Simple huristic based Android api to permission mapping extractor. (incomplete but accurate)
Research results like PScout are more complete but imprecise and problematic. For security checkers like Android capability leak, those result are not able to be used in the practical.
This inspires me to do the simple huristic python script, and results are surprisingly good.
If you find any new case not covered by the script please let me know, or feel free to pull-request your code.
AOSP have following ways to describe the permission needed for an API:
- Annotation @RequiresPermission:
@RequiresPermission( allOf ={Manifest.permission.INTERACT_ACROSS_USERS_FULL, Manifest.permission.MANAGE_USERS }) public@NullableStringgetUserAccount(@UserIdIntintuserHandle){try{returnmService.getUserAccount(userHandle)} catch (RemoteExceptionre){throwre.rethrowFromSystemServer()} }This tells us the getUserAccount API need INTERACT_ACROSS_USERS_FULL and (&) MANAGE_USERS permission. Other variaties are, anyOf means or (|), single permission.
- JavaDoc
{@link android.Manifest.permission#XXX}:
/** * Returns list of the profiles of userHandle including * userHandle itself. * Note that this returns both enabled and not enabled profiles. See *{@link #getEnabledProfiles(int)} if you need only the enabled ones. * * Requires{@link android.Manifest.permission#MANAGE_USERS} permission. * @param userHandle profiles of this user will be returned. * @return the list of profiles. * @hide */publicList<UserInfo> getProfiles(@UserIdIntintuserHandle){try{returnmService.getProfiles(userHandle, false/* enabledOnly */)} catch (RemoteExceptionre){throwre.rethrowFromSystemServer()} }This tells us getProfiles API need MANAGE_USERS permission.
Regex based python script:
- Build permission short name to full name mapping via parse
android/Manifest.java:
publicstaticfinaljava.lang.StringACCESS_CHECKIN_PROPERTIES = "android.permission.ACCESS_CHECKIN_PROPERTIES";Generate: ACCESS_CHECKIN_PROPERTIES -> android.permission.ACCESS_CHECKIN_PROPERTIES
- Walkthrough each .java file under base directory:
- a. Extract package name (e.g.
android.os) and class name (e.g.UserManager). - b. Apply
Observation 1 and 2to find method name to permission mappings (e.g.getProfiles -> MANAGE_USERS). - c. Find full name for permission (e.g.
MANAGE_USERStoandroid.permission.MANAGE_USERS). - d. Build record (e.g.
android.os.UserManager getProfiles android.permission.MANAGE_USERS).
android.permission.MANAGE_USERS means it only requires one permission.
android.permission.INTERACT_ACROSS_USERS_FULL|android.permission.MANAGE_USERS means need any of those permissions.
android.permission.INTERACT_ACROSS_USERS_FULL&android.permission.MANAGE_USERS means need all of those permissions.
$ python extract_permission_mapping.py <base_dir>