System Permission Management

https://developer.android.com/guide/topics/security/permissions.html

Android is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID). Parts of the system are also separated into distinct identities. Linux thereby isolates applications from each other and from the system.

Additional finer-grained security features are provided through a "permission" mechanism that enforces restrictions on the specific operations that a particular process can perform, and per-URI permissions for granting ad hoc access to specific pieces of data.

Security Architecture


A central design principle of the Android security architecture is that, by default, no application has any permission that could adversely affect other applications, the system, or the user. If an app wants to use such a permission, it must request it, and it can only use it after the user has granted it.

Application Signing


All APKs (.apk files) must be signed with a certificate whose private key is held by their developer. This certificate identifies the author of the application.

User IDs and File Access


At install time, Android gives each package a distinct Linux user ID. The identity remains constant for the duration of the package's life on that device. On a different device, the same package may have a different UID; what matters is that each package has a distinct UID on a given device.

Any data stored by an application will be assigned that application's user ID, and is not normally accessible to other packages. When creating a new file with [getSharedPreferences(String, int)](https://developer.android.com/reference/android/content/Context.html#getSharedPreferences(java.lang.String, int)), [openFileOutput(String, int)](https://developer.android.com/reference/android/content/Context.html#openFileOutput(java.lang.String, int)), or [openOrCreateDatabase(String, int, SQLiteDatabase.CursorFactory)](https://developer.android.com/reference/android/content/Context.html#openOrCreateDatabase(java.lang.String, int, android.database.sqlite.SQLiteDatabase.CursorFactory)), you can use the MODE_WORLD_READABLE and/or MODE_WORLD_WRITEABLE flags to allow any other package to read/write the file.

Using Permissions


To make use of protected features of the device, you must include one or more <uses-permission> tags in your app manifest.

Normal and Dangerous Permissions

Permissions are divided into normal permissions and dangerous permissions (there is also a special category, special permissions, which includes SYSTEM_ALERT_WINDOW and WRITE_SETTINGS and is rarely needed). Normal permissions (Normal permissions cover areas where your app needs to access data or resources outside the app's sandbox, but where there's very little risk to the user's privacy or the operation of other apps.) do not need to be declared in the AndroidManifest.xml file; the system grants them to you by default. Dangerous permissions (Dangerous permissions cover areas where the app wants data or resources that involve the user's private information, or could potentially affect the user's stored data or the operation of other apps.) must be declared in the AndroidManifest.xml file, and depending on the API level there are two cases:

  • If the device is running Android 6.0 (API level 23) or higher, and the app's targetSdkVersion is 23 or higher, the app requests permissions from the user at run-time. The user can revoke the permissions at any time, so the app needs to check whether it has the permissions every time it runs.
  • If the device is running Android 5.1 (API level 22) or lower, or the app's targetSdkVersion is 22 or lower, the system asks the user to grant the permissions when the user installs the app. If you add a new permission to an updated version of the app, the system asks the user to grant that permission when the user updates the app. Once the user installs the app, the only way they can revoke the permission is by uninstalling the app.

Permission Groups

All dangerous Android system permissions belong to permission groups. If the device is running Android 6.0 (API level 23) and the app's targetSdkVersion is 23 or higher, the following system behavior applies when your app requests a dangerous permission:

  • If an app requests a dangerous permission listed in its manifest, and the app does not currently have any permissions in the permission group, the system shows a dialog box to the user describing the permission group that the app wants access to. The dialog box does not describe the specific permission within that group.
  • If an app requests a dangerous permission listed in its manifest, and the app already has another dangerous permission in the same permission group, the system immediately grants the permission without any interaction with the user.

There are 9 permission groups in total: CALENDAR, CAMERA, CONTACTS, LOCATION, MICROPHONE, PHONE, SENSORS, SMS, STORAGE.

Defining and Enforcing Permissions


To enforce your own permissions, you must first declare them in your AndroidManifest.xml using one or more <permission> elements.

Custom permission recommendations

Apps can define their own custom permissions and request custom permissions from other apps by defining <uses-permission> elements.

Enforcing Permissions in AndroidManifest.xml

This section mainly covers when permissions are checked for Activity, Service, BroadcastReceiver and ContentProvider components. ContentProvider additionally has a special kind of permission, URI permissions.
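Enforcing a custom permission in code and granting ad hoc URI access, as an added example that is not part of the original page: a Service that checks the caller's permission on each Binder transaction, plus a helper that shares one document through a temporary URI grant instead of exporting the provider. The permission name, service, package name and transaction code are assumptions.

```java
import android.app.Service;
import android.content.Intent;
import android.net.Uri;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

public class ReportService extends Service {
    // Assumed custom permission; it must be declared with a <permission> element in
    // this app's manifest (protectionLevel "signature" if only same-developer apps
    // should ever hold it).
    static final String PERM_READ_REPORTS = "com.example.permission.READ_REPORTS";
    static final int TX_READ = IBinder.FIRST_CALL_TRANSACTION;

    // Binder transactions are the real IPC entry points: only inside onTransact()
    // does Binder.getCallingUid() identify the remote client, so enforce there.
    private final class ReportBinder extends Binder {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TX_READ) {
                return super.onTransact(code, data, reply, flags);
            }
            // Throws SecurityException if the caller lacks the permission, and also
            // when there is no remote caller (unlike the ...OrSelf variant), so this
            // process cannot be used as a confused deputy for its own privileges.
            enforceCallingPermission(PERM_READ_REPORTS, "reading reports");
            reply.writeString("report for uid " + Binder.getCallingUid());
            return true;
        }
    }

    @Override
    public IBinder onBind(Intent intent) {
        // android:permission on the <service> element is checked by the system at
        // bind time; the in-code check above additionally covers every transaction.
        return new ReportBinder();
    }
    // Ad hoc access to one document: grant the receiver a temporary, read-only URI
    // permission instead of exporting the whole ContentProvider. The provider must
    // set android:grantUriPermissions="true" (or list <grant-uri-permission> paths).
    static Intent viewIntentFor(Uri doc, String viewerPackage) {
        Intent i = new Intent(Intent.ACTION_VIEW, doc);
        i.setPackage(viewerPackage);  // pin the recipient so no other app can receive the grant
        i.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);  // read only: no write flag
        return i;
    }
}
```

The URI grant lasts only while the receiving component is alive, so the document never becomes readable to every package the way a world-readable file or an exported provider would.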
