Thursday, April 18, 2013

Android Security Simply Explained


From an application perspective, Android security is very simple. Here are the default security rules that apply when one application tries to access a component of another application, checked in order. By component, we mean a provider, service or receiver.
  1. If the calling app is root or system, grant access
  2. If the calling app has the same UID, grant access
  3. If the component is not exported, deny access
  4. If the component requires no permission, grant access
  5. If the component requires a permission, check that the calling app holds that permission
Some inferences from the above rules:
  1. If you don’t export your component, only apps with the same UID and system (or root) can access it
  2. It follows from (1) that you can protect your application component against anything but system (or root) merely by not exporting it
  3. If you export your component, the only way to protect it is by requiring a permission
  4. Permissions aren’t checked/needed if the component is being called by an application with the same sharedUserId declared in its manifest.
Keep in mind that the above rules are the default rules specified by the Android platform. You get them out of the box, just by configuring the manifest. However, an application developer may choose to programmatically enforce additional permission checks, or even programmatically reject anything that tries to bind to a component without having the same sharedUserId. This is particularly common among proprietary Google applications that don’t want system applications accessing some of their services.
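As an added example (not part of the original post), the script below applies the default rules to a manifest and reports who can reach each provider, service and receiver. The manifest and its `com.example.demo` names are constructed for illustration; as an assumption of this example, a component with no explicit `android:exported` attribute is flagged for manual review instead of being classified.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from a real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application>
    <service android:name=".SyncService" android:exported="false"/>
    <service android:name=".OpenService" android:exported="true"/>
    <receiver android:name=".GuardedReceiver" android:exported="true"
        android:permission="com.example.demo.permission.SEND"/>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.demo.notes"/>
  </application>
</manifest>"""

def audit(manifest_xml):
    """Map each component name to the callers the default rules let in.

    Root, system and same-UID callers pass rules 1-2 in every case,
    so the verdict describes what rules 3-5 decide for everyone else.
    """
    report = {}
    root = ET.fromstring(manifest_xml)
    for tag in ("provider", "service", "receiver"):
        for comp in root.iter(tag):
            name = comp.get(ANDROID + "name")
            exported = comp.get(ANDROID + "exported")
            permission = comp.get(ANDROID + "permission")
            if exported == "false":        # rule 3: deny everyone else
                verdict = "same UID, system or root only"
            elif exported == "true" and permission:  # rule 5
                verdict = "callers holding " + permission
            elif exported == "true":       # rule 4: nothing to check
                verdict = "ANY app (exported, no permission)"
            else:
                # Assumption of this example: no explicit attribute
                # means a human should look at the component.
                verdict = "review: android:exported not set"
            report[name] = verdict
    return report

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_MANIFEST).items():
        print(f"{name:18} {verdict}")
```
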
