Is there any security provided when an application calls a remote service using AIDL? Or is it simply like a malicious application could read the data?
On Android, one process cannot normally access the memory of another process.
When you bind to applications with a AIDL interface, the system will establish a connection between those processes. Therefor, the only those two applications that can read the information that is shared via the AIDL interface.
If you want to be sure, you should make a extra check in the onBind(Intent intent)
, to make sure it's your own application that is connecting
Tip: read the first part of this page: http://developer.android.com/guide/components/aidl.html
you could always filter in your methods to restrict the packages that are allowed. Throw a SecurityException if the package does not have permission
Collection<String> callingpackages = getCallingPackages();
if(!callingpackages.contains("yourpackagename"){
//Throw securityException.
}
And getCallingPackages
private Collection<String> getCallingPackages() {
int caller = Binder.getCallingUid();
if (caller == 0) {
return null;
}
return Lists.newArrayList(mContext.getPackageManager().getPackagesForUid(caller));
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With