Pampapathi February 2016

Android-Permission: Backward compatibility. Give access only to apps which are using old version of my app(new version permission enforced)

How to give access to applications which are using my updated application(newer version) where permissions are enforced.

Suppose my application name is ABC and version is 0.1

There are few applications on the device which uses service(Let say XZ) offered by ABC application.

Now, my company thinks that we should expose a permission to use our XZ service.

According to that we have enforced the permission PQ in Version 0.2. Now onwards applications which are using our service XZ, they should mention the PQ permission in their manifest file.

But problem is,after upgrade, applications which are using Version 0.1 will no longer able to use our service.

I know what are all applications which are using XZ service.

How we can solve the backward compatibility issue ?

I have checked enough on the net but no luck.

If you were faced the same issue and found the solution, please help me...

Any work around solutions are welcome.

Answers


CommonsWare February 2016

How we can solve the backward compatibility issue ?

Contact the developers of those apps, warn them of the impending permission requirement, and encourage them to update their apps ahead of time.

Or, do not defend your app via a permission. If there is a known finite set of client apps, and you are using a compatible communications mechanism (e.g., AIDL-based binding), you can use getCallingUid() to find out who the client is for a request, and validate it against a whitelist of known apps. You can even check to see if the public signing key matches the expected value, to help defend against hacked editions of the clients.

Another possibility is to have two separate service entry points to the same functionality:

  • the 0.1 version works as it does today, without the permission

  • the 0.2 version requires not only the <uses-permission> element, but also changing the identity of the service (e.g., a different action string for the Intent used to look up the service)

This allows you to start tightening up security without breaking the older apps. You can then offer a deprecation window, to give time for the 0.1 clients to move to 0.2, before eventually removing the 0.1 entry point entirely (or, at least, defending it with the same permission).

Most likely, there are other patterns as well — these are the ones off the top of my head.

Post Status

Asked in February 2016
Viewed 1,989 times
Voted 12
Answered 1 times

Search




Leave an answer