6

I know that Google Play applications cannot do anything that is not spelled out in their AndroidManifest.xml and will be blocked from doing so. I want to know if non-Google Play applications are locked down with the same security measure.

Will Android tell me what permissions they require before installation and block functions that use permissions not noted in the manifest of non-Google Play apps? Because Google says:

In the event that an application attempts to use a protected feature which has not been declared in the application's manifest, the permission failure will typically result in a security exception being thrown back to the application. Protected API permission checks are enforced at the lowest possible level to prevent circumvention. An example of the user messaging when an application is installed while requesting access to protected APIs is shown in Figure 2.

Does this apply to non-Google Play apps?

Andrew T.
  • 16,898
  • 10
  • 77
  • 134
munchschair
  • 163
  • 1
  • 6

2 Answers2

7

Will Android tell me what permissions they require before installation?

In general, yes. In most (if not all) Android devices, there's a system app called "Package installer" which handles the installation/upgrade of an app. When you install an APK file from unknown source, this app will run and show all permissions the app requests, which looks like this:

Package installer on KitKat

Package installer on KitKat

Will Android block functions that use permissions not noted in the manifest of non-Google Play apps?

During installation, Android doesn't check/test if a function requires specific permission to run. In other word, user can still install the app. However, the app will throw SecurityException (that may crash/behave unpredictably/do nothing, depends on how it's handled) when running the function that needs a permission, but is not declared in the manifest file. This applies to all apps, regardless from where it's installed.

Example: doing network operation without declaring <uses-permission android:name="android.permission.INTERNET" /> will crash the app with stack trace:

E/AndroidRuntime(18698): Caused by: java.lang.SecurityException: Permission denied (missing INTERNET permission?)

.

Andrew T.
  • 16,898
  • 10
  • 77
  • 134
4

An app has to declare all its permissions requirements, because they are granted to it at installation.

See the section "Using Permissions" here: http://developer.android.com/guide/topics/security/permissions.html

Jason D.
  • 134
  • 4