
Android AIDL security

Tags:

android

aidl

Is there any security provided when an application calls a remote service using AIDL? Or is it simply like a malicious application could read the data?

user567879 asked Sep 06 '12 05:09


2 Answers

On Android, one process cannot normally access the memory of another process.

When you bind to applications with an AIDL interface, the system will establish a connection between those processes. Therefore, only those two applications can read the information that is shared via the AIDL interface.

If you want to be sure, you should make an extra check in the onBind(Intent intent), to make sure it's your own application that is connecting.

Tip: read the first part of this page: http://developer.android.com/guide/components/aidl.html

Ion Aalbers answered Sep 29 '22 12:09


You could always filter in your methods to restrict the packages that are allowed. Throw a SecurityException if the package does not have permission.

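    import android.os.Binder;
    import com.google.common.collect.Lists; // Guava
    import java.util.Collection;

    // Inside each AIDL method implementation:
    Collection<String> callingPackages = getCallingPackages();

    // Reject the call when the caller's packages are unknown or not the expected one.
    if (callingPackages == null || !callingPackages.contains("yourpackagename")) {
        throw new SecurityException("Calling package is not allowed");
    }

And getCallingPackages:

    private Collection<String> getCallingPackages() {
        // UID of the process that sent the Binder transaction being handled.
        int caller = Binder.getCallingUid();
        if (caller == 0) {
            return null;
        }
        // getPackagesForUid() returns null when no package is known for the UID.
        String[] packages = mContext.getPackageManager().getPackagesForUid(caller);
        return packages == null ? null : Lists.newArrayList(packages);
    }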
nandeesh answered Sep 29 '22 12:09
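
One way to carry out the caller check that both answers describe, as an added example that is not part of either answer. It runs the check inside the AIDL method, where Binder.getCallingUid() reports the UID of the calling process, and it compares signing certificates in addition to package names. SecretService, the AIDL interface ISecretService, its readSecret() method and the package name com.example.client are hypothetical.

```java
// Added example. Assumed AIDL file (hypothetical):
//   interface ISecretService { String readSecret(); }
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Process;

public class SecretService extends Service {
    // Hypothetical allow-list of client packages.
    private static final String[] ALLOWED_PACKAGES = {"com.example.client"};

    private final ISecretService.Stub binder = new ISecretService.Stub() {
        @Override
        public String readSecret() {
            // Checked on every call, while the Binder transaction is being handled.
            enforceTrustedCaller();
            return "secret";
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    private void enforceTrustedCaller() {
        int callerUid = Binder.getCallingUid();
        if (callerUid == Process.myUid()) {
            return; // call from this app itself
        }
        PackageManager pm = getPackageManager();
        // The caller must be signed with the same certificate as this app.
        if (pm.checkSignatures(Process.myUid(), callerUid) != PackageManager.SIGNATURE_MATCH) {
            throw new SecurityException("UID " + callerUid + " has a different signing certificate");
        }
        // The caller's UID must also own one of the allowed package names.
        String[] packages = pm.getPackagesForUid(callerUid);
        if (packages != null) {
            for (String pkg : packages) {
                for (String allowed : ALLOWED_PACKAGES) {
                    if (allowed.equals(pkg)) {
                        return;
                    }
                }
            }
        }
        throw new SecurityException("UID " + callerUid + " does not own an allowed package");
    }
}
```

The same restriction can also be declared in the manifest by setting android:permission on the service to a custom permission whose protectionLevel is signature, so that the system refuses the bind before any method is called.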