diff --git a/docs/html/guide/topics/manifest/permission-element.jd b/docs/html/guide/topics/manifest/permission-element.jd
index 4bb5f6affe9dc..d8dbf4096f839 100644
--- a/docs/html/guide/topics/manifest/permission-element.jd
+++ b/docs/html/guide/topics/manifest/permission-element.jd
@@ -10,70 +10,80 @@ parent.link=manifest-intro.html
             android:<a href="#label">label</a>="<i>string resource</i>"
             android:<a href="#nm">name</a>="<i>string</i>"
             android:<a href="#pgroup">permissionGroup</a>="<i>string</i>"
-            android:<a href="#plevel">protectionLevel</a>=["normal" | "dangerous" | 
+            android:<a href="#plevel">protectionLevel</a>=["normal" | "dangerous" |
                                      "signature" | "signatureOrSystem"] /&gt;</pre></dd>
 
 <dt>contained in:</dt>
-<dd><code><a href="{@docRoot}guide/topics/manifest/manifest-element.html">&lt;manifest&gt;</a></code></dd>
+<dd><code><a href="{@docRoot}guide/topics/manifest/manifest-element.html"
+  >&lt;manifest&gt;</a></code></dd>
 
 <dt>description:</dt>
-<dd itemprop="description">Declares a security permission that can be used to limit access
-to specific components or features of this or other applications.  
-See the <a href="{@docRoot}guide/topics/manifest/manifest-intro.html#perms">Permissions</a>
-section in the introduction,
-and the <a href="{@docRoot}guide/topics/security/security.html">Security and Permissions</a> 
-document for more information on how permissions work.</dd>
+<dd itemprop="description">Declares a security permission that can be used to
+limit access to specific components or features of this or other applications.
+See the <a href="{@docRoot}guide/topics/manifest/manifest-intro.html#perms"
+>Permissions</a> section in the introduction, and the <a
+href="{@docRoot}guide/topics/security/security.html">Security and
+Permissions</a> document for more information on how permissions work.</dd>
 
 <dt>attributes:</dt>
 <dd><dl class="attr">
 <dt><a name="desc"></a>{@code android:description}</dt>
-<dd>A user-readable description of the permission, longer and more 
-informative than the label.  It may be displayed to explain the 
-permission to the user &mdash; for example, when the user is asked 
+<dd>A user-readable description of the permission, longer and more
+informative than the label.  It may be displayed to explain the
+permission to the user &mdash; for example, when the user is asked
 whether to grant the permission to another application.
 
 <p>
-This attribute must be set as a reference to a string resource; 
+This attribute must be set as a reference to a string resource;
 unlike the {@code label} attribute, it cannot be a raw string.
 </p></dd>
 
 <dt><a name="icon"></a>{@code android:icon}</dt>
-<dd>A reference to a drawable resource for an icon that represents the 
+<dd>A reference to a drawable resource for an icon that represents the
 permission.</dd>
 
 <dt><a name="label"></a>{@code android:label}</dt>
-<dd>A name for the permission, one that can be displayed to users. 
+<dd>A name for the permission, one that can be displayed to users.
 
 <p>
-As a convenience, the label can be directly set 
-as a raw string while you're developing the application.  However, 
-when the application is ready to be published, it should be set as a 
-reference to a string resource, so that it can be localized like other 
+As a convenience, the label can be directly set
+as a raw string while you're developing the application.  However,
+when the application is ready to be published, it should be set as a
+reference to a string resource, so that it can be localized like other
 strings in the user interface.
 </p></dd>
 
 <dt><a name="nm"></a>{@code android:name}</dt>
-<dd>The name of the permission.  This is the name that will be used in 
-code to refer to the permission &mdash; for example, in a 
-<code><a href="{@docRoot}guide/topics/manifest/uses-permission-element.html">&lt;uses-permission&gt;</a></code> element and the
+<dd>The name of the permission.  This is the name that will be used in
+code to refer to the permission &mdash; for example, in a
+<code><a href="{@docRoot}guide/topics/manifest/uses-permission-element.html"
+  >&lt;uses-permission&gt;</a></code> element and the
 {@code permission} attributes of application components.
 
-<p>
-The name must be unique, so it should use Java-style scoping &mdash; 
-for example, "{@code com.example.project.PERMITTED_ACTION}".
-</p></dd>
+
+<p class="note">
+  <strong>Note:</strong> The system does not allow multiple packages to declare
+  a permission with the same name, unless all the packages are signed with the
+  same certificate. If a package declares a permission, the system does not permit
+  the user to install other packages with the same permission name, unless
+  those packages are signed with the same certificate as the first package. To
+  avoid naming collisions, we recommend using reverse-domain-style naming for custom
+  permissions, for example <code>com.example.myapp.ENGAGE_HYPERSPACE</code>.
+</p>
+</dd>
 
 <dt><a name="pgroup"></a>{@code android:permissionGroup}</dt>
-<dd>Assigns this permission to a group.  The value of this attribute is 
-the name of the group, which must be declared with the 
-<code><a href="{@docRoot}guide/topics/manifest/permission-group-element.html">&lt;permission-group&gt;</a></code> element in this 
+<dd>Assigns this permission to a group.  The value of this attribute is
+the name of the group, which must be declared with the
+<code><a href="{@docRoot}guide/topics/manifest/permission-group-element.html"
+  >&lt;permission-group&gt;</a></code> element in this
 or another application.  If this attribute is not set, the permission
 does not belong to a group.</dd>
 
 <dt><a name="plevel"></a>{@code android:protectionLevel}</dt>
 <dd>Characterizes the potential risk implied in the permission and
 indicates the procedure the system should follow when determining
-whether or not to grant the permission to an application requesting it. 
+whether or not to grant the permission to an application requesting it.
 The value can be set to one of the following strings:
 
 <table>
@@ -82,9 +92,9 @@ The value can be set to one of the following strings:
    <th>Meaning</th>
 </tr><tr>
    <td>"{@code normal}"</td>
-   <td>The default value.  A lower-risk permission that gives requesting 
-       applications access to isolated application-level features, with 
-       minimal risk to other applications, the system, or the user.  
+   <td>The default value.  A lower-risk permission that gives requesting
+       applications access to isolated application-level features, with
+       minimal risk to other applications, the system, or the user.
        The system automatically grants this type
        of permission to a requesting application at installation, without
        asking for the user's explicit approval (though the user always
@@ -109,11 +119,11 @@ The value can be set to one of the following strings:
        asking for the user's explicit approval.
 </tr><tr>
    <td>"{@code signatureOrSystem}"</td>
-   <td>A permission that the system grants only to applications that are 
+   <td>A permission that the system grants only to applications that are
        in the Android system image <em>or</em> that are signed with the same
-       certificate as the application that declared the permission. Please avoid using this 
-       option, as the {@code signature} protection level should be sufficient 
-       for most needs and works regardless of exactly where applications are 
+       certificate as the application that declared the permission. Please avoid using this
+       option, as the {@code signature} protection level should be sufficient
+       for most needs and works regardless of exactly where applications are
        installed.  The "{@code signatureOrSystem}"
        permission is used for certain special situations where multiple
        vendors have applications built into a system image and need
diff --git a/docs/html/guide/topics/security/permissions.jd b/docs/html/guide/topics/security/permissions.jd
index ecbe33ab4abbc..c6a12f66db9f0 100644
--- a/docs/html/guide/topics/security/permissions.jd
+++ b/docs/html/guide/topics/security/permissions.jd
@@ -18,6 +18,7 @@ page.tags=permissions
 </li>
 <li><a href="#defining">Defining and Enforcing Permissions</a>
 	<ol>
+  <li><a href="#custom-recommendations">Custom permission recommendations</a></li>
 	<li><a href="#manifest">...in AndroidManifest.xml</a></li>
 	<li><a href="#broadcasts">...when Sending Broadcasts</a></li>
 	<li><a href="#enforcement">Other Permission Enforcement</a></li>
@@ -540,17 +541,19 @@ to be as high as possible. You can see which permissions were added with each re
 <a name="declaring"></a>
 <h2 id="defining">Defining and Enforcing Permissions</h2>
 
-<p>To enforce your own permissions, you must first declare them in your
-<code>AndroidManifest.xml</code> using one or more
-<code>{@link android.R.styleable#AndroidManifestPermission &lt;permission&gt;}</code>
-tags.</p>
+<p>
+  To enforce your own permissions, you must first declare them in your
+  <code>AndroidManifest.xml</code> using one or more <a href=
+  "{@docRoot}guide/topics/manifest/permission-element.html"><code>&lt;permission&gt;</code></a>
+  elements.
+</p>
 
 <p>For example, an application that wants to control who can start one
 of its activities could declare a permission for this operation as follows:</p>
 
 <pre>&lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot;
-    package=&quot;com.me.app.myapp&quot; &gt;
-    &lt;permission android:name=&quot;com.me.app.myapp.permission.DEADLY_ACTIVITY&quot;
+    package=&quot;com.example.myapp&quot; &gt;
+    &lt;permission android:name=&quot;com.example.myapp.permission.DEADLY_ACTIVITY&quot;
         android:label=&quot;&#64;string/permlab_deadlyActivity&quot;
         android:description=&quot;&#64;string/permdesc_deadlyActivity&quot;
         android:permissionGroup=&quot;android.permission-group.COST_MONEY&quot;
@@ -558,50 +561,65 @@ of its activities could declare a permission for this operation as follows:</p>
     ...
 &lt;/manifest&gt;</pre>
 
+<p class="note">
+  <strong>Note:</strong> The system does not allow multiple packages to declare
+  a permission with the same name, unless all the packages are signed with the
+  same certificate. If a package declares a permission, the system does not permit
+  the user to install other packages with the same permission name, unless
+  those packages are signed with the same certificate as the first package. To
+  avoid naming collisions, we recommend using reverse-domain-style naming for custom
+  permissions, for example <code>com.example.myapp.ENGAGE_HYPERSPACE</code>.
+</p>
+
 <p>The {@link android.R.styleable#AndroidManifestPermission_protectionLevel
-&lt;protectionLevel&gt;} attribute is required, telling the system how the
+protectionLevel} attribute is required, telling the system how the
 user is to be informed of applications requiring the permission, or who is
 allowed to hold that permission, as described in the linked documentation.</p>
 
-<p>The {@link android.R.styleable#AndroidManifestPermission_permissionGroup
-&lt;permissionGroup&gt;} attribute is optional, and only used to help the system display
-permissions to the user.  You will usually want to set this to either a standard
-system group (listed in {@link android.Manifest.permission_group
-android.Manifest.permission_group}) or in more rare cases to one defined by
-yourself.  It is preferred to use an existing group, as this simplifies the
-permission UI shown to the user.</p>
+<p>
+  The <a href=
+  "{@docRoot}guide/topics/manifest/permission-group-element.html"
+  ><code>android:permissionGroup</code></a>
+  attribute is optional, and only used to help the system display permissions
+  to the user. In most cases you will want to set this to a standard system
+  group (listed in {@link android.Manifest.permission_group
+  android.Manifest.permission_group}), although you can define a group yourself.
+  It is preferable to use an existing group, as this simplifies the
+  permission UI shown to the user.
+</p>
 
-<p>Note that both a label and description should be supplied for the
-permission. These are string resources that can be displayed to the user when
+<p>You need to supply both a label and description for the
+permission. These are string resources that the user can see when
 they are viewing a list of permissions
 (<code>{@link android.R.styleable#AndroidManifestPermission_label android:label}</code>)
 or details on a single permission (
 <code>{@link android.R.styleable#AndroidManifestPermission_description android:description}</code>).
-The label should be short, a few words
+The label should be short; a few words
 describing the key piece of functionality the permission is protecting. The
-description should be a couple sentences describing what the permission allows
-a holder to do. Our convention for the description is two sentences, the first
-describing the permission, the second warning the user of what bad things
-can happen if an application is granted the permission.</p>
+description should be a couple of sentences describing what the permission allows
+a holder to do. Our convention is a two-sentence description:
+the first sentence describes the permission, and the second sentence warns the
+user of the type of things that can go wrong if an application is granted the
+permission.</p>
 
 <p>Here is an example of a label and description for the CALL_PHONE
 permission:</p>
 
 <pre>
-    &lt;string name=&quot;permlab_callPhone&quot;&gt;directly call phone numbers&lt;/string&gt;
-    &lt;string name=&quot;permdesc_callPhone&quot;&gt;Allows the application to call
-        phone numbers without your intervention. Malicious applications may
-        cause unexpected calls on your phone bill. Note that this does not
-        allow the application to call emergency numbers.&lt;/string&gt;
+&lt;string name=&quot;permlab_callPhone&quot;&gt;directly call phone numbers&lt;/string&gt;
+&lt;string name=&quot;permdesc_callPhone&quot;&gt;Allows the application to call
+    phone numbers without your intervention. Malicious applications may
+    cause unexpected calls on your phone bill. Note that this does not
+    allow the application to call emergency numbers.&lt;/string&gt;
 </pre>
 
-<p>You can look at the permissions currently defined in the system with the
+<p>You can view at the permissions currently defined in the system using the
 Settings app and the shell command <code>adb shell pm list permissions</code>.
-To use the Settings app, go to Settings &gt; Applications.  Pick an app and
+To use the Settings app, go to <b>Settings</b> &gt; <b>Applications</b>.  Pick an app and
 scroll down to see the permissions that the app uses. For developers, the adb '-s'
 option displays the permissions in a form similar to how the user will see them:</p>
 
-<pre>
+<pre class="no-pretty-print">
 $ adb shell pm list permissions -s
 All Permissions:
 
@@ -615,14 +633,53 @@ Services that cost you money: send SMS messages, directly call phone numbers
 
 ...</pre>
 
+<h3 id="custom-recommendations">
+  Custom permission recommendations
+</h3>
+
+<p>
+  Apps can define their own custom permissions and request custom permissions
+  from other apps by defining <a href=
+  "{@docRoot}guide/topics/manifest/uses-permission-element.html"><code
+  >&lt;uses-permission&gt;</code></a> elements.
+  However, you should carefully assess whether it is necessary for your app to
+  do so.
+</p>
+
+<ul>
+  <li>If you are designing a suite of apps that expose functionality to one
+  another, try to design the apps so that each permission is defined only once.
+  You must do this if the apps are not all signed with the same certificate.
+  Even if the apps are all signed with the same certificate, it's a
+  best practice to define each permission once only.
+  </li>
+
+  <li>If the functionality is only available to apps signed with the same
+  signature as the providing app, you may be able to avoid defining custom
+  permissions by using signature checks. When one of your apps makes a request
+  of another of your apps, the second app can verify that both apps are signed
+  with the same certificate before complying with the request.
+  </li>
+
+  <li>If you are developing a suite of apps runs only on your own
+  devices, you should develop and install a package that
+  manages permissions for all the apps in the suite. This package does not need
+  to provide any services itself. It just declares all the permissions, and the
+  other apps in the suite request those permissions with the <a href=
+  "{@docRoot}guide/topics/manifest/uses-permission-element.html"><code
+  >&lt;uses-permission&gt;</code></a>
+  element.
+  </li>
+</ul>
+
 <a name="manifest"></a>
 <h3>Enforcing Permissions in AndroidManifest.xml</h3>
 
-<p>High-level permissions restricting access to entire components of the
-system or application can be applied through your
-<code>AndroidManifest.xml</code>. All that this requires is including an {@link
+<p>TYou can apply high-level permissions restricting access to entire components
+of the system or application through your
+<code>AndroidManifest.xml</code>. To do this, include an {@link
 android.R.attr#permission android:permission} attribute on the desired
-component, naming the permission that will be used to control access to
+component, naming the permission that controls access to
 it.</p>
 
 <p><strong>{@link android.app.Activity}</strong> permissions

Meaning
"{@code normal}"	The default value. A lower-risk permission that gives requesting - applications access to isolated application-level features, with - minimal risk to other applications, the system, or the user. +	The default value. A lower-risk permission that gives requesting + applications access to isolated application-level features, with + minimal risk to other applications, the system, or the user. The system automatically grants this type of permission to a requesting application at installation, without asking for the user's explicit approval (though the user always @@ -109,11 +119,11 @@ The value can be set to one of the following strings: asking for the user's explicit approval.
"{@code signatureOrSystem}"	A permission that the system grants only to applications that are +	A permission that the system grants only to applications that are in the Android system image or that are signed with the same - certificate as the application that declared the permission. Please avoid using this - option, as the {@code signature} protection level should be sufficient - for most needs and works regardless of exactly where applications are + certificate as the application that declared the permission. Please avoid using this + option, as the {@code signature} protection level should be sufficient + for most needs and works regardless of exactly where applications are installed. The "{@code signatureOrSystem}" permission is used for certain special situations where multiple vendors have applications built into a system image and need diff --git a/docs/html/guide/topics/security/permissions.jd b/docs/html/guide/topics/security/permissions.jd index ecbe33ab4abbc..c6a12f66db9f0 100644 --- a/docs/html/guide/topics/security/permissions.jd +++ b/docs/html/guide/topics/security/permissions.jd @@ -18,6 +18,7 @@ page.tags=permissions Defining and Enforcing Permissions + Custom permission recommendations ...in AndroidManifest.xml ...when Sending Broadcasts Other Permission Enforcement @@ -540,17 +541,19 @@ to be as high as possible. You can see which permissions were added with each re Defining and Enforcing Permissions - To enforce your own permissions, you must first declare them in your -`AndroidManifest.xml` using one or more -`{@link android.R.styleable#AndroidManifestPermission <permission>}` -tags. + + To enforce your own permissions, you must first declare them in your + `AndroidManifest.xml` using one or more `<permission>` + elements. + For example, an application that wants to control who can start one of its activities could declare a permission for this operation as follows: <manifest xmlns:android="http://schemas.android.com/apk/res/android" - package="com.me.app.myapp" > - <permission android:name="com.me.app.myapp.permission.DEADLY_ACTIVITY" + package="com.example.myapp" > + <permission android:name="com.example.myapp.permission.DEADLY_ACTIVITY" android:label="@string/permlab_deadlyActivity" android:description="@string/permdesc_deadlyActivity" android:permissionGroup="android.permission-group.COST_MONEY" @@ -558,50 +561,65 @@ of its activities could declare a permission for this operation as follows: ... </manifest> + + Note: The system does not allow multiple packages to declare + a permission with the same name, unless all the packages are signed with the + same certificate. If a package declares a permission, the system does not permit + the user to install other packages with the same permission name, unless + those packages are signed with the same certificate as the first package. To + avoid naming collisions, we recommend using reverse-domain-style naming for custom + permissions, for example `com.example.myapp.ENGAGE_HYPERSPACE`. + + The {@link android.R.styleable#AndroidManifestPermission_protectionLevel -<protectionLevel>} attribute is required, telling the system how the +protectionLevel} attribute is required, telling the system how the user is to be informed of applications requiring the permission, or who is allowed to hold that permission, as described in the linked documentation. - The {@link android.R.styleable#AndroidManifestPermission_permissionGroup -<permissionGroup>} attribute is optional, and only used to help the system display -permissions to the user. You will usually want to set this to either a standard -system group (listed in {@link android.Manifest.permission_group -android.Manifest.permission_group}) or in more rare cases to one defined by -yourself. It is preferred to use an existing group, as this simplifies the -permission UI shown to the user. + + The `android:permissionGroup` + attribute is optional, and only used to help the system display permissions + to the user. In most cases you will want to set this to a standard system + group (listed in {@link android.Manifest.permission_group + android.Manifest.permission_group}), although you can define a group yourself. + It is preferable to use an existing group, as this simplifies the + permission UI shown to the user. + - Note that both a label and description should be supplied for the -permission. These are string resources that can be displayed to the user when + You need to supply both a label and description for the +permission. These are string resources that the user can see when they are viewing a list of permissions (`{@link android.R.styleable#AndroidManifestPermission_label android:label}`) or details on a single permission ( `{@link android.R.styleable#AndroidManifestPermission_description android:description}`). -The label should be short, a few words +The label should be short; a few words describing the key piece of functionality the permission is protecting. The -description should be a couple sentences describing what the permission allows -a holder to do. Our convention for the description is two sentences, the first -describing the permission, the second warning the user of what bad things -can happen if an application is granted the permission. +description should be a couple of sentences describing what the permission allows +a holder to do. Our convention is a two-sentence description: +the first sentence describes the permission, and the second sentence warns the +user of the type of things that can go wrong if an application is granted the +permission. Here is an example of a label and description for the CALL_PHONE permission: - <string name="permlab_callPhone">directly call phone numbers</string> - <string name="permdesc_callPhone">Allows the application to call - phone numbers without your intervention. Malicious applications may - cause unexpected calls on your phone bill. Note that this does not - allow the application to call emergency numbers.</string> +<string name="permlab_callPhone">directly call phone numbers</string> +<string name="permdesc_callPhone">Allows the application to call + phone numbers without your intervention. Malicious applications may + cause unexpected calls on your phone bill. Note that this does not + allow the application to call emergency numbers.</string> - You can look at the permissions currently defined in the system with the + You can view at the permissions currently defined in the system using the Settings app and the shell command `adb shell pm list permissions`. -To use the Settings app, go to Settings > Applications. Pick an app and +To use the Settings app, go to Settings > Applications. Pick an app and scroll down to see the permissions that the app uses. For developers, the adb '-s' option displays the permissions in a form similar to how the user will see them: - + $ adb shell pm list permissions -s All Permissions: @@ -615,14 +633,53 @@ Services that cost you money: send SMS messages, directly call phone numbers ... + + Custom permission recommendations + + + + Apps can define their own custom permissions and request custom permissions + from other apps by defining `<uses-permission>` elements. + However, you should carefully assess whether it is necessary for your app to + do so. + + + + If you are designing a suite of apps that expose functionality to one + another, try to design the apps so that each permission is defined only once. + You must do this if the apps are not all signed with the same certificate. + Even if the apps are all signed with the same certificate, it's a + best practice to define each permission once only. + + + If the functionality is only available to apps signed with the same + signature as the providing app, you may be able to avoid defining custom + permissions by using signature checks. When one of your apps makes a request + of another of your apps, the second app can verify that both apps are signed + with the same certificate before complying with the request. + + + If you are developing a suite of apps runs only on your own + devices, you should develop and install a package that + manages permissions for all the apps in the suite. This package does not need + to provide any services itself. It just declares all the permissions, and the + other apps in the suite request those permissions with the `<uses-permission>` + element. + + + Enforcing Permissions in AndroidManifest.xml - High-level permissions restricting access to entire components of the -system or application can be applied through your -`AndroidManifest.xml`. All that this requires is including an {@link + TYou can apply high-level permissions restricting access to entire components +of the system or application through your +`AndroidManifest.xml`. To do this, include an {@link android.R.attr#permission android:permission} attribute on the desired -component, naming the permission that will be used to control access to +component, naming the permission that controls access to it. {@link android.app.Activity} permissions