Loading...

android-developers@googlegroups.com

[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: [android-developers] Why explicit need for Permissions to be specified in Manifest File Kristopher Micinski Sun Feb 26 03:00:07 2012

On Thu, Feb 23, 2012 at 6:57 AM, Raja Nagendra Kumar
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> Looking for some inputs why Android explicitly expects all the
> permissions need to be declared in Android Manifest file..
>
> Can Android Run time introspect at run time or during compile time and
> prepare such info based on the API used by the application...
>
> Can it made redundant..through automatic application introspection..
>
> Basically looking for why android is designed for explicit permissions
> declaration.. when it can be automatically discovered at compiler time
> or at run time..
>

There are a number of reasons.  The first is just simplicity.
Integrating a good enough static analysis to make permissions
inference technically feasible would be possible, but perhaps not that
useful.  Consider a situation where a programmer uses an API call
which maps to some permission, but this call is in a piece of code
which can never be executed.  The fact that it's dead code may be
highly nontrivial to ascertain.  Another difficulty lies in the fact
that permissions don't always map onto calls: sometimes they map to
content providers, guards on intents, etc... So it's not really
possible without doing some very heavy static analysis to determine
the possible range of inputs to these intents is.  Unfortunately
static analysis may be inherently imprecise to the point that you'd
have to assume that all permissions (which gate content providers)
were required when someone did a query to a content provider, for
instance.

In other words, the idea that you can statically determine permissions
is inherently incorrect: while it's probably technically possible,
it's a nontrivial area of static analysis and an active topic of
research..

Kris

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [EMAIL PROTECTED]
To unsubscribe from this group, send email to
[EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en