article

Amelia@Amazon avatar image
Amelia@Amazon posted

Android security changes requires uniquely defined custom permissions   

Summary

As a part of the security changes in Android 5.0, any application that declares a custom permission to application level resources must be signed with the same SSL certificate as all other apps declaring the same permission.

Issue

Prior to Android 5.0, apps that declared custom permissions had the permission ignored on installation when signed with a different SSL certificate than the first app declaring the permissions. This behavior has changed so that installation is prevented if there is a change in signature.

Resolution

This treatment is the exact same as if you are using an android:sharedUserId element of the manifest element. If you declare a permission to use with your application you will need to be aware of it as you test and deploy applications that utilize app-level permissions. For more information about app-level permissions check out these references:

Permission Element: http://developer.android.com/guide/topics/manifest/permission-element.html

Android Permissions Introduction: http://developer.android.com/guide/topics/manifest/manifest-intro.html#perms

If you are trying to validate app interaction with custom permissions you will need to make sure the same certificate signs all apps. When testing apps that are going to interact with apps downloaded from an app store you need to have those apps signed with the same certificate for the installation process to work. Otherwise, your ADB Install process will fail.

By default, apps in the Amazon Appstore for Android are signed using a developer certificate that is unique to your account. If you are using custom permissions targeting only Amazon devices, or are primarily in our Appstore, then you can leverage our Live App Testing service to validate that your apps interact correctly together. Live App Testing will sign your apps using the same certificate as your live apps published by Amazon.

However, if you have a presence in both the Amazon Appstore and other distribution channels you will also need to keep in mind that your certificates may be different, potentially impacting your customers. For more information about signing apps in the Amazon Appstore feel free to Contact Us.

Keywords: Permissions, SSL, Security

[KB_0034]

androidlollipop
10 |5000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Article

Contributors

rossbria contributed to this article brizzlebrazzle contributed to this article