signature protection level - clarifying [duplicate]

Question

This question already has answers here:

Regarding Android Permissions and Signature Protection level (2 answers)

Closed 8 years ago.

As I am new to Android, I wanted to ask something which is not clear enough to me. I read the API guide about the permissions as a lot more Q&A considering this topic, still, I am not sure if I understand it correctly. So, signature protection level is:

A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.

Does this mean that I am not able to use any permission with 'signature' protection level, so all permissions defined in the Android's API and having such protection level are unavailable to anyone, apart the team which is developing it?

Answer 1

Does this mean that I am not able to use any permission with 'signature' protection level, so all permissions defined in the Android's API and having such protection level are unavailable to anyone, apart the team which is developing it?

Generally speaking, yes.

More specifically, a signature-level permission means that the app defending itself with that permission (e.g., via android:permission attributes) and the app trying to talk to the first app that needs the permission (<uses-permission> element) must be signed by the same signing key.

If the app defending itself is part of the device firmware, or is the OS itself, only apps signed by the same signing key as that firmware can talk to the defending app by holding the permission.

However, if you write App A that defends itself with a signature-level permission (e.g., a custom one), and you write App B that wants to talk to the defended portions of App A, you can do so, if you are signing App A and App B with the same signing key.