

AppOpsManager Class

Definition

App-ops are used for two purposes: Access control and tracking.

[Android.Runtime.Register("android/app/AppOpsManager", DoNotGenerateAcw=true)]
public class AppOpsManager : Java.Lang.Object
[<Android.Runtime.Register("android/app/AppOpsManager", DoNotGenerateAcw=true)>]
type AppOpsManager = class
    inherit Object
Inheritance
AppOpsManager
Attributes

Remarks

App-ops are used for two purposes: Access control and tracking.

App-ops cover a wide variety of functionality from helping with runtime permissions access control and tracking to battery consumption tracking.

Access control

App-ops can either be controlled for each uid or for each package. Which one is used depends on the API provider maintaining this app-op. For any security or privacy related app-op the provider needs to control the app-op per uid, as all security and privacy is based on uid in Android.

To control access, the app-op can be set to one of the following modes:

#MODE_DEFAULT: Default behavior, might differ from app-op to app-op.
#MODE_ALLOWED: Allow the access.
#MODE_IGNORED: Don't allow the access, i.e. don't perform the requested action or return no or placeholder data.
#MODE_ERRORED: Throw a SecurityException on access. This can be suppressed by using a ...noThrow method to check the mode.

API providers need to check the mode returned by #noteOp if they are allowing access to operations gated by the app-op. #unsafeCheckOp should be used to check the mode if no access is granted. E.g. this can be used for displaying app-op state in the UI or when checking the state before later calling #noteOp anyway.

If an operation refers to a time span (e.g. an audio-recording session) the API provider should use #startOp and #finishOp instead of #noteOp.

Runtime permissions and app-ops

Each platform defined runtime permission (besides background modifiers) has an associated app-op which is used for tracking but also to allow for silent failures. I.e. if the runtime permission is denied the caller gets a SecurityException, but if the permission is granted and the app-op is #MODE_IGNORED then the caller gets placeholder behavior, e.g. location callbacks would not happen.

App-op permissions

App-op permissions are platform defined permissions that can be overridden. By default (#MODE_DEFAULT), the security check for app-op permissions should check the permission grant state. If the app-op state is set to #MODE_ALLOWED or #MODE_IGNORED the app-op state should be checked instead of the permission grant state.

This functionality allows access to be granted by default to apps fulfilling the requirements for a certain permission level, while the behavior can still be overridden when needed.

Tracking

App-ops track many important events, including all accesses to runtime permission protected APIs. This is done by tracking when an app-op was noted (#noteOp) or started (#startOp). The tracked data can only be read by system components.

Only #noteOp/#startOp are tracked; #unsafeCheckOp is not tracked. Hence it is important to eventually call #noteOp or #startOp when providing access to protected operations or data.
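The provider-side flow described under "Access control" and "Runtime permissions and app-ops", together with the tracking rule above, as an added example that is not part of the original documentation. LocationGate, Decision, Authorize and ModeForSettingsUi are hypothetical names, and the sketch assumes the binding returns the AppOpsManagerMode enum from the NoThrow methods.

```csharp
using Android.App;
using Android.Content;
using Android.Content.PM;

// Hypothetical provider-side gate for location data. LocationGate, Decision,
// Authorize and ModeForSettingsUi are illustration names, not platform APIs.
public sealed class LocationGate
{
    public enum Decision { Deliver, Placeholder }

    const string Perm = Android.Manifest.Permission.AccessFineLocation;
    readonly Context context;
    readonly AppOpsManager appOps;

    public LocationGate(Context context)
    {
        this.context = context;
        appOps = (AppOpsManager)context.GetSystemService(Context.AppOpsService);
    }

    // Called while serving a request; uid/pid/package identify the caller.
    public Decision Authorize(int uid, int pid, string package, string attributionTag)
    {
        // Runtime permission denied: the caller gets a SecurityException.
        if (context.CheckPermission(Perm, pid, uid) != Permission.Granted)
            throw new Java.Lang.SecurityException(Perm + " not granted");

        // Access is about to be granted, so note the op (tracked) instead of
        // only checking it. The NoThrow variant returns Errored, not throws.
        var mode = appOps.NoteOpNoThrow(AppOpsManager.OpstrFineLocation,
                                        uid, package, attributionTag, "location read");
        switch (mode)
        {
            case AppOpsManagerMode.Allowed:
            case AppOpsManagerMode.Default: // default check = permission, passed above
                return Decision.Deliver;
            case AppOpsManagerMode.Errored:
                throw new Java.Lang.SecurityException("app-op denied for uid " + uid);
            default: // Ignored: fail silently, e.g. deliver no location callbacks
                return Decision.Placeholder;
        }
    }

    // Display only: not tracked, so never use this result to hand out data.
    public AppOpsManagerMode ModeForSettingsUi(int uid, string package) =>
        appOps.UnsafeCheckOpNoThrow(AppOpsManager.OpstrFineLocation, uid, package);
}
```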

Some apps forward access to other apps. E.g. an app might get the location from the system's location provider and then send the location on to a third app. In this case the app passing on the data needs to call #noteProxyOp to signal the access proxying. This might also make sense inside of a single app if the access is forwarded between two parts of the app tagged with different attribution tags.

An app can register an OnOpNotedCallback to get informed about what accesses the system is tracking for it. As each runtime permission has an associated app-op, this API is particularly useful for an app that wants to find unexpected private data accesses.
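An added sketch of such a callback, used to audit an app's own private data accesses; it is not code from the original documentation. AccessAudit, Report and Install are hypothetical names, and the member names on OnOpNotedCallback, SyncNotedAppOp and AsyncNotedAppOp are assumed to follow the Java API (onNoted, getOp, getAttributionTag, getMessage).

```csharp
using Android.App;
using Android.Content;
using Android.Util;

// Hypothetical auditing callback; AccessAudit, Report and Install are
// illustration names, not platform APIs.
public sealed class AccessAudit : AppOpsManager.OnOpNotedCallback
{
    const string Tag = "AccessAudit";

    // Access noted synchronously while this app was calling a protected API.
    public override void OnNoted(SyncNotedAppOp op) =>
        Report(op.Op, op.AttributionTag, "sync");

    // This app noted the op on itself.
    public override void OnSelfNoted(SyncNotedAppOp op) =>
        Report(op.Op, op.AttributionTag, "self");

    // Access delivered later, e.g. through a previously registered listener.
    public override void OnAsyncNoted(AsyncNotedAppOp op) =>
        Report(op.Op, op.AttributionTag, "async: " + op.Message);

    static void Report(string op, string attributionTag, string kind)
    {
        // For synchronous notes the stack trace points at the code path that
        // triggered the access, which is what exposes an unexpected one.
        var tag = attributionTag ?? "(default)";
        Log.Info(Tag, "op=" + op + " tag=" + tag + " kind=" + kind
                      + "\n" + System.Environment.StackTrace);
    }

    // Register once, early in process start, so no access goes unobserved.
    public static void Install(Context context)
    {
        var appOps = (AppOpsManager)context.GetSystemService(Context.AppOpsService);
        appOps.SetOnOpNotedCallback(context.MainExecutor, new AccessAudit());
    }
}
```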

Java documentation for android.app.AppOpsManager.

Portions of this page are modifications based on work created and shared by the Android Open Source Project and used according to terms described in the Creative Commons 2.5 Attribution License.

Constructors

AppOpsManager(IntPtr, JniHandleOwnership)

A constructor used when creating managed representations of JNI objects; called by the runtime.

Fields

ModeAllowed
Obsolete.

Result from #checkOp, #noteOp, #startOp: the given caller is allowed to perform the given operation.

ModeDefault
Obsolete.

Result from #checkOp, #noteOp, #startOp: the given caller should use its default security check.

ModeErrored
Obsolete.

Result from #checkOpNoThrow, #noteOpNoThrow, #startOpNoThrow: the given caller is not allowed to perform the given operation, and this attempt should cause it to have a fatal error, typically a SecurityException.

ModeForeground
Obsolete.

Special mode that means "allow only when app is in foreground."

ModeIgnored
Obsolete.

Result from #checkOp, #noteOp, #startOp: the given caller is not allowed to perform the given operation, and this attempt should silently fail (it should not cause the app to crash).

OpstrAddVoicemail

Required to access phone state related information.

OpstrAnswerPhoneCalls

Answer incoming phone calls

OpstrBodySensors

Access to body sensors such as heart rate, etc.

OpstrCallPhone

Allows an application to initiate a phone call.

OpstrCamera

Required to be able to access the camera device.

OpstrCoarseLocation

Access to coarse location information.

OpstrFineLocation

Access to fine location information.

OpstrGetUsageStats

Access to android.app.usage.UsageStatsManager.

OpstrMockLocation

Inject mock location into the system.

OpstrMonitorHighPowerLocation

Continually monitoring location data with a relatively high power request.

OpstrMonitorLocation

Continually monitoring location data.

OpstrPictureInPicture

Access to picture-in-picture.

OpstrProcessOutgoingCalls

Access APIs for diverting outgoing calls

OpstrReadCalendar

Allows an application to read the user's calendar data.

OpstrReadCallLog

Allows an application to read the user's call log.

OpstrReadCellBroadcasts

Read previously received cell broadcast messages.

OpstrReadContacts

Allows an application to read the user's contacts data.

OpstrReadExternalStorage

Read external storage.

OpstrReadPhoneNumbers
OpstrReadPhoneState

Required to access phone state related information.

OpstrReadSms

Allows an application to read SMS messages.

OpstrReceiveMms

Allows an application to receive MMS messages.

OpstrReceiveSms

Allows an application to receive SMS messages.

OpstrReceiveWapPush

Allows an application to receive WAP push messages.

OpstrRecordAudio

Required to be able to access the microphone device.

OpstrSendSms

Allows an application to send SMS messages.

OpstrSystemAlertWindow

Required to draw on top of other apps.

OpstrUseFingerprint

Use the fingerprint API.

OpstrUseSip

Access APIs for SIP calling over VOIP or WiFi

OpstrWriteCalendar

Allows an application to write to the user's calendar data.

OpstrWriteCallLog

Allows an application to write to the user's call log.

OpstrWriteContacts

Allows an application to write to the user's contacts data.

OpstrWriteExternalStorage

Write external storage.

OpstrWriteSettings

Required to write/modify/update system settings.

WatchForegroundChanges
Obsolete.

Flag for #startWatchingMode(String, String, int, OnOpChangedListener): Also get reports if the foreground state of an op's uid changes.

Properties

Class

Returns the runtime class of this Object.

(Inherited from Object)
Handle

The handle to the underlying Android instance.

(Inherited from Object)
JniIdentityHashCode (Inherited from Object)
JniPeerMembers
PeerReference (Inherited from Object)
ThresholdClass

This API supports the Mono for Android infrastructure and is not intended to be used directly from your code.

ThresholdType

This API supports the Mono for Android infrastructure and is not intended to be used directly from your code.

Methods

CheckOp(String, Int32, String)

This member is deprecated.

CheckOpNoThrow(String, Int32, String)

This member is deprecated.

CheckPackage(Int32, String)

This member is deprecated.

Clone()

Creates and returns a copy of this object.

(Inherited from Object)
Dispose() (Inherited from Object)
Dispose(Boolean) (Inherited from Object)
Equals(Object)

Indicates whether some other object is "equal to" this one.

(Inherited from Object)
FinishOp(String, Int32, String, String)

Report that an application is no longer performing an operation that had previously been started with #startOp(String, int, String, String, String).

FinishOp(String, Int32, String)

This member is deprecated.

FinishProxyOp(String, Int32, String, String)

Report that an application is no longer performing an operation that had previously been started with #startProxyOp(String, int, String, String, String).

GetHashCode()

Returns a hash code value for the object.

(Inherited from Object)
IsOpActive(String, Int32, String)

Checks whether the given op for a package is active, i.

JavaFinalize()

Called by the garbage collector on an object when garbage collection determines that there are no more references to the object.

(Inherited from Object)
NoteOp(String, Int32, String, String, String)

Make note of an application performing an operation and check if the application is allowed to perform it.

NoteOp(String, Int32, String)

This member is deprecated.

NoteOpNoThrow(String, Int32, String, String, String)

Like #noteOp(String, int, String, String, String) but instead of throwing a SecurityException it returns #MODE_ERRORED.

NoteOpNoThrow(String, Int32, String)

This member is deprecated.

NoteProxyOp(String, String, Int32, String, String)

Make note of an application performing an operation on behalf of another application when handling an IPC.

NoteProxyOp(String, String)

This member is deprecated.

NoteProxyOpNoThrow(String, String, Int32, String, String)

Like #noteProxyOp(String, String, int, String, String) but instead of throwing a SecurityException it returns #MODE_ERRORED.

NoteProxyOpNoThrow(String, String, Int32)

This member is deprecated.

NoteProxyOpNoThrow(String, String)

This member is deprecated.

Notify()

Wakes up a single thread that is waiting on this object's monitor.

(Inherited from Object)
NotifyAll()

Wakes up all threads that are waiting on this object's monitor.

(Inherited from Object)
PermissionToOp(String)

Gets the app-op name associated with a given permission.

SetHandle(IntPtr, JniHandleOwnership)

Sets the Handle property.

(Inherited from Object)
SetOnOpNotedCallback(IExecutor, AppOpsManager+OnOpNotedCallback)

Set a new OnOpNotedCallback.

StartOp(String, Int32, String, String, String)

Report that an application has started executing a long-running operation.

StartOp(String, Int32, String)

This member is deprecated.

StartOpNoThrow(String, Int32, String, String, String)

Like #startOp(String, int, String, String, String) but instead of throwing a SecurityException it returns #MODE_ERRORED.

StartOpNoThrow(String, Int32, String)

This member is deprecated.

StartProxyOp(String, Int32, String, String, String)

Report that an application has started executing a long-running operation on behalf of another application when handling an IPC.

StartProxyOpNoThrow(String, Int32, String, String, String)

Like #startProxyOp(String, int, String, String, String) but instead of throwing a SecurityException it returns #MODE_ERRORED.

StartWatchingActive(String[], IExecutor, AppOpsManager+IOnOpActiveChangedListener)
StartWatchingMode(String, String, AppOpsManager+IOnOpChangedListener)

Monitor for changes to the operating mode for the given op in the given app package.

StartWatchingMode(String, String, WatchForeground, AppOpsManager+IOnOpChangedListener)
StopWatchingActive(AppOpsManager+IOnOpActiveChangedListener)

Stop watching for changes to the active state of an app-op.

StopWatchingMode(AppOpsManager+IOnOpChangedListener)

Stop monitoring that was previously started with #startWatchingMode.

ToArray<T>() (Inherited from Object)
ToString()

Returns a string representation of the object.

(Inherited from Object)
UnregisterFromRuntime() (Inherited from Object)
UnsafeCheckOp(String, Int32, String)

Do a quick check for whether an application might be able to perform an operation.

UnsafeCheckOpNoThrow(String, Int32, String)

Like #checkOp but instead of throwing a SecurityException it returns #MODE_ERRORED.

UnsafeCheckOpRaw(String, Int32, String)

Like #checkOp but returns the raw mode associated with the op.

UnsafeCheckOpRawNoThrow(String, Int32, String)

Like #unsafeCheckOpNoThrow(String, int, String) but returns the raw mode associated with the op.

Wait()

Causes the current thread to wait until it is awakened, typically by being notified or interrupted.

(Inherited from Object)
Wait(Int64, Int32)

Causes the current thread to wait until it is awakened, typically by being notified or interrupted, or until a certain amount of real time has elapsed.

(Inherited from Object)
Wait(Int64)

Causes the current thread to wait until it is awakened, typically by being notified or interrupted, or until a certain amount of real time has elapsed.

(Inherited from Object)

Explicit Interface Implementations

IJavaPeerable.Disposed() (Inherited from Object)
IJavaPeerable.DisposeUnlessReferenced() (Inherited from Object)
IJavaPeerable.Finalized() (Inherited from Object)
IJavaPeerable.JniManagedPeerState (Inherited from Object)
IJavaPeerable.SetJniIdentityHashCode(Int32) (Inherited from Object)
IJavaPeerable.SetJniManagedPeerState(JniManagedPeerStates) (Inherited from Object)
IJavaPeerable.SetPeerReference(JniObjectReference) (Inherited from Object)

Extension Methods

JavaCast<TResult>(IJavaObject)

Performs an Android runtime-checked type conversion.

JavaCast<TResult>(IJavaObject)
GetJniTypeName(IJavaPeerable)

Gets the JNI name of the type of the instance self.

JavaAs<TResult>(IJavaPeerable)

Try to coerce self to type TResult, checking that the coercion is valid on the Java side.

TryJavaCast<TResult>(IJavaPeerable, TResult)

Try to coerce self to type TResult, checking that the coercion is valid on the Java side.
