Create a secure ContentProvider (Custom) get SecurityException after adding knownSigner


I have 2 applications (with different signing keys), and I want to have a secure content provider between these 2 apps. I researched, and the conclusion was to use a permission like below:

<permission android:name="com.example.myapplication.READ_PERMISSION" android:protectionLevel="signature|knownSigner" android:knownCerts="@raw/known_certs" tools:targetApi="s" />

The content provider works if I write it like

<permission android:name="com.example.myapplication.READ_PERMISSION" />

But if I use knownSigner then I get the error below:

java.lang.SecurityException: Permission Denial: opening provider com.example.myapplication.CustomProvider from ProcessRecord{c4924bb 23886:package.name/u0a701} (pid=23886, uid=10701) requires com.example.myapplication.READ_PERMISSION or com.example.myapplication.READ_PERMISSION

And this is what known_certs.xml looks like:

<?xml version="1.0" encoding="utf-8"?>
<certificates>
    <certificate>
        <alias>androiddebugkey</alias>
        <sha1>SHA1 CODE</sha1>
    </certificate>
</certificates>
Masoud Kardani On BEST ANSWER

Solution:

I found the issue and fixed it:

  1. We don't need the known_certs.xml file
  2. We should use the SHA-256 hash
  3. The SHA-256 hash must not contain : between its characters
  4. We can have just one or multiple hash codes per permission

Single certificate:

<permission
    android:name="com.example.myapplication.READ_PERMISSION"
    android:protectionLevel="signature|knownSigner"
    android:knownCerts="SHA256 HASH"
    tools:targetApi="s"/>

Multiple certificates:

Create a string array inside strings.xml like:

<string-array name="known_certs">
    <item>HASHCODE1</item>
    <item>HASHCODE2</item>
</string-array>

then the permission will be:

<permission
    android:name="com.example.myapplication.READ_PERMISSION"
    android:protectionLevel="signature|knownSigner"
    android:knownCerts="@array/known_certs"
    tools:targetApi="s"/>
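
The following is an added example, not part of the original answer: a Python helper that produces values in the form the answer describes (SHA-256, hex, no colons), rejects a SHA-1 fingerprint like the one the question's known_certs.xml used, and renders the string-array resource. The function names are hypothetical, uppercase output is a choice made here to match keytool's style, and the sample bytes are constructed rather than a real certificate.

```python
import hashlib
import re

SHA256_HEX_LEN = 64  # 32-byte digest, hex-encoded
SHA1_HEX_LEN = 40    # 20-byte digest, hex-encoded


def normalize_digest(fingerprint: str) -> str:
    """Strip colons/whitespace from a fingerprint and check it is SHA-256."""
    digest = re.sub(r"[:\s]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError(f"not a hex digest: {fingerprint!r}")
    if len(digest) == SHA1_HEX_LEN:
        raise ValueError("SHA-1 fingerprint given; knownCerts needs SHA-256")
    if len(digest) != SHA256_HEX_LEN:
        raise ValueError(f"expected {SHA256_HEX_LEN} hex chars, got {len(digest)}")
    return digest


def digest_of_certificate(der_bytes: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, as colon-free hex."""
    return hashlib.sha256(der_bytes).hexdigest().upper()


def known_certs_resource(fingerprints, name: str = "known_certs") -> str:
    """Render the <string-array> from the answer; duplicates dropped, order kept."""
    digests = list(dict.fromkeys(normalize_digest(f) for f in fingerprints))
    items = "\n".join(f"    <item>{d}</item>" for d in digests)
    return f'<string-array name="{name}">\n{items}\n</string-array>'


if __name__ == "__main__":
    # Constructed stand-in bytes; in practice read the exported DER certificate.
    fake_der = b"constructed stand-in for a DER certificate"
    plain = digest_of_certificate(fake_der)
    # The same digest written with colons, as a fingerprint listing might show it.
    with_colons = ":".join(plain[i:i + 2] for i in range(0, len(plain), 2))
    print(known_certs_resource([with_colons, plain.lower()]))
    try:
        normalize_digest(":".join(["AB"] * 20))  # SHA-1 shaped input
    except ValueError as err:
        print("rejected:", err)
```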