Can someone please help me understand the following CDD requirement:
MUST NOT grant any runtime permissions to preinstalled apps unless:
- the user's consent can be obtained before the application uses it
- the runtime permissions are associated with an intent pattern for which the preinstalled application is set as the default handler
I have two questions:
Pre-installed apps are installed in either the /system/app or the /system/priv-app folder. AFAIK, APKs that fall under these two folders automatically get all permissions they claim in their manifest. Please correct me if I am wrong. But in M, are they trying to say that even if an app is a pre-installed system app, a user should be prompted at runtime before the app can be granted this permission?
What is an "intent pattern"? Is it the same as the Dialer app having permission to make phone calls?
It may be kind of late for an answer, but both of your assumptions are correct.
Pre-installed apps that are installed under /system/app or /system/priv-app will be granted all permissions they declared in the AndroidManifest.xml file. But for devices with Android 6.0 Marshmallow, Google wants two things:
These are required for pre-installed apps to be CDD/CTS compliant.
The only exception to the above is if the user sets that application to be the default for a specific action (default handler for an intent pattern):
the runtime permissions are associated with an intent pattern for which the preinstalled application is set as the default handler
For instance, if you set Google Calendar to be the default handler for Calendar events, you’re giving it permission to access your Calendar.
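As an added example (not part of the original question or answer), this Python helper lists, for packages installed under /system/app or /system/priv-app, the runtime permissions marked as granted by default, so each one can be checked against the default-handler exception. The sample input is constructed, and the `dumpsys package` layout and the `GRANTED_BY_DEFAULT` flag name are assumptions based on Android 6.0 output.

```python
import re

# Constructed sample shaped like `adb shell dumpsys package` output; the layout and
# flag names are assumed from Android 6.0 builds and simplified.
SAMPLE = """\
Packages:
  Package [com.example.dialer] (1a2b3c):
    codePath=/system/priv-app/ExampleDialer
    User 0: installed=true
      runtime permissions:
        android.permission.CALL_PHONE: granted=true, flags=[ GRANTED_BY_DEFAULT ]
        android.permission.READ_CONTACTS: granted=false
  Package [com.example.weather] (4d5e6f):
    codePath=/system/app/ExampleWeather
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.READ_CALENDAR: granted=true
  Package [com.example.game] (7a8b9c):
    codePath=/data/app/com.example.game-1
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true
"""

PKG = re.compile(r"^\s*Package \[([^\]]+)\]")
PATH = re.compile(r"^\s*codePath=(\S+)")
PERM = re.compile(r"^\s*([\w.]+): granted=(true|false)(?:, flags=\[([^\]]*)\])?")

def pregranted(dump):
    """Map preinstalled package -> runtime permissions granted by default."""
    result, pkg, preinstalled, in_runtime = {}, None, False, False
    for line in dump.splitlines():
        if m := PKG.match(line):
            pkg, preinstalled, in_runtime = m.group(1), False, False
        elif m := PATH.match(line):
            preinstalled = m.group(1).startswith(("/system/app/", "/system/priv-app/"))
        elif line.strip() == "runtime permissions:":
            in_runtime = True
        elif in_runtime and (m := PERM.match(line)):
            flags = (m.group(3) or "").split()
            if preinstalled and m.group(2) == "true" and "GRANTED_BY_DEFAULT" in flags:
                result.setdefault(pkg, []).append(m.group(1))
        elif in_runtime:
            in_runtime = False  # any other line ends the permission list
    return result

if __name__ == "__main__":
    print(pregranted(SAMPLE))
```

Permissions that are granted without the default-grant flag, such as `READ_CALENDAR` in the sample, are left out because the dump gives no sign they were granted without the user.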