Private Content Provider shared among my apps only

Question

I've googled enough, but couldn't find this case. I want to write a custom Content Provider that is shared/accessible to only specific apps.

I've this scenario:

• Have multiple apps on Google Play. Say A, B and C.
• Want to write a Content Provider, say Z that could only be accessed by A, B and C. I'm thinking to publish Content Provider 'Z' as its own apk.
• When Z is installed on device; A, B and C can access Z. If Z is not installed, then first app will direct to Google Play to install Z.

Now my question is:

Is it possible at all to write such Content Provider at all, which is only shared among specific apps? android:exported="false" makes it inaccessible by any other external app. android:grantUriPermissions="true" doesn't work when android:exported is set to false, and setting android:exported to true makes it public accessible.

Please feel free to share other solutions too, if they seem more appropriate to my requirements of sharing info among multiple apps.

Answer 1

android:grantUriPermissions="true" doesn't work when android:exported is set to false

Yes, it does.

However, android:grantUriPermissions may not be relevant for your use case, particularly if Z is its own standalone app. Z would have to be the one calling into A/B/C using an Intent with the FLAG_GRANT* flag, and I am guessing that this would not fit your plan.

If, as I suspect, A/B/C need to access Z independently of Z telling them that it can be accessed and granting the Uri-specific permissions, the standard approach would be to use a custom signature-level <permission>. You would then defend export the provider and defend it with that permission using android:permission in the <provider>. The theory is that only your app suite can hold that permission, because only your app suite will be signed by that signing key and therefore have a signature match.

(I say "in theory" because there are issues with this approach)