or collapse the status bar.
FACTORY_TEST: Runs as a manufacturer test application, running as root.
FOREGROUND_SERVICE: Allows regular applications to use service.startforeground.
GET_ACCOUNTS: Allows access to a list of accounts in the account service.
GET_ACCOUNTS_PRIVILEGED: Allows access to the account list in the account service.
GET_PACKAGE_SIZE: allows the application to find out the space used by any package.
GLOBAL_SEARCH: This permission can be used by content providers to allow global search systems to access their data.
HIDE_OVERLAY_WINDOWS: allows applications to prevent non-system overwrite Windows from being drawn on it. 31 new API
HIGH_SAMPLING_RATE_SENSORS: Allows applications to access sensor data at sampling rates greater than 200 Hz. 31 new API
INSTALL_LOCATION_PROVIDER: allows applications to install location providers into the location manager.
INSTALL_PACKAGES: Allows application installation packages.
INSTALL_SHORTCUT: Allows an application to install shortcuts in the Launcher.
INSTANT_APP_FOREGROUND_SERVICE: allows applications to create foreground services without installation.
INTERACT_ACROSS_PROFILES: Allows interaction between profiles in the same profile group.
INTERNET: Allows applications to open network sockets.
KILL_BACKGROUND_PROCESSES: ActivityManager allows the application to call killBackgroundProcesses (String).
LOADER_USAGE_STATS: Allows the data loader to read the access log of the package.
LOCATION_HARDWARE: Allows applications to use location features in hardware, such as geofencing apis.
MANAGE_DOCUMENTS: Allows applications to manage access to documents, usually as part of a document selector.
MANAGE_EXTERNAL_STORAGE: Allows applications extensive access to external storage in the scope store.
MANAGE_MEDIA: Allows applications to modify and delete media files on this device or any connected storage device without user approval. 31 new API
MANAGE_ONGOING_CALLS: Allows you to query details about ongoing calls and manage ongoing calls. API 31 is new. The level of authority: signature | appop
MANAGE_OWN_CALLS: Allows calling applications to manage their own calls through the self-managed ConnectionServiceAPI.
MASTER_CLEAR: not available for third-party applications.
MEDIA_CONTENT_CONTROL: Allows the application to know what is being played and control its playback.
MODIFY_AUDIO_SETTINGS: Allows applications to modify global audio Settings.
MODIFY_PHONE_STATE: Allows to change the phone state – power-on, MMI, etc.
MOUNT_FORMAT_FILESYSTEMS: file system that allows formatting of removable storage.
MOUNT_UNMOUNT_FILESYSTEMS: allows file systems to be installed and uninstalled for removable storage.
NFC: Allows applications to perform I/O operations through NFC.
NFC_PREFERRED_PAYMENT_INFO: allows an application to receive NFC preferred payment service information.
NFC_TRANSACTION_EVENT: Allows applications to receive NFC transaction events.
PACKAGE_USAGE_STATS: Allows applications to collect component usage statistics
Declaring permissions means the intent to use the API, and device users can set up applications to grant permissions.
PROCESS_OUTGOING_CALLS: This constant is deprecated at API level 29. Applications should broadcast CallRedirectionService instead of Intent.action_new_outgoing_call.
QUERY_ALL_PACKAGES: Allows you to query any common application on the device, regardless of the manifest declaration.
READ_CALENDAR: Allows the application to read the user’s calendar data.
READ_CALL_LOG: allows applications to read call records of users.
READ_CONTACTS: Allows the application to read the user’s contact data.
READ_EXTERNAL_STORAGE: allows applications to read from external storage.
READ_LOGS: Allows applications to read low-level system log files.
READ_PHONE_NUMBERS: indicates the phone number that can be read from the device.
READ_PHONE_STATE: Allows read-only access to the phone state, including the current cellular network information, the status of any ongoing calls, and a list of any S registered on the PhoneAccount device.
READ_PRECISE_PHONE_STATE: Allows read-only access to the precise state of the mobile phone.
READ_SMS: Allows applications to read SMS messages.
READ_SYNC_SETTINGS: Allows applications to read synchronization Settings.
READ_SYNC_STATS: Allows applications to read synchronization statistics.
READ_VOICEMAIL: allows the application to read voice mail in the system.
REBOOT: Restart the device.
RECEIVE_BOOT_COMPLETED: Indicates that the Intent.ACTION_BOOT_COMPLETED is allowed to receive broadcasts after the system starts.
RECEIVE_MMS: allows applications to monitor incoming MMS messages.
RECEIVE_SMS: Allows applications to receive SMS messages.
RECEIVE_WAP_PUSH: Allows applications to receive WAP push messages.
RECORD_AUDIO: Allows an application to record audio.
REORDER_TASKS: Allows an application to change the Z-order of tasks.
Request_self-expressive PROFile_watch: The application is allowed to companion the device with the self-expressive devicemanager as the watch. API 31 is new. Permission level: Normal
Request_self-expressive _RUN_IN_BACKGROUND: The companion application is allowed to run in the background.
Request_start_foreground_services_from_background: indicates that the companion application is allowed to start the foreground service from the background. 31 new API
Request_use_data_in_background: indicates that the companion application is allowed to use data in the background.
REQUEST_DELETE_PACKAGES: allows applications to request package removal.
REQUEST_IGNORE_BATTERY_OPTIMIZATIONS: Applications must have permissions to use settings. ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS.
REQUEST_INSTALL_PACKAGES: allows applications to request installation packages.
Request_observe_self-expressive DEVICE_PRESENCE: Allows an application to subscribe to notifications about online status changes for its associated companion devices. 31 new API
REQUEST_PASSWORD_COMPLEXITY: Allows an application to request screen lock complexity and prompt the user to update the screen lock to a certain complexity level.
SCHEDULE_EXACT_ALARM: Allows applications to use precise alarm apis. 31 new API
SEND_RESPOND_VIA_MESSAGE: Allows an application (phone) to send requests to other applications to handle response via message operations during incoming calls.
SEND_SMS: Allows applications to send SMS messages.
SET_ALARM: allows an application to broadcast an Intent to set an alert for the user.
SET_ALWAYS_FINISH: allows the application to control whether the activity is completed immediately when it is put in the background.
SET_ANIMATION_SCALE modifies the global animation scale factor.
SET_DEBUG_APP configures the application for debugging.
SET_PROCESS_LIMIT: Allows an application to set the maximum number of (unwanted) application processes that can run.
SET_TIME: allows applications to set the system time directly.
SET_TIME_ZONE: allows applications to set the system time zone directly.
SET_WALLPAPER: Allows applications to set wallpapers.
SET_WALLPAPER_HINTS: Allows applications to set wallpaper hints.
SIGNAL_PERSISTENT_PROCESSES: Allows application requests to send signals to all persistent processes.
SMS_FINANCIAL_TRANSACTIONS: This constant is deprecated at API level 31. Apis that use this permission are no longer in effect.
START_FOREGROUND_SERVICES_FROM_BACKGROUND: Allows applications to start foreground services from the background at any time.
START_VIEW_PERMISSION_USAGE: Allows the holder permission to start the application using the screen.
STATUS_BAR: Allows applications to turn on, off, or disable the status bar and its ICONS.
SYSTEM_ALERT_WINDOW: allow applications to use WindowManager. LayoutParams. TYPE_APPLICATION_OVERLAY appear in all other applications to create a window at the top of the type.
TRANSMIT_IR: Permission to use infrared transmitter of device (if available).
Uninstall_shortcut Do not use this permission in your application.
UPDATE_DEVICE_STATS: allows applications to update device statistics.
UPDATE_PACKAGES_WITHOUT_USER_ACTION: allow applications to PackageInstaller. SessionParams. SetRequireUserAction (int) application update does not require user action to instructions. 31 new API
USE_BIOMETRIC: allows applications to use the biometric mode supported by the device.
USE_FINGERPRINT: This constant is deprecated at API level 28. The application should request USE_BIOMETRIC instead
USE_FULL_SCREEN_INTENT: Use notification full screen intents for build.version_codes. Q.
USE_ICC_AUTH_WITH_DEVICE_IDENTIFIER: Allows device identifiers to be read and ICC based authentication to be used, such as EAP-AKA. API 31 is new. The level of authority: signature | appop
USE_SIP: allows applications to use SIP services.
UWB_RANGING: Need to be able to cover devices that use ultra broadband. API 31 is new. Permission level: Dangerous
VIBRATE: Allows access to the vibrator.
WAKE_LOCK: Allows the use of PowerManager WakeLocks to prevent processor sleep or screen darkening.
WRITE_APN_SETTINGS: Allows applications to write APN Settings and read sensitive fields of existing APN Settings, such as user and password.
WRITE_CALENDAR: Allows applications to write user calendar data.
WRITE_CALL_LOG: Allows applications to write (but not read) call record data of users.
WRITE_CONTACTS: Allows the application to write the user’s contact data.
WRITE_EXTERNAL_STORAGE: allows applications to write to external storage.
WRITE_GSERVICES: Allows applications to modify Google services maps.
WRITE_SECURE_SETTINGS: Allows applications to read or write security system Settings.
WRITE_SETTINGS: Allows applications to read or write system Settings.
WRITE_SYNC_SETTINGS: Allows applications to write synchronization Settings.
WRITE_VOICEMAIL: allows applications to modify and delete existing voicemail messages in the system.