Data security changes in JB break OI Notepad access to OI Shopping List
12 views
Skip to first unread message
aap
Sep 1, 2013, 12:37:23 AM9/1/13
to openi...@googlegroups.com
Recently bought my wife a Nexus 7 (2012 edition) which has Android 4.3. She installed OI Shopping List which I built from the ui_update branch, and OI Notepad from the Play store. Upon clicking on a note icon in one of her shopping lists, OI Shopping List tried to run OI Notepad, which promptly failed with a security exception. The same builds work together fine on our phones, which are running CM10 / Android 4.1.2.
It turns out there are changes to the default security of ContentProviders in Android 4.2, and they are in effect for ContentProviders owned by any app built against SDK 17 or later. OI Shopping List switched to SDK 17 in this commit. If I am reading the documentation correctly, this should mean that if we had released any subsequent version in the Play Store, people would start having permission problems.
There seem to be a few approaches we could take to resolve the issue:
(0) go back to SDK 15... probably not desirable though
(1) set the Shopping ContentProvider as "exported" explicitly -- probably returns our security roughly where it was before
(2) declare explicit read and write permissions for the ContentProvider, and have OI Notepad require them
Any preference? Note that OI Shopping List's AndroidManifest has some permission names for the ContentProvider but they are commented out. If we add them, we would probably have to release updates for OI Notepad and OI Shopping List around the same time.
-- Aaron
Friedger Müffke
Sep 1, 2013, 3:39:37 AM9/1/13
to OpenIntents
I vote for (1). We want the shopping provider to be as open as possible.
--
You received this message because you are subscribed to the Google Groups "OpenIntents" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openintents...@googlegroups.com.
To post to this group, send email to openi...@googlegroups.com.
Visit this group at http://groups.google.com/group/openintents.
For more options, visit https://groups.google.com/groups/opt_out.
pjv
Sep 2, 2013, 6:40:19 PM9/2/13
to openi...@googlegroups.com
Just weighing in: I have been using (2) in Collectionista (and its
extensions). Doesn't seem less open to me. Just a matter of the user
accepting it in his app install permissions popup.
Friedger Müffke schreef op zo 01-09-2013 om 09:39 [+0200]:
Pieter-Jan Vandormael
extensions). Doesn't seem less open to me. Just a matter of the user
accepting it in his app install permissions popup.
Friedger Müffke schreef op zo 01-09-2013 om 09:39 [+0200]:
Friedger Müffke
Sep 3, 2013, 4:40:33 AM9/3/13
to OpenIntents
With (2) you prevent that an app can delegate using mime-types. All app must know the permission of all shopping apps that they potentially want to delegate to.
I know that there are not a lot of delegation going on at all but that is why we are here :-)
Cheers
Friedger
pjv
Sep 4, 2013, 4:37:58 PM9/4/13
to openi...@googlegroups.com
Hi Friedger,
So you are saying that regular intents don't work? The app does not show
up in the list?
Do you have a reference for that. AFAIK, the permissions are only to
protect the content providers.
Best regards,
Friedger Müffke schreef op di 03-09-2013 om 10:40 [+0200]:
--
Pieter-Jan Vandormael
So you are saying that regular intents don't work? The app does not show
up in the list?
Do you have a reference for that. AFAIK, the permissions are only to
protect the content providers.
Best regards,
Friedger Müffke schreef op di 03-09-2013 om 10:40 [+0200]:
Pieter-Jan Vandormael
Friedger Müffke
Sep 4, 2013, 5:06:53 PM9/4/13
to OpenIntents .
You are right.
I mixed that up. So, wenn you know the URI format to access the content provider then you probably also know the permissions.
So, lets go with 2 ) then.
Cheers
Friedger
Reply all
Reply to author
Forward
0 new messages