2011-06-18

Android Permission Handling

This article is part 9 of 11 in the series Android Development
  1. Android Development: Database Upgrades
  2. Android Development: Missing API
  3. (Not) Integrating Application with Intents
  4. Android Activity Lifecycle
  5. URI Matching in Android’s IntentFilters
  6. Android Intent Sender Verification
  7. Android Jittery Scrolling Gallery
  8. Encryption on Android & BouncyCastle
  9. Android Permission Handling
  10. ContentProvider Curses Cursor
  11. ContentProvider Wasted Potential

Android includes a system for granting permissions that’s quite flexible and great in many ways. In other ways, it’s terrible. Let me run you through that.

Access Control Basics

When we’re talking about permissions, it makes sense to briefly talk about access control — that is, authorization in security terms1. Access control is a term very much used in the context of file systems, and it’s that context that also illustrate just how simple or complex you can make things:

  • Primitive file systems may have no access control, and everybody can read, write and modify anything.
  • Not even the old DOS file system is that primitive: files here have attributes, and the attributes determine whether or not you can e.g. write to a file. Unfortunately, DOS has no concept of authentication, therefore everyone also has the right to alter file attributes, making the DOS file system unsuitable for actual access control. If you have access to the access control system, you have access to everything.
  • UNIX file systems include a simple authentication component, in that in addition to attributes, files also have an owner and a user group. There are then three groups of attributes: one set for the owner, one for the group, and one for everyone who is not the owner nor in the group. UNIX systems also include the concept of a superuser who has access to everything at all times. With that, a lot of access control management is possible.
  • More advanced UNIX file systems then contain something called access control lists (or ACLs for short). They’re some extended meta-data that can list attributes for more individual users or user groups, finally allowing for very fine-grained control over who to grant access to which file.

But there’s one thing not even the most complex of ACL-based systems offer: the attributes that can be set per individual or group are fixed and have fixed semantics: you can read, write, or execute a file, or any combination of those bits. There’s (usually) no way to, say, allow appending to a file but no other write access.

This is a design choice in file systems, and you can argue all day about whether or not it’s good. The important points to take away are:

  1. The amounts of different types of access are regulated by the operating system.
  2. The semantics of what a given access type means are regulated by the operating system.

From a certain point of view, that’s also as it should be: after all, files are resources under the operating system’s control, and it only makes sense for the entity that has control to manage how to grant access to other participants in a system.

Android Permissions: The Good

Android’s designers have realized that they’re not so much dealing with access to data in their operating system, but with access to functionality. As the software that provides a given functionality is controlled by third party contributors, and the software that makes use of such functionality is controlled by a third party, there is simply no way to predict all the different means by which these software packages might interact.

Therefore, in Android, the semantics of a permission are not pre-determined by the operating system.

Instead, a permission in Android is nothing but a free-form string2 and some meta-data:

  • The free-form string acts as an identifier for the permission.
  • The meta-data acts as a description to the end user of the semantics of the permission.

As an example of the above, the android.permission.INTERNET permission grants applications to use networking sockets, and thereby also access the internet (if an internet connection exists).

Now this particular example isn’t necessarily the best because the permission is defined and enforced by the Android operating system. But it’s equally possible for one app to require a newly invented permission from another app before it decides to do something.

Permissions also don’t just grant themselves: the user of a phone explicitly grants permissions to apps they’re using, thereby gaining control over how much trust they assign to software packages.

  1. Authentication establishes who you are, authorization what you’re allowed to do. It’s generally best to consider the two as separate things. []
  2. There are conventions to how the string is to be formed, but they’re not enforced by the operating system []
Pages: 1 2
Next page »
15:03 | Filed under: programming |

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

  • Nicola Tuveri

    Hi! I’ve just come across your blog looking for some info on BouncyCastle and Android.
    I found the entire series very interesting, informative and pleasant to read, and also your other posts are quite interesting, so I’m going to add your RSS feed to my watch list!

    I’ve just a few notes that you may care (or maybe not) about, so that the blog may become more usable/enjoyable:

    1. the current blog design has some issues when used in browser with lower than standard resolutions: I tried to read some of the articles of the series from my Android phone (I tried with the default browser, Firefox and Opera Mobile) but the sidebar on the right partially covers the main section with the articles text. You might want to check width, position and floats attributes for those div.

    2. I’ve seen your domain is IPv6 enabled, but unfortunately your webserver is not responding at its IPv6 address! You can check with http://ipv6-test.com/validate.php that a DNS AAAA record exist, but that the webserver is not responding. I even tried to ping6 it and it isn’t reachable (or ping packets are being dropped). This is confusing if one has a fully working IPv4/6 dual stack as finding a DNS AAAA record the browser will try to connect to the webserver using IPv6 and it will fail.
    At some point Firefox became a little smarter and resolved it through IPv4 but it took a very long time and two “Unable to connect” screens.
    You might want to verify with your (IPv6) provider if there is any reachability issue, check your webserver configuration or remove the DNS AAAA record until this is fixed.

  • http://www.unwesen.de/ unwesen

    Hi!

    Yeah, I’m afraid I’m aware of the issues. I’m also not good at allocating time to this blog, so things will stay that way for a bit. I’m sure I’ll get around to fixing those issues some time this year :)

    Thanks for adding me. Do you have a blog?

    Jens

  • Nicola Tuveri

    Well, unfortunately no, I don’t have a blog, I’m more a consumer than a producer when we talk about valuable content, or maybe I just lack the blog approach, because usually I’m so focused on doing something that I forget to take a journal of the things I do.

    The funny, but annoying, thing is that I always regret that at the end, when I have to put projects on hold, because I quickly forget the details and need to almost start over again.

    Anyway, I’m very glad you’re aware of the issues and will work on them as time allows!

    Keep up the good work!