Android system/app/ VS system/priv-app/

The system/priv app directory is mainly used to store system level applications customized by mobile phone manufacturers, such as phone app, settings app, systemui app, etc. these applications need system and permissions, but cannot be unloaded by users. This directory is a new partition in Android KitKat. Before KitKat, all apks in the system partition can use system permissions. This change enables mobile phone manufacturers to better control the access of bundled software to sensitive permissions. When mobile phone manufacturers customize some system software, the software also needs to add SELinux policy to priv app. Of course, there are other ways for applications to obtain system permissions. Add them to the Android manifest. XML file android:sharedUserId= “Android. Uid. Sysytem” and add a system signature to the APK. For example, Xiaomi mobile phone needs to add Xiaomi’s system permissions to the APK

In fact, from the perspective of security, Google doesn’t want the system/APP/applications that use WebView controls to have system permissions, such as chrome, which has always been a favorite attack point for hackers, so Google will check whether the applications that use WebView controls have system permissions in code power. Paste a code:

194    static WebViewFactoryProvider getProvider() {
195        synchronized (sProviderLock) {
196            // For now the main purpose of this function (and the factory abstraction) is to keep
197            // us honest and minimize usage of WebView internals when binding the proxy.
198            if (sProviderInstance != null) return sProviderInstance;
200            final int uid = android.os.Process.myUid();
201            if (uid == android.os.Process.ROOT_UID || uid == android.os.Process.SYSTEM_UID
202                    || uid == android.os.Process.PHONE_UID || uid == android.os.Process.NFC_UID
203                    || uid == android.os.Process.BLUETOOTH_UID) {
204                throw new UnsupportedOperationException(
205                        "For security reasons, WebView is not allowed in privileged processes");
206            }

Note that the processes marked in yellow have system privileges.
These are the special features of the system/priv-app/ partition.

Similar Posts: