Activity Permission Enforcement in Android

Activity Permission Enforcement in Android

Permissions can be used to protect application components. An activity is a component that interacts with the user and should be protected. To do that, we can define custom app permissions.

First, we need to declare custom permission in the app manifest file by using <permission> element. To control access to an activity, we can add the android:permission attribute to the activity's declaration.

app/src/main/AndroidManifest.xml (first application)

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">

    <permission android:name="com.example.app.permission.CUSTOM_PERMISSION"
        android:label="Custom permission" android:protectionLevel="normal" />

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".ProtectedActivity"
            android:permission="com.example.app.permission.CUSTOM_PERMISSION">
            <intent-filter>
                <action android:name="com.example.app.CUSTOM_ACTION" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </activity>
    </application>

</manifest>

Now we need to create a second application that will be used to open protected activity of the first application. In the layout XML file we added a Button which will used to open protected activity.

app/src/main/res/layout/activity_main.xml (second application)

<?xml version="1.0" encoding="utf-8"?>
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    tools:context=".MainActivity">

    <Button
        android:id="@+id/myButton"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_centerInParent="true"
        android:text="Open" />

</RelativeLayout>

In the second application, we created an Intent object. We specified its action and category. The permission is checked when activity is started by using startActivity() or startActivityForResult() method.

app/src/main/java/com/example/app/MainActivity.kt (second application)

package com.example.app2

import android.content.Intent
import androidx.appcompat.app.AppCompatActivity
import android.os.Bundle
import kotlinx.android.synthetic.main.activity_main.*

class MainActivity : AppCompatActivity()
{
    override fun onCreate(savedInstanceState: Bundle?)
    {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)
        myButton.setOnClickListener { start() }
    }

    private fun start()
    {
        val intent = Intent()
        intent.action = "com.example.app.CUSTOM_ACTION"
        intent.addCategory("android.intent.category.DEFAULT")
        startActivity(intent)
    }
}

The SecurityException is thrown if the caller doesn't have the required permission.

java.lang.SecurityException: Permission Denial: starting Intent ...
requires com.example.app.permission.CUSTOM_PERMISSION

To request a permission, a second application must include a <uses-permission> element in its manifest file.

app/src/main/AndroidManifest.xml (second application)

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">

    <uses-permission android:name="com.example.app.permission.CUSTOM_PERMISSION" />

    <application>
        ...
    </application>

</manifest>

Leave a Comment

Cancel reply

Your email address will not be published.