开发者

How to secure Intent data while sending it across applications

开发者 https://www.devze.com 2023-04-10 18:57 出处:网络
I am working on the security aspects of my android application. I would like to know about the ways to secure the Intent data and extras while sending it fr开发者_JAVA技巧om one application to anothe

I am working on the security aspects of my android application.

I would like to know about the ways to secure the Intent data and extras while sending it fr开发者_JAVA技巧om one application to another so that no other application other than these two can snoop it.

One of the brute-force approaches would be to use android's encryption-decryption to encode intent data, is there a better way to achieve the same ??

Thanks in advance.


As pointed in the other answers, although you can send an intent to a fully qualified activity, nothing prevents someone from creating an application with the same package.

You might want to add an additional security step to this scheme:

  • First send a 'Challenge' intent to the remote activity (it should, for example, encrypt a random string you provided using a shared passphrase and send it back to you).

  • If that first security step is ok, you may freely send unencrypted messages to this remote app by using its fully qualified activity.

This is rather lame security, but perhaps it's sufficient for your needs.


Please take a look at CommonsWare's comment below.

A more secure way might be to code your activity as a Bound Service, keeping the Challenge step, but by means of more private communication.


My guess is that if you use an explicit intent, i.e. specifying the class to which the intent is to be sent to, then no other class can intercept that intent and look at its data.
This method however, may fail if the class name in the application that you're trying to send the information to changes.


If an intent specifies the the target, which is part of the sender application's package, then other applications won't have the chance to capture it - it will be delivered to the intended receiver.

On the other hand, if you send an intent to another application, there is no guarantee that the receiver of the intent will have the implementation you expect: if you send your intent to com.mycompany.security.SecureReceiver, but instead of your application, another application is installed with the given class description, than you will send your intent to that application.

Also, Android is an open system. If someone compiles his own application framework, than he can manipulate the Intent delivery system.

Do you want to protect your data from the user, or from malicious applications?

0

精彩评论

暂无评论...
验证码 换一张
取 消