
Security exceptions occur when attempting to install apps

Environment 

  • Knox SDK
  • Knox Platform for Enterprise (KPE)

Overview

On a Knox Workspace-enabled device, security exceptions are thrown when a UEM agent in the Workspace attempts to install apps on the personal side of the device.

The log sample below shows one of the exceptions:

09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: java.lang.SecurityException: Permission Denial: get/set setting for user asks to run as user 0 but is calling from user 13; this requires android.permission.INTERACT_ACROSS_USERS_FULL 
09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at com.android.server.am.UserController.handleIncomingUser(UserController.java:1717) 
09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at com.android.server.am.ActivityManagerService.handleIncomingUser(ActivityManagerService.java:24745) 
09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at android.app.ActivityManager.handleIncomingUser(ActivityManager.java:4801) 
09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at com.android.providers.settings.SettingsProvider.resolveCallingUserIdEnforcingPermissionsLocked(SettingsProvider.java:2115) 
09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at com.android.providers.settings.SettingsProvider.getSystemSetting(SettingsProvider.java:1587) 
09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at com.android.providers.settings.SettingsProvider.call(SettingsProvider.java:527) 
09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at android.content.ContentProvider$Transport.call(ContentProvider.java:403) 
09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at android.content.ContentProviderNative.onTransact(ContentProviderNative.java:272) 
09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at android.os.Binder.execTransact(Binder.java:739) 
09-05 10:35:59.241 1310013 5455 5611 D EmergencyMode: [EmergencyManager] getIntForUser failed e java.lang.SecurityException: Permission Denial: get/set setting for user asks to run as user 0 but is calling from user 13; this requires android.permission.INTERACT_ACROSS_USERS_FULL

A second exception occurs when calling addPackageToApprovedInstallerWhitelist():

09-05 10:36:40.077 1000 4855 4883 D ApplicationPolicy: isApplicationInstalled : pkgName = com.samsung.knox.example.container in user 13 - true 
09-05 10:36:40.078 1000 4855 4883 I ApplicationPolicy: addPackageToApprovedInstallerWhiteList com.samsung.knox.example.container 
09-05 10:36:40.078 1000 4855 4883 D ApplicationPolicy: addPackageToList: Enforcing DOPO permission 10200, 13 
09-05 10:36:40.085 1000 4216 4216 W keymaster2_mdfpp: entered get_key_characteristics function. 
09-05 10:36:40.086 10200 4131 4131 W System.err: java.lang.SecurityException: caller is not DO or PO or KPU: 10200

Cause

The logs above show that the method asks to run as user 0 (personal side) but is called from user 13 (Workspace). The exceptions occur because the app, installed in the UEM agent in the Workspace, is interacting with data on the device's personal side without the correct permissions.
The UEM agent requires the android.permission.INTERACT_ACROSS_USERS_FULL permission to install apps across profiles to the personal space.
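
To confirm this cause in your own capture, the following Python script is an added example (not part of the Knox SDK or its documentation) that scans logcat lines in the format shown above and reports each distinct denial once, with the target user, calling user and required permission. The function names and output fields are illustrative assumptions; the uid split relies on Android's convention of 100000 uids per user.

```python
import re

# Line layout used by the logs on this page: date time uid pid tid level tag: message
LINE = re.compile(
    r"^(\d\d-\d\d) (\d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]+):\s(.*)$")
CROSS_USER = re.compile(r"asks to run as user (-?\d+) but is calling from user (\d+); "
                        r"this requires (android\.permission\.\w+)")
NOT_OWNER = re.compile(r"caller is not DO or PO or KPU: (\d+)")
PER_USER_RANGE = 100000  # Android: uid = userId * 100000 + appId

def split_uid(uid):
    """Return (userId, appId) for a Linux uid on a multi-user Android device."""
    return divmod(uid, PER_USER_RANGE)

def triage(lines):
    """Return one finding per distinct denial; stack-trace and repeat lines are skipped."""
    findings, seen = [], set()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        uid, tag, msg = int(m.group(3)), m.group(7).strip(), m.group(8)
        cu, no = CROSS_USER.search(msg), NOT_OWNER.search(msg)
        if cu:
            f = {"kind": "cross_user", "target_user": int(cu.group(1)),
                 "calling_user": int(cu.group(2)), "permission": cu.group(3)}
        elif no:
            f = {"kind": "not_owner", "caller_uid": int(no.group(1))}
        else:
            continue
        key = tuple(sorted(f.items()))
        if key not in seen:  # the same denial is often logged by several tags
            seen.add(key)
            f["logged_by"] = dict(zip(("user", "app_id"), split_uid(uid)), tag=tag)
            findings.append(f)
    return findings

# Sample input: lines copied from the log excerpts on this page.
SAMPLE = [
    "09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: java.lang.SecurityException: Permission Denial: get/set setting for user asks to run as user 0 but is calling from user 13; this requires android.permission.INTERACT_ACROSS_USERS_FULL",
    "09-05 10:35:59.240 1000 4855 19709 E DatabaseUtils: at android.os.Binder.execTransact(Binder.java:739)",
    "09-05 10:35:59.241 1310013 5455 5611 D EmergencyMode: [EmergencyManager] getIntForUser failed e java.lang.SecurityException: Permission Denial: get/set setting for user asks to run as user 0 but is calling from user 13; this requires android.permission.INTERACT_ACROSS_USERS_FULL",
    "09-05 10:36:40.086 10200 4131 4131 W System.err: java.lang.SecurityException: caller is not DO or PO or KPU: 10200",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A "cross_user" finding whose calling user is the Workspace and whose target user is 0 matches the situation described in this article.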

Resolution

With the Knox SDK, you can use the TYPE_APPROVED_APP_INSTALLER constant to grant your app the android.permission.INTERACT_ACROSS_USERS_FULL permission and add it as an approved package installer. This constant can only be used in the profile where the client administrator is installed. 
NOTE—You must have a KPE Premium license to use TYPE_APPROVED_APP_INSTALLER. 

Additional information

To learn more about TYPE_APPROVED_APP_INSTALLER, see the Knox SDK developer documentation.