I have a sync adapter in my app and a corresponding sync service. I have declared everything, including the sync service, according to Google example code. The greater picture looks something like this:
<service android:name="com.myapp.SyncService" android:exported="true" android:process=":sync"> <intent-filter> <action android:name="android.content.SyncAdapter"/> </intent-filter> <meta-data android:name="android.content.SyncAdapter" android:resource="@xml/syncadapter" /> </service>
While it makes sense to set the
android:exported attribute to
true on the service (enabling the Android system to reach it), I’m a bit puzzled on how to tie it down in terms of access rights. I don’t want anyone else but my app and the Android system to have access to the service.
Maybe a bit naively I have created my own permission for this:
<permission android:name="com.myapp.permission.SYNC_ADAPTER" android:protectionLevel="signatureOrSystem" />
But reading up a bit on the
protectionLevel makes me wonder even more. Google says:
Please avoid using this option […] “signatureOrSystem” permission is used for certain special situations where multiple vendors have applications built into a system image and need to share specific features explicitly because they are being built together.
The described scenario is far from my use case. The question then remains:
How do I secure my sync service so that the Android system, but no third party apps, can access it?
Any clarification would be greatly appreciated!
It doesn’t look like there is a SyncAdapter permission. I’m guessing that we can safely ignore the error. See the bug filed here: https://code.google.com/p/android/issues/detail?id=37280