Sync adapter service exported but unprotected

Fellow Developers!

I have a sync adapter in my app and a corresponding sync service. I have declared everything, including the sync service, according to Google example code. The greater picture looks something like this:

<service
    android:name="com.myapp.SyncService"
    android:exported="true"
    android:process=":sync">

    <intent-filter>
        <action
            android:name="android.content.SyncAdapter"/>
    </intent-filter>

    <meta-data
        android:name="android.content.SyncAdapter"
        android:resource="@xml/syncadapter" />

</service>

While it makes sense to set the android:exported attribute to true on the service (enabling the Android system to reach it), I’m a bit puzzled on how to tie it down in terms of access rights. I don’t want anyone else but my app and the Android system to have access to the service.

Maybe a bit naively I have created my own permission for this:

<permission
    android:name="com.myapp.permission.SYNC_ADAPTER"
    android:protectionLevel="signatureOrSystem" />

But reading up a bit on the protectionLevel makes me wonder even more. Google says:

Please avoid using this option […] “signatureOrSystem” permission is used for certain special situations where multiple vendors have applications built into a system image and need to share specific features explicitly because they are being built together.

The described scenario is far from my use case. The question then remains:

How do I secure my sync service so that the Android system, but no third party apps, can access it?

Any clarification would be greatly appreciated!

Answer

It doesn’t look like there is a SyncAdapter permission. I’m guessing that we can safely ignore the error. See the bug filed here: https://code.google.com/p/android/issues/detail?id=37280

Leave a Reply

Your email address will not be published. Required fields are marked *