What is the difference between system apps and privileged apps on Android?
So in 4.3 there was a concept of System applications. APKs that were placed in /system/app were given system privileges. As of 4.4, there is a new concept of "privileged app". Privileged apps are stored in /system/priv-app directory and seem to be treated differently. If you look in the AOSP Source code, under PackageManagerService, you will see new methods such as

// Returns true when the APK's code path resolves to a location under /system/priv-app
static boolean locationIsPrivileged(File path) {
    try {
        // Environment.getRootDirectory() is /system on a device
        final String privilegedAppDir = new File(Environment.getRootDirectory(), "priv-app")
                .getCanonicalPath();
        // Both sides are canonicalised, so symlinks and ".." segments are resolved before the prefix test
        return path.getCanonicalPath().startsWith(privilegedAppDir);
    } catch (IOException e) {
        Slog.e(TAG, "Unable to access code path " + path);
    }
    return false;
}

So here is an example of a situation where these differ.

public final void addActivity(PackageParser.Activity a, String type) {
    ...
    if (!systemApp && intent.getPriority() > 0 && "activity".equals(type)) {
        intent.setPriority(0);
        Log.w(TAG, "Package " + a.info.applicationInfo.packageName + " has activity "
                + a.className + " with priority > 0, forcing to 0");
    }
    ...
}

This affects the priority of any activities that are not defined as system applications. This seems to imply you cannot add an activity to the package manager whose priority is higher than 0, unless you are a system app. This does not preclude privileged apps as far as I can tell (there is a lot of logic here; I may be wrong).

My question is what exactly does this imply? If my app is privileged, but not system, what difference will that make? In PackageManagerService you can find various things that differ between system and privileged apps, they are not exactly the same. There should be some kind of ideology behind privileged apps, otherwise they would have just said:

if locationIsPrivileged: app.flags |= FLAG_SYSTEM

and been done with it. This is a new concept, and I think it would be important to know the difference between these kinds of apps for anyone who is doing AOSP development as of 4.4.

Copra answered 8/11, 2013 at 20:41 Comment(0)
So after some digging, it's clear that apps in priv-app are eligible for system permissions, the same way that old apps used to be eligible to claim system permissions by being in system-app. The only official Google documentation I could find on this came in the form of a commit message: Commit hash: ccbf84f44c9e6a5ed3c08673614826bb237afc54

Some system apps are more system than others

"signatureOrSystem" permissions are no longer available to all apps residing on the /system partition. Instead, there is a new /system/priv-app directory, and only apps whose APKs are in that directory are allowed to use signatureOrSystem permissions without sharing the platform cert. This will reduce the surface area for possible exploits of system-bundled applications to try to gain access to permission-guarded operations.

The ApplicationInfo.FLAG_SYSTEM flag continues to mean what it says in the documentation: it indicates that the application apk was bundled on the /system partition. A new hidden flag FLAG_PRIVILEGED has been introduced that reflects the actual right to access these permissions.

Update: As of Android 8.0 priv-app has changed slightly with the addition of Privileged Permission Whitelisting. Beyond just being in priv-app, your app must also be added to a whitelist in order to gain various system permissions. Information on this can be found here: https://source.android.com/devices/tech/config/perms-whitelist

Copra answered 20/11, 2013 at 18:49 Comment(14)
So if from 4.4, only /system/priv-app applications can get SignatureOrSystem permissions, what's the implication for privileges of apps that are kept in /system/app/ ? Thanks.Elah
More specifically, what's the purpose of /system/app/ folder in 4.4 ? Thanks.Elah
@Elah Apps put in system/app are typically things that you might want to have fewer permissions. For instance, you probably don't want your email client or random vendor bloatware to be able to change your system security settings.Copra
What category of permissions do apps in /system/app have? From the commit description, it's claimed that SigOrSystem permissions are not available to those apps. So, how are these apps different from 3rd party apps the user installs? Is there any difference in the privileges provided to 3rd party apps vs. /system/app apps? Also could you tell which methods in PackageManagerService.java helped you understand the difference between /system/priv-app and /system/app better? Thanks.Elah
Apps in system/app have no special permissions. They don't differ from 3rd party apps unless they are signed with the system key (hence the SigOrSystem check). As for the methods that helped, there's a variety. I started grepping for priv-app, and then followed that to PackageManagerService, which now refers to Privileged packages.Copra
Suggest an edit: "So after some digging, it's clear that apps in priv-app get system privileges," --> "So after some digging, it's clear that apps in priv-app are eligible for system privileges,". A signature permission that depends on the platform key won't be bypassed just by getting into the /system/priv-app/ dir.Lumpish
I'm working on a System App for Android Tv in collaboration with Google developers and it seems like there are also some specific Google APIs accessible only to system apps.Tenstrike
Yup! Google is capable of restricting their permissions so that only privileged apps can claim them, and I believe anyone can do that. That would mean that only system-privileged apps would be able to claim your permissions and use your APIsCopra
Looks legit to me, time to validate it practically.Kephart
How to tell the system to move the app to the priv-app folder during ROM building?Acceptant
@Acceptant LOCAL_PRIVILEGED_MODULE := trueCopra
@AndrewT. If I put my app in the priv-app folder, and it needs the android.permission.INTERACT_ACROSS_USERS permission, is it granted? For what I'm going to do, please look at: stackoverflow.com/questions/40397443Boucicault
If the app is privileged (in the priv-app folder) and the app requests the permission in its manifest, it will get it. Just be aware that being privileged will allow you to get System permissions, but it will not grant you "Signature" permissions unless you are signed with the same key as the entity which owns the permission (i.e. INTERACT_ACROSS_USERS_FULL is a signature permission and you must also be signed with the system key) @Mr.HydeCopra
@AndrewT. But I want to add GApps to my AOSP, so I should keep their sign, otherwise I get error about signature. How about this?!Boucicault
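The classification logic discussed in the question (locationIsPrivileged and FLAG_SYSTEM vs FLAG_PRIVILEGED) and the grant rules in the answer and its comments (signatureOrSystem needs priv-app or the platform cert; from Android 8.0 priv-app alone is not enough without the privapp-permissions whitelist) can be modelled in a few lines. The Python below is an added example, not AOSP or any project's code. It assumes: os.path.normpath stands in for File.getCanonicalPath() because the sample paths do not exist on disk; the package records, the protection levels assigned to the permission names and the privapp-permissions XML are constructed sample data (the XML follows the element names in the whitelist documentation linked above); API level 26 is used as the cut-over for whitelisting.

```python
"""Model of how Android (4.4 and later) sorts bundled apps into "system" and
"privileged" and what that means for a signatureOrSystem permission.
Added example, not AOSP code: packages, protection levels and the
privapp-permissions XML are constructed sample data."""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SYSTEM_ROOT = "/system"                      # Environment.getRootDirectory()
PRIV_APP_DIR = os.path.join(SYSTEM_ROOT, "priv-app")


def location_is_privileged(code_path: str) -> bool:
    """Mirror of PackageManagerService.locationIsPrivileged(): canonicalise,
    then test for /system/priv-app.  normpath replaces getCanonicalPath()
    (assumption: sample paths are not on disk).  The separator is appended so
    a sibling directory whose name merely begins with "priv-app" is excluded."""
    return os.path.normpath(code_path).startswith(PRIV_APP_DIR + os.sep)


def location_is_system(code_path: str) -> bool:
    """FLAG_SYSTEM: the APK is bundled anywhere on the /system partition."""
    return os.path.normpath(code_path).startswith(SYSTEM_ROOT + os.sep)


@dataclass(frozen=True)
class Package:
    name: str
    code_path: str
    platform_signed: bool          # signed with the platform certificate
    requested: frozenset           # <uses-permission> names from the manifest

    @property
    def system(self) -> bool:
        return location_is_system(self.code_path)

    @property
    def privileged(self) -> bool:
        return location_is_privileged(self.code_path)


def parse_privapp_whitelist(xml_text: str) -> dict:
    """Android 8.0+ privapp-permissions file ->
    {package: (allowed permission names, denied permission names)}."""
    table = {}
    for node in ET.fromstring(xml_text).findall("privapp-permissions"):
        allowed = {p.get("name") for p in node.findall("permission")}
        denied = {p.get("name") for p in node.findall("deny-permission")}
        table[node.get("package")] = (allowed, denied)
    return table


def would_grant(pkg: Package, perm: str, protection: str, whitelist: dict, api_level: int):
    """Decide one permission; returns (granted, reason).  protection is the
    manifest protectionLevel: "normal", "signature" or "signature|privileged"
    (the level the 4.4 commit message calls signatureOrSystem)."""
    if perm not in pkg.requested:
        return False, "not requested in manifest"
    if protection == "normal":
        return True, "normal permission"
    if pkg.platform_signed:
        return True, "signed with the platform certificate"
    if "privileged" in protection and pkg.privileged:
        if api_level >= 26:                      # Android 8.0 whitelisting
            allowed, denied = whitelist.get(pkg.name, (set(), set()))
            if perm in denied:
                return False, "deny-permission in privapp whitelist"
            if perm not in allowed:
                return False, "privileged but not whitelisted"
        return True, "privileged app in /system/priv-app"
    if pkg.system:
        return False, "FLAG_SYSTEM alone confers no signatureOrSystem right"
    return False, "third-party app"


# Constructed sample data (protection levels simplified for the example).
PERM = "android.permission.INTERACT_ACROSS_USERS"
PROTECTION = {PERM: "signature|privileged",
              "android.permission.INTERACT_ACROSS_USERS_FULL": "signature"}
WHITELIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<permissions>
    <privapp-permissions package="com.example.privileged">
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
    </privapp-permissions>
    <privapp-permissions package="com.example.denied">
        <deny-permission name="android.permission.INTERACT_ACROSS_USERS"/>
    </privapp-permissions>
</permissions>"""
REQ = frozenset({PERM})
PACKAGES = [
    Package("com.example.privileged", "/system/priv-app/Priv/Priv.apk", False, REQ),
    Package("com.example.denied", "/system/priv-app/Den/Den.apk", False, REQ),
    Package("com.example.bundled", "/system/app/Bundled/Bundled.apk", False, REQ),
    Package("com.example.lookalike", "/system/priv-app-extra/Look/Look.apk", False, REQ),
    Package("com.example.platform", "/system/app/Plat/Plat.apk", True, REQ),
    Package("com.example.thirdparty", "/data/app/Third/Third.apk", False, REQ),
]


def audit(api_level: int = 28) -> dict:
    """Which sample packages would receive INTERACT_ACROSS_USERS at api_level."""
    wl = parse_privapp_whitelist(WHITELIST_XML)
    return {p.name: would_grant(p, PERM, PROTECTION[PERM], wl, api_level)[0] for p in PACKAGES}


if __name__ == "__main__":
    for level in (19, 28):
        print(level, audit(level))
```

Running it shows the two regimes side by side: on API 19 every package under /system/priv-app receives the permission, while on API 28 only the whitelisted one does and the deny-permission entry wins; an APK merely under /system/app is treated like a third-party install unless it carries the platform signature.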
