Starting March 27, 2025, we recommend using android-latest-release instead of aosp-main to build and contribute to AOSP. For more information, see Changes to AOSP.
Stay organized with collections
Save and categorize content based on your preferences.
Platform signed apps are apps sharing the same (or compatible) signing
certificate with the platform package (android). A platform signed app can be
a system app (located on a system image partition), or a nonsystem app.
Platform signature permissions are permissions defined by the platform package
that also have the signature protection level. Debuggable builds are builds
whose android.os.Build.isDebuggable() return true, such as userdebug or
eng builds.
Historically, device manufacturers had little control over which platform
signature permissions could be granted to platform signed nonsystem apps.
Starting in Android 15, manufacturers can explicitly
grant platform signature permissions in the system configuration XML files in
the /etc/permissions directory. If a platform signed nonsystem app isn't
added to the allowlist for a platform signature permission, that permission acts
as if the app isn't platform signed on nondebuggable builds.
Add an allowlist
You can list permission allowlists for apps in a single XML file or in multiple
XML files located in the frameworks/base/etc/permissions directory:
No strict rule applies to how content is organized. Device implementers can
determine content structure as long as the appropriate apps and their
permissions are added to the allowlist.
Customize an allowlist
AOSP includes an allowlist implementation that you can customize as needed,
similar to the
privileged permission allowlist. For
example:
To find missing permissions, install your platform signed app and inspect device
logs for the following format of warning messages:
Signature permission {PERMISSION_NAME} for package {PACKAGE_NAME} ({PACKAGE_PATH}) not in signature permission allowlist
The system can still grant the permission on debuggable builds, but not on
nondebuggable builds such as user builds.
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2025-08-29 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Signature permission allowlist\n\nPlatform signed apps are apps sharing the same (or compatible) signing\ncertificate with the platform package (`android`). A platform signed app can be\na system app (located on a system image partition), or a nonsystem app.\nPlatform signature permissions are permissions defined by the platform package\nthat also have the `signature` protection level. Debuggable builds are builds\nwhose `android.os.Build.isDebuggable()` return `true`, such as `userdebug` or\n`eng` builds.\n| **Note:** On this page, `/etc/permissions` resolves to \u003cvar translate=\"no\"\u003epartition\u003c/var\u003e`/etc/permissions`.\n\nHistorically, device manufacturers had little control over which platform\n`signature` permissions could be granted to platform signed nonsystem apps.\nStarting in Android 15, manufacturers can explicitly\ngrant platform signature permissions in the system configuration XML files in\nthe `/etc/permissions` directory. If a platform signed nonsystem app isn't\nadded to the allowlist for a platform signature permission, that permission acts\nas if the app isn't platform signed on nondebuggable builds.\n| **Note:** The allowlist isn't enforced on debuggable builds to facilitate easier testing.\n| **Note:** platform signed system apps and their requested permissions aren't affected by this change, however permissions newly requested by a system app update (but not requested by the original system app) still need to be added to the allowlist.\n\nAdd an allowlist\n----------------\n\nYou can list permission allowlists for apps in a single XML file or in multiple\nXML files located in the `frameworks/base/etc/permissions` directory:\n\n- `/etc/permissions/signature-permissions-`\u003cvar translate=\"no\"\u003eOEM_NAME\u003c/var\u003e`.xml`\n- `/etc/permissions/signature-permissions-`\u003cvar translate=\"no\"\u003eDEVICE_NAME\u003c/var\u003e`.xml`\n\nNo strict rule applies to how content is organized. Device implementers can\ndetermine content structure as long as the appropriate apps and their\npermissions are added to the allowlist.\n\nCustomize an allowlist\n----------------------\n\nAOSP includes an allowlist implementation that you can customize as needed,\nsimilar to the\n[privileged permission allowlist](/docs/core/permissions/perms-allowlist). For\nexample: \n\n \u003c!--\n ~ This XML file declares which platform signature permissions to grant to\n ~ platform signed nonsystem apps.\n --\u003e\n\n \u003cpermissions\u003e\n \u003csignature-permissions package=\"com.android.example\"\u003e\n \u003cpermission name=\"android.permission.READ_DEVICE_CONFIG\"/\u003e\n ...\n \u003c/signature-permissions\u003e\n ...\n \u003c/permissions\u003e\n\nFind missing permissions\n------------------------\n\nTo find missing permissions, install your platform signed app and inspect device\nlogs for the following format of warning messages: \n\n Signature permission {PERMISSION_NAME} for package {PACKAGE_NAME} ({PACKAGE_PATH}) not in signature permission allowlist\n\nThe system can still grant the permission on debuggable builds, but not on\nnondebuggable builds such as `user` builds."]]
