I am new to Android and have a question regarding protection level "Signature" for permissions in AndroidManifest.xml.

The Android reference document states about "Signature" protection level:

A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.

This implies that permissions which have protection level "Signature" are not available to use by normal application and can only be used Android Dev Team.

What I am wondering about is that how many applications in Android Market or on other sites can have these permissions? Like an application which is used for recording calls has android.permission.DEVICE_POWER in addition to other permissions. Is Android system really granting this permission to this application while installation?

When I tried to use the permission "READ_INPUT_STATE" (new in 2.2) I got the following error in LogCat:

06-28 09:28:34.943: WARN/PackageManager(60): Not granting permission android.permission.READ_INPUT_STATE to package com.example.wheredoyoulive (protectionLevel=2 flags=0x8444)

The same is true for permissions with Protection Level "SignatureOrSystem". There exists a caller application which has CALL_PRIVILEGED permission in addition to other permissions.

Please help me and clear my doubts.

Regards

Abhishek

I believe the purpose of the "Signature" permission level is for two applications by the same developer to be able to share data seamlessly without bothering the user. The READ_INPUT_STATE permission is not intended to be used in applications:

Allows an application to retrieve the current state of keys and switches. This is only for use by the system.

See http://developer.android.com/reference/android/Manifest.permission.html#READ_INPUT_STATE

Facebook home uses this,

once you install it you'll notice that it doesn't request ANY permissions, but explicitly requires that the facebook app be installed, this is so that the system can grant it the necessary permissions by proxy of the Facebook app.

Typically what happens is the Facebook app with advertise facilities for other apps to read your status and news feed, normally these apps would need to explicitly request permission to use them if they are signed under a different certificate or rather private key.