android:permission is used to set a single permission for both reading and writing data from a content provider. In regard to the
Principle of Least Privilege, client applications that consume the content provider should only have the necessary privileges to complete their tasks.
As android:permission grants both read and write access, it prevents client applications from applying this principle. In practice, it
means client applications that require read-only access will have to ask for more privileges than what they need: the content provider will always
grant read and write together.
There is a risk if you answered yes to this question.
android:permission attribute alone. Instead android:readPermission and
android:writePermission attributes to define separate read and write permissions. android:readPermission and android:writePermission attributes. <provider android:authorities="com.example.app.Provider" android:name="com.example.app.Provider" android:permission="com.example.app.PERMISSION" <!-- Sensitive --> android:exported="true"/>
<provider android:authorities="com.example.app.Provider" android:name="com.example.app.Provider" android:readPermission="com.example.app.PERMISSION" <!-- Sensitive --> android:writePermission="com.example.app.PERMISSION" <!-- Sensitive --> android:exported="true"/>
<provider android:authorities="com.example.app.MyProvider" android:name="com.example.app.MyProvider" android:readPermission="com.example.app.READ_PERMISSION" android:writePermission="com.example.app.WRITE_PERMISSION" android:exported="true"/>