RoLAN210 RoLAN210 - 22 days ago 11
Android Question

How to only allow my companion watch app to connect to my wearable listener service on handheld?

I want to ensure my WearableListenerService running on my handheld is only accessible by my companion app. I would think that creating a custom permission would be the route to take; however, I faced issues with this approach and could not get the wearable to successfully bind to the handheld. I would get the following exception on my handheld:

Permission Denial: Accessing service ComponentInfo{com.mypackage.android/com.mypackage.android.androidwear.service.WearListenerService} from pid=4868, uid=10014 requires com.mypackage.android.WATCHAPP
WearableService: bind: Permission denied connecting to ServiceRecord[com.mypackage.android.androidwear.service.WearListenerService, events=1, bound=false, [Event[79380002: onMessageReceived, event=requestId=16741, action=/start-activity, dataSize=26, source=31c5457d]]]
java.lang.SecurityException: Not allowed to bind to service Intent { act=com.google.android.gms.wearable.BIND_LISTENER cmp=com.mypackage.android/.androidwear.service.WearListenerService }
at android.app.ContextImpl.bindServiceCommon(ContextImpl.java:1437)
at android.app.ContextImpl.bindService(ContextImpl.java:1395)
at android.content.ContextWrapper.bindService(ContextWrapper.java:632)
at android.content.ContextWrapper.bindService(ContextWrapper.java:632)
at android.content.ContextWrapper.bindService(ContextWrapper.java:632)
at aeim.a(:com.google.android.gms:6693)
at aeim.a(:com.google.android.gms:1378)
at aeim.handleMessage(:com.google.android.gms:1295)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:158)
at android.os.HandlerThread.run(HandlerThread.java:61)


I have tried defining a custom permission in a number of ways, initially in only the handheld manifest and then in both manifests, as well as trying different protection levels: normal, signature, signatureOrSystem. I even verified that the permission was successfully granted to my wearable by running the dumpsys command:

declared permissions:
com.mypackage.android.WATCHAPP: prot=normal, INSTALLED
requested permissions:
android.permission.WAKE_LOCK
com.mypackage.android.WATCHAPP
install permissions:
com.mypackage.android.WATCHAPP: granted=true
android.permission.WAKE_LOCK: granted=true


I have applied a data filter to my service; however, I would like to enforce that only MY app can launch my service, and the filter approach doesn't seem sufficient.

Answer

Your watch app and handheld app never directly talk to one another. All of the Data Layer APIs go through Google Play services (the com.google.android.gms lines of your exception) - first on the Wear side, then on the handheld side.

Given that, it is not possible to add a custom permission that secures the communication over the Data Layer (as the Google Play services app will never add your custom permission).
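
As an added illustration (not part of the original question or answer), the handheld manifest fragment below contrasts a service declaration that would produce the Permission Denial in the log with one that Google Play services can bind to. The "before" block is a reconstruction from the log, not the poster's actual manifest, and the MESSAGE_RECEIVED action with a wear-scheme data filter on /start-activity is an assumption about the filter in use.

```xml
<!-- Added example: handheld AndroidManifest.xml fragment, inside <application>.
     Package, service and permission names are taken from the log above. -->

<!-- Before (reconstructed assumption): the bind is performed by Google Play
     services (the com.google.android.gms frames in the stack trace), which
     does not hold com.mypackage.android.WATCHAPP, so the bind is refused
     no matter which protection level the permission declares. -->
<service
    android:name=".androidwear.service.WearListenerService"
    android:exported="true"
    android:permission="com.mypackage.android.WATCHAPP">
    <intent-filter>
        <action android:name="com.google.android.gms.wearable.BIND_LISTENER" />
    </intent-filter>
</service>

<!-- After: no custom permission, so Google Play services can bind.
     The data filter only limits which Data Layer events start the service
     (here, messages whose path begins with /start-activity); it is a
     routing filter and does not authenticate the sender. -->
<service
    android:name=".androidwear.service.WearListenerService"
    android:exported="true">
    <intent-filter>
        <action android:name="com.google.android.gms.wearable.MESSAGE_RECEIVED" />
        <data
            android:scheme="wear"
            android:host="*"
            android:pathPrefix="/start-activity" />
    </intent-filter>
</service>
```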
