使用 PLATFORM 密钥签名的 Android APK 未获得系统权限？

Question

I have access to an Android tablets' platform key and certificate. I'm attempting to build an app and install it with system level privileges by doing the following:

1. Create a Java KeyStore file with platform.pk8 and platform.x509.pem using the bash script called platform_import_keystore found on GitHub.

2. In AndroidManifex.xml add the following:

   <uses-permission android:name="android.permission.READ_LOGS"/> android:sharedUserId="android.uid.system"

3. Sign APK with PLATFORM key and certificate using a Java KeyStore file in Android Studio.

4. Install APK

When the app runs, the system denies READ_LOGS permission. Why isn't my app running with system level permissions?

Answer 1

What @Mark mentions is correct to some extent, for system apps. I think you are doing something else wrong. I have tried this with system apps as well, and as long it was signed with the platform keystore, it works. Now this was on Android 8 and Android 9. You haven't mentioned the AOSP version running the device.

That changes things AFAIK, so if it's AOSP 10+, it might behave differently.

Also the other comments are missing another key thing SELinux. SELinux is not permissive for user builds. Verity is enabled, and you cannot have root access. So you cannot push the app into /system/priv-app/ or push it into /vendor/app/ . You cannot access system resources without proper SE Policy files. You can check the logs yourself, to see avc denied messages.

I think overall what you are seeing should be inline with AOSP's security ideals. An app signed with System keys should not be able to get system permissions. It also needs to be located in the correct place, either as a privileged app or vendor app. Such apps need to be whitelisted. There's a built in script in AOSP source to even generate the permissions for whitelisting (it produces the required xml)

There's two classes of system apps, /system/app/ and /system/priv-app/ The privileged apps are the only ones that get signature level permissions, and according to newer versions of android, you need to enable whitelisting in the /system/etc/priv_app-permissions_device_name .

If you make any changes to the system or vendor when verity is enabled, firstly they are mounted read only, but somehow if you do make a change, the device will brick itself. This is the security feature. All custom development needs to be done in userdebug builds with SELinux in permissive mode, and then all the permissions need to be predefined, SE Policies fine tuned to utmost minimal, only then the user build can function normally. User build is not at all suitable for AOSP development activities, even if it's just for testing or trying out a single app.

User build is production type build that the end user can use and is not for development. It's the most secure form of android, so if you have platform keys, it may never be enough.

All that being said, I'm sure you don't have the right keys. Just pull an app from system/priv-app/ and use keytool or similar to check it's signature, and then try to match with your release apk.

It's little complicated as it is, and kind of hard to explain and there are levels of permissions also in android, so if you aren't following a specific approach/path, you will not be able to get it to work.