Android Crash: Setting manifest.xml activity permissions(android:permission) crashing application on launch

[harishchopra86]

Our code scanner had reported a vulnerability with Android that when an activity is exported and no permissions are defined, then other mobile apps can interact with it and perform potential unauthorized actions. For instance, an exported content provider can expose sensitive data, if no permissions are defined, to other mobile apps. And recommended implementing restrictive permissions on exposed components.

To tackle this I added the below permission in manifest.xml: <permission android:name="xui.permission" android:description="@string/perm_desc_A_PERMISSION" android:label="@string/perm_label_A_PERMISSION" android:protectionLevel="normal"/>

And then added this to activity like this: <activity android:name="mobile.android.MainActivity" android:exported="true" android:permission="xui.permission"

However, after adding this permission my android application would not launch. It is throwing this error:

`This issue may be caused by:

• crash at startup (try tns debug android --debug-brk to check why it crashes)
• different application identifier in your package.json and in your gradle files (check your identifier in package.json and in all *.gradle files in your App_Resources directory)
• device is locked
• manual closing of the application

`

And if I remove permissions android:permission from activity declaration then it works fine. But we need to add permission to address this vulnerability.

Can you please advise with a possible resolution of this situation?

[NathanaelA]

I would highly recommend you re-read the Android manifest documentation on adding keys/permissions to the manifest file. If I had to "guess" at your issue. I would guess you totally messed something up with the above permissions line, or put it into the wrong place in the manifest. If you break the manifest then the build will fail to build with the error you are seeing. I'm also the author of the NS-permissions plugin and have written many plugins for NativeScript and I've personally never seen "xui.permission", so that might also be the error, if you are using the wrong permission, it can cause the manifest to be broken.

Finally, you can use --log trace to see the gradle results which can sometimes tell you exactly what it doesn't like about the permissions line. In addition, the code scanner probably has docs on how to fix any thing it thinks is an error.

---

Since this is not a actual issue with NativeScript, the Android runtime, or the building tools. I'm going to close the issue as there is actually nothing "we" can actually do to fix it.

This is definitely a support type issue and as such should be on Stack Overflow, or via a support issue if you are supporting NativeScript via the Support contract service.

[harishchopra86]

@NathanaelA Thanks for your response. In the above example I am declaring a permission named "xui.permission" with protection level android:protectionLevel="normal".

But the android application won't launch when I add this permission to the activity. I am doing this as advised by the code scanner and also declared here: https://developer.android.com/guide/topics/manifest/permission-element As per this link, we can add permissions to an activity to limit access to specific components applications. So adding permissions to activity should not stop it from launching.

[NathanaelA]

NativeScript does not make any changes to the Manifest building tools that Google supplies, we just call it the same way Android Studio would, as if you built a native app inside Android Studio, since we use the exact same tools.

As much as we would love to help everyone with every issue they have, this is something that is not actually related to NativeScript at all, so it isn't anything actionable by us. Github reports are primarily used for bug reports or new features, and as such most the community will not see this issue and/or comment on it.

So for you to get a answer to this, this would be much better asked on Stack Overflow (i.e. User to User support) or via a support request to nStudio (Professional support contracts and contracting) or via contracting with any developer or company that can research and/or provide you with the insight on how to do this properly in a Android application.