I have a simple application that runs a webview and I want it to be launchable by other applications sending a few parameters that I will include in the URL string.
To accomplish this, I created a new intent-filter on the main activity to go with the main/launcher intent-filter like so:
<intent-filter>
<action android:name="com.mycompany.myapp.intents.START_APP" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
So far so good, however, there's a twist. I'd like to protect this activity from being run by anyone - I only want it to be run by other applications with the same signature that define a custom permission. To do that, I created a custom permission for the application like so:
<permission
android:name="com.mycompany.myapp.mycustompermission"
android:protectionLevel="signature" />
and in the activity I added:
android:permission="com.mycompany.myapp.mycustompermission"
This resulted in the following error in upon installation from APK and launching from the installer:
E/AndroidRuntime(6702): java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 pkg=com.mycompany.myapp cmp=com.mycompany.myapp/.myActivity } from ProcessRecord{41517d20 6702:com.android.packageinstaller/u0a56} (pid=6702, uid=10056) requires com.mycompany.myapp.mycustompermission
And a message on the screen saying:
Unfortunately, Package installer has stopped
My guess is that this is because the activity that launches the application from an intent can't be the main activity but rather has to be a separate activity but I couldn't find anything that proves that online.
My questions is - do you know this to be true - should I never put a custom signature level permission on the main (launchable) activity of the application?
