How Can the Settings App Start an App's Non-Exported Activity?
I would guess there is nothing in the manifest that gives an app the permission to call exported activities. I believe the way it's accomplishing this is by setting LOCAL_PRIVILEGED_MODULE := true
in the Android.mk file for the Settings application. This flag will give an application system level permissions and place it in the system/priv-app/
directory during OS compile time.
If you look at frameworks/base/core/java/android/app/ActivityManager.java
for the method checkComponentPermission
you can see that if the UID is that of the SYSTEM, component permission is granted regardless of the exported setting.
While @Bobbake4's answer that the check is based on UID is correct,
If you look at frameworks/base/core/java/android/app/ActivityManager.java for the method checkComponentPermission you can see that if the UID is that of the SYSTEM, component permission is granted regardless of the exported setting.
I believe the first part about LOCAL_PRIVILEGED_MODULE
is irrelevant. The directory location doesn't control which UID Settings get, but instead that is set by the sharedUserId
in the manifest. As noted in the documentation, this only works if the app is signed using the same certificate as the platform.