bindDeviceAdminService requires service to be proected by BIND_DEVICE_ADMIN

     * See {@link #getBindDeviceAdminTargetUsers} for a definition of which

     * device/profile owners are allowed to bind to services of another profile/device owner.

     * <p>

     * The service must be unexported. Note that the {@link Context} used to obtain this

     * The service must be protected by {@link android.Manifest.permission#BIND_DEVICE_ADMIN}.

     * Note that the {@link Context} used to obtain this

     * {@link DevicePolicyManager} instance via {@link Context#getSystemService(Class)} will be used

     * to bind to the {@link android.app.Service}.

     *

package com.android.server.devicepolicy;

import static android.Manifest.permission.BIND_DEVICE_ADMIN;

import static android.Manifest.permission.MANAGE_CA_CERTIFICATES;

import static android.app.admin.DevicePolicyManager.CODE_ACCOUNTS_NOT_EMPTY;

import static android.app.admin.DevicePolicyManager.CODE_ADD_MANAGED_PROFILE_DISALLOWED;

        if (!expectedPackageName.equals(info.serviceInfo.packageName)) {

            throw new SecurityException("Only allow to bind service in " + expectedPackageName);

        }

        if (info.serviceInfo.exported) {

            throw new SecurityException("The service must be unexported");

        // STOPSHIP(b/37624960): Remove info.serviceInfo.exported before release.

        if (info.serviceInfo.exported && !BIND_DEVICE_ADMIN.equals(info.serviceInfo.permission)) {

            throw new SecurityException(

                    "Service must be protected by BIND_DEVICE_ADMIN permission");

        }

        // It is the system server to bind the service, it would be extremely dangerous if it

        // can be exploited to bind any service. Set the component explicitly to make sure we