What's the difference between /system/app/ and /system/priv-app in KitKat?


Yong

Dec 2, 2013, 4:23:04 AM
to android-...@googlegroups.com

What's the difference between /system/app/ and /system/priv-app in KitKat? Which apps should be put in /system/priv-app?

Christopher Tate

Dec 2, 2013, 12:36:30 PM
to android-...@googlegroups.com

Only apks in /system/priv-app can use "system"-level permissions. Prior to Kitkat, all apks on the system partition could use those permissions.

This change gives the manufacturer more control over access to sensitive permissions by bundled software.

--
christopher tate
android framework engineer


siva ramakrishna kv

Dec 4, 2013, 12:09:58 PM
to android-...@googlegroups.com
Hi Christopher,

Thanks for the clarification.
I just want to get more clarity on this, when you say "system"-level permission. For example, I have a system app in which I am enabling the GPS directly by modifying the settings db. Will this behavior be affected if I keep my apk in the /system/app folder?

Thanks in advance,
Siva ramakrishna

Christopher Tate

Dec 4, 2013, 2:37:15 PM
to android-...@googlegroups.com
When you say "directly by modifying settings db" do you really mean you are opening the settings database via SQL yourself, independently of the OS's settings provider, or do you mean you're using the correct Settings API for making the change?  Nothing but the settings provider should ever write to its underlying data store.

Assuming you're talking about using the Settings API to write the Settings.Secure.LOCATION_MODE datum, the ability to do that is protected by the "android.permission.WRITE_SECURE_SETTINGS" permission, which is traditionally "signature or system" and in KK is "signature|system|development".  It's that specific use of "system" that I mean when I wrote '"system"-level permission.'

Your apk will *not* be granted the WRITE_SECURE_SETTINGS permission if it is bundled in /system/app.  As of KK, it is only eligible for "system" permissions if it is bundled in /system/priv-app.

--
christopher tate
android framework engineer
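
The grant rule described in the reply above, modelled as an added example (not code from the thread or from Android itself): a request is granted if any flag in the permission's protection level is satisfied, and `kitkat=False` reproduces the earlier behaviour in which any apk on the system partition counted as "system". The package names, certificates, the `SIG_ONLY` permission and the `dev_granted` field are constructed for illustration.

```python
from dataclasses import dataclass

PLATFORM_CERT = "platform-cert"  # constructed stand-in for the platform signing certificate
WSS = "android.permission.WRITE_SECURE_SETTINGS"
SIG_ONLY = "com.example.permission.SIG_ONLY"  # hypothetical permission
PROTECTION = {
    WSS: "signature|system|development",  # KitKat value quoted in the post
    SIG_ONLY: "signature",
}

@dataclass
class Package:
    name: str
    code_path: str
    cert: str
    requested: list
    dev_granted: bool = False  # assumption: an explicit grant of a development permission

def grant_reasons(pkg, permission, kitkat=True):
    """Return the flags that make pkg eligible; an empty list means not granted."""
    flags = PROTECTION[permission].split("|")
    reasons = []
    if "signature" in flags and pkg.cert == PLATFORM_CERT:
        reasons.append("signature")
    root = "/system/priv-app/" if kitkat else "/system/"  # pre-KitKat: all of /system
    if "system" in flags and pkg.code_path.startswith(root):
        reasons.append("system")
    if "development" in flags and pkg.dev_granted:
        reasons.append("development")
    return reasons

def audit(packages, kitkat=True):
    """Return (denied requests, requests granted by install location alone)."""
    denied, location_only = [], []
    for pkg in packages:
        for perm in pkg.requested:
            reasons = grant_reasons(pkg, perm, kitkat)
            if not reasons:
                denied.append((pkg.name, perm))
            elif reasons == ["system"]:
                location_only.append((pkg.name, perm))
    return denied, location_only

# Constructed inventory: package names, paths and certificates are illustrative.
SAMPLE = [
    Package("com.example.gpstoggle", "/system/app/GpsToggle.apk", "vendor-cert", [WSS]),
    Package("com.example.setup", "/system/priv-app/Setup.apk", "vendor-cert", [WSS]),
    Package("com.example.core", "/system/app/Core.apk", PLATFORM_CERT, [WSS, SIG_ONLY]),
]
```

The second list returned by `audit` is the one to review on a firmware image: packages that hold a privileged permission only because of where they are installed, not because of how they are signed.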

siva ramakrishna kv

Dec 4, 2013, 11:58:03 PM
to android-...@googlegroups.com
I am using the Settings provider API to modify the secure settings.
Anyway, thank you for clarifying my doubt, and now I am clear about system-level permission.

Thanks
Siva ramakrishna

Zahid Gill

May 14, 2014, 5:01:33 AM
to android-...@googlegroups.com
Hi, in my JB 4.1.2, there is obviously no folder /priv-app. How can I use GoogleDialer.apk or other kitkat APKs?

Gonzo Bot

Oct 19, 2014, 7:58:39 AM
to android-...@googlegroups.com
Of course... Nope /priv-app is a KK-Development feature.
For those which easily integrate some apps to the OS can use these apps:

whatever...

Artur Piecyk

Mar 29, 2018, 7:53:18 PM
to android-platform
Due to very small internal storage (just 4 GB) on my ZTE V5, I've been struggling for more space, so I uninstalled Google Play Store with System App Remover https://play.google.com/store/apps/details?id=com.jumobile.manager.systemapp but could re-install it (in version 4.5.10, working with my Google Play Services 12.2.21 (036-188803320)) only as a system app (in /system/priv-app/), so it still occupies my internal storage. Is there any way to get it working when installed as a user app on the SD card?

A J

Oct 10, 2019, 1:21:41 PM
to android-platform

Hello Christopher,

I've been trying to understand system and privileged level apps on Android (latest 10), and I'm looking for an answer to confirm my understanding of the following queries related to the same.

1. What makes an app a "system" or "privileged" app?
   a. Is OEM signing and android.uid.system mandatory, or
   b. is just putting it inside /system/app and /system/priv-app enough?
2. What's the difference between system (/system/app) and privileged (/system/priv-app)?
3. Do they share the same or different uid?
4. What is the basic principle in introducing priv-app, when the system app concept was already present?
5. What does OR mean in "SignatureORSystem"? Why can't it just be "System"?

My understanding so far:

1. "SignatureOrSystem" permissions are only granted to apps present inside /system/priv-app and whitelisted in /etc/permissions. The app need not be OEM signed or contain android.uid.system.
2. "Signature" permissions are only granted if an app is OEM signed (for pre-defined permissions). It need not be inside /system/priv-app or contain android.uid.system.
3. Declaring android.uid.system in the Manifest does not make an app a system app.
   It's more the reverse: only apps already satisfying system privilege conditions can ask for android.uid.system.
4. If an app is needed for a device to work but doesn't hold any sensitive permissions, then it can be placed in /system/app.
   If it holds sensitive permissions, then it's placed inside /system/priv-app.
5. Apps inside /system/priv-app and whitelisted in /etc/permission are implicitly granted system privilege.
6. Apps inside /system/app are just like 3rd party apps unless they are OEM signed (except for the uninstallation part).

Could you help me in understanding it better?

