ABSTRACT

The program declares a permission with the normal protection level.

EXPLANATION

When declaring a custom permission, there are four options for specifying the permission's protection level: normal, dangerous, signature, and signature or system. Normal permissions are granted to any application that requests them. Dangerous permissions are granted only after user confirmation. Signature permissions are granted only to applications signed with the same developer key as the package that defines the permission. Signature or system permissions are similar to signature permissions, but are also granted to packages in the Android system image.

Example 1: The following custom permission is declared with the normal protection level.

<permission android:name="custom.PERMISSION"
    android:label="@string/label_permission"
    android:description="@string/desc_permission"
    android:protectionLevel="normal">
</permission>
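
The following check is an added example, not part of the original page: it lists the custom permissions in a manifest whose protection level resolves to normal (including declarations that omit android:protectionLevel, which defaults to normal) and the components that rely on them as their only guard. The sample manifest, its package name and its component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
GUARD_ATTRS = ("permission", "readPermission", "writePermission")

# Constructed sample manifest; the first <permission> mirrors Example 1.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <permission android:name="custom.PERMISSION" android:protectionLevel="normal" />
    <permission android:name="custom.IMPLICIT" />
    <permission android:name="custom.SIGNED" android:protectionLevel="signature" />
    <application>
        <service android:name=".SyncService" android:permission="custom.PERMISSION" />
        <provider android:name=".DataProvider"
                  android:readPermission="custom.IMPLICIT"
                  android:writePermission="custom.SIGNED" />
    </application>
</manifest>
"""


def normal_permissions(root):
    """Names of declared permissions whose base protection level is normal."""
    weak = set()
    for perm in root.iter("permission"):
        name = perm.get(ANDROID + "name")
        # An omitted protectionLevel defaults to normal; flags follow '|'.
        level = perm.get(ANDROID + "protectionLevel", "normal")
        if name and level.split("|")[0].strip() == "normal":
            weak.add(name)
    return weak


def audit(manifest_xml):
    """Return (weak permission names, components guarded only by them)."""
    root = ET.fromstring(manifest_xml)
    weak = normal_permissions(root)
    exposed = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            for attr in GUARD_ATTRS:
                guard = comp.get(ANDROID + attr)
                if guard in weak:
                    exposed.append((comp.get(ANDROID + "name"), attr, guard))
    return sorted(weak), exposed
```

Each entry in the second list is a component whose access check any requesting application can satisfy; declaring the permission with the signature level removes it from the report.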
