
[Roman Herasymenko] Android M Security Model


Presentation from GDG DevFest Ukraine 2015 - the biggest Google related event in the country. October 23-24, Lviv. Learn more at http://devfest.gdg.org.ua/

Google Developers Group Lviv

October 23, 2015

Transcript

  1. #dfua Problems
    - Installing applications based on trust
    - Unnecessary permissions (related functionality will never be used)
    - Dangerous permissions (especially with paid SMS & calls)

    Many users won’t even download the app.
  2. #dfua What is new here?
    - Permission groups
    - Normal permissions
    - Runtime permissions
    - Permissions can be accepted or denied in settings
    - We have to deal with denied permissions
    - User education
  3. #dfua Normal permissions
    - Permission rating: normal
    - No risk to user’s privacy or security
    - 37 permissions are in this group
    - INTERNET, VIBRATE, WRITE_EXTERNAL_STORAGE, RECEIVE_BOOT_COMPLETED are in this group
  4. #dfua Denied permission with targetSdk < 23
    - Android 6.0 won’t crash
    - Functions which need permissions will return an empty state value
  5. #dfua Denied permission with targetSdk >= 23
    - If your app is not ready to work with permissions, it will crash
    - Implement the new permissions model before releasing the app with targetSdk >= 23
  6. #dfua Intents without permissions
    - We can still use Intents without requesting permission for certain functions
    - ACTION_INSERT, ACTION_IMAGE_CAPTURE, ACTION_VIDEO_CAPTURE, etc.
  7. #dfua How do we need to ask for permission?

    ```java
    // Uses the v4 support library helpers ContextCompat and ActivityCompat.
    if (ContextCompat.checkSelfPermission(thisActivity, Manifest.permission.READ_CONTACTS)
            != PackageManager.PERMISSION_GRANTED) {
        // Should we show an explanation?
        if (ActivityCompat.shouldShowRequestPermissionRationale(thisActivity,
                Manifest.permission.READ_CONTACTS)) {
            // Show an explanation to the user *asynchronously*
        } else {
            // No explanation needed, we can request the permission.
            ActivityCompat.requestPermissions(thisActivity,
                    new String[]{Manifest.permission.READ_CONTACTS},
                    MY_PERMISSIONS_REQUEST_READ_CONTACTS);
        }
    }
    ```

    Asking for permission
  8. #dfua How do we need to manage the result?

    ```java
    @Override
    public void onRequestPermissionsResult(int requestCode,
            String permissions[], int[] grantResults) {
        switch (requestCode) {
            case MY_PERMISSIONS_REQUEST_READ_CONTACTS: {
                // If request is cancelled, the result arrays are empty.
                if (grantResults.length > 0
                        && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
                    // permission was granted, yay! Do the
                    // contacts-related task you need to do.
                } else {
                    // permission denied, boo! Disable the
                    // functionality that depends on this permission.
                }
                return;
            }
            // other 'case' lines to check for other
            // permissions this app might request
        }
    }
    ```

    Handling result
  9. #dfua Asking for permission
    - Using the framework (targetSdk = 23)
    - We have to check which SDK version we’re using
    - Using v4 or v13 support libraries
    - v4 will check it internally
  10. #dfua Is it easy?
    - Implementation is easy, but the flow is a mess
    - User education adds more difficulty to it
    - Reusing permissions in several parts of the app makes this even more difficult
  11. #dfua
    - Checking for permission: ContextCompat.checkSelfPermission(Context context, String permission)
    - Requesting for permission: ActivityCompat.requestPermissions(final Activity activity, final String[] permissions, final int requestCode)
    - Checking if permission was denied before: ActivityCompat.shouldShowRequestPermissionRationale(Activity activity, String permission)
  12. #dfua
    - Best practices
    - Requesting permissions in runtime
    - Permission groups
    - Exploring new permission model
    - Design patterns
    - Handling permissions removal
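
The deck notes that reusing permissions in several parts of an app complicates the flow, and that a grant can later be denied in settings. One way to centralize the check, request and result handling, as an added example that is not from the deck: `PermissionGate`, its `Callback` interface and all of their method names are hypothetical, while the `ContextCompat` and `ActivityCompat` calls are the v4 support library methods the slides list.

```java
import android.app.Activity;
import android.content.pm.PackageManager;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;
import android.util.SparseArray;

/** Hypothetical helper, not from the deck: one place to check, request and dispatch. */
public final class PermissionGate {
    /** Interface and method names are assumptions made for this example. */
    public interface Callback {
        void onGranted();
        void onDenied(boolean canAskAgain);
    }

    private final Activity activity;
    private final SparseArray<Callback> pending = new SparseArray<>();

    public PermissionGate(Activity activity) {
        this.activity = activity;
    }

    /** Call before every protected operation; a grant can be revoked in Settings later. */
    public void run(int requestCode, String permission, Callback callback) {
        if (ContextCompat.checkSelfPermission(activity, permission)
                == PackageManager.PERMISSION_GRANTED) {
            callback.onGranted();
            return;
        }
        pending.put(requestCode, callback);
        ActivityCompat.requestPermissions(activity, new String[]{permission}, requestCode);
    }

    /** Forward onRequestPermissionsResult here; returns false for codes it did not issue. */
    public boolean dispatch(int requestCode, String[] permissions, int[] grantResults) {
        Callback callback = pending.get(requestCode);
        if (callback == null) return false;
        pending.remove(requestCode);
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            callback.onGranted();
        } else {
            // Empty arrays mean the request was cancelled: fail closed, but allow a retry.
            // After a denial, a false rationale flag means the system will not prompt again.
            boolean canAskAgain = permissions.length == 0 || ActivityCompat
                    .shouldShowRequestPermissionRationale(activity, permissions[0]);
            callback.onDenied(canAskAgain);
        }
        return true;
    }
}
```

An Activity would hold one `PermissionGate` and call `dispatch` from its own `onRequestPermissionsResult`, so every feature that needs a permission goes through the same deny-by-default path.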