From 4fe4d4c91cdfa59bb8161625be85252e187667a2 Mon Sep 17 00:00:00 2001
From: Chris Palmer
Date: Mon, 11 Oct 2010 15:27:42 -0700
Subject: [PATCH] Update the documentation for content provider security.

Without this documentation fix, developers will not know that apps on pre-Gingercomb devices will inadvertently export their content providers. With knowledge of the solid workaround, they can make their apps secure.

Change-Id: I1f096aff19500cd3d3fd2955a9dec59d8e7c6a73
--- .../guide/topics/manifest/provider-element.jd | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/docs/html/guide/topics/manifest/provider-element.jd b/docs/html/guide/topics/manifest/provider-element.jd index c80b20742cc28..bee87e6933447 100644 --- a/docs/html/guide/topics/manifest/provider-element.jd +++ b/docs/html/guide/topics/manifest/provider-element.jd @@ -96,10 +96,19 @@ If "{@code false}", the provider is available only to components of the same application or applications with the same user ID. The default value is "{@code true}". -

-You can export a content provider but still limit access to it with the -permission attribute. -

+

You can export a content provider but still limit access to it with the +permission +attribute. Note that due to a bug in versions of Android prior to {@link +android.os.Build.VERSION_CODES#VERSION_GINGERBREAD} providers were exported +even if {@code android:exported} were set to {@code false}. Therefore, for +provider security on all devices, protect your provider with a +signature-level permission. For information on defining a permission, see +the permission +element. For information on using the permission, see the uses-permission +element.

{@code android:grantUriPermissions}
Whether or not those who ordinarily would not have permission to
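
Review bot: The `{@link android.os.Build.VERSION_CODES#VERSION_GINGERBREAD}` target in the added paragraph needs checking, because the constants in `Build.VERSION_CODES` carry no `VERSION_` prefix (the member is `GINGERBREAD`) and a member that does not resolve leaves a broken link in the generated page. The commit message says "pre-Gingercomb" while the doc text names Gingerbread, so the two should agree on which release carries the fix. The workaround sentence would be easier to act on if it spelled out what "signature-level" means here (a permission whose protection level is `signature`) and said plainly that this limits access to apps signed with the same certificate, since a developer who intends to share the provider with third-party apps gets no guidance from this text. The new note also covers only the case where `android:exported` is explicitly set to `false`; because the unchanged context line above states that the default is `true`, it is worth a clause reminding readers that a provider left at the default is exported on every version and needs the same permission.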