Starting March 27, 2025, we recommend using android-latest-release instead of aosp-main to build and contribute to AOSP. For more information, see Changes to AOSP.

Signature permission allowlist

Platform signed apps are apps sharing the same (or compatible) signing certificate with the platform package (android). A platform signed app can be a system app (located on a system image partition), or a nonsystem app. Platform signature permissions are permissions defined by the platform package that also have the signature protection level. Debuggable builds are builds whose android.os.Build.isDebuggable() return true, such as userdebug or eng builds.

Historically, device manufacturers had little control over which platform signature permissions could be granted to platform signed nonsystem apps. Starting in Android 15, manufacturers can explicitly grant platform signature permissions in the system configuration XML files in the /etc/permissions directory. If a platform signed nonsystem app isn't added to the allowlist for a platform signature permission, that permission acts as if the app isn't platform signed on nondebuggable builds.

Add an allowlist

You can list permission allowlists for apps in a single XML file or in multiple XML files located in the /etc/permissions directory:

  • /etc/permissions/signature-permissions-OEM_NAME.xml
  • /etc/permissions/signature-permissions-DEVICE_NAME.xml

No strict rule applies to how content is organized. Device implementers can determine content structure as long as the appropriate apps and their permissions are added to the allowlist.

Customize an allowlist

AOSP includes an allowlist implementation that you can customize as needed, similar to the privileged permission allowlist. For example:

<!--
~ThisXMLfiledeclareswhichplatformsignaturepermissionstograntto
~platformsignednonsystemapps.
-->
<permissions>
<signature-permissionspackage="com.android.example">
<permissionname="android.permission.READ_DEVICE_CONFIG"/>
...
</signature-permissions>
...
</permissions>

Find missing permissions

To find missing permissions, install your platform signed app and inspect device logs for the following format of warning messages:

Signature permission {PERMISSION_NAME} for package {PACKAGE_NAME} ({PACKAGE_PATH}) not in signature permission allowlist

The system can still grant the permission on debuggable builds, but not on nondebuggable builds such as user builds.

Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.

Last updated 2025年12月02日 UTC.