如何将对ContentProvider的访问限制为仅对我的应用程序?
我想导出ContentProvider以便由我的另一个应用程序使用.如何防止其他应用程序访问它?如果我使用android:permission属性,那么第三方应用程序不能仅将该权限应用于其应用程序吗?我真的只需要限制对我的应用程序的访问.
I want to export a ContentProvider for use by another one of MY apps. How do I prevent other apps from accessing it? If I use an android:permission attribute, can't 3rd party apps just apply that permission to their app? I really need to lock down access to my apps only.
预先感谢...
如果我使用android:permission属性,那么第三方应用程序不能仅将该权限应用于其应用程序吗?
If I use an android:permission attribute, can't 3rd party apps just apply that permission to their app?
那么,您可以使用signature级自定义权限(android:protectionLevel="signature").然后,必须使用相同的签名密钥对持有许可的应用程序和使用许可进行防御的应用程序进行签名.
Well, you can use a signature-level custom permission (android:protectionLevel="signature"). Then, the app holding the permission and the app defending itself with the permission have to be signed by the same signing key.
Android中存在一个错误/限制,即使没有使用您的签名密钥对攻击者进行签名,它也可以允许在您的应用程序之前安装的攻击者拥有此权限.我在此报告中对此进行了更详细的介绍(因为对于这样的答案),并提供一个PermissionUtils类来帮助您发现这种情况.
There's a bug/limitation in Android that can allow an attacker, installed before your app, to hold this permission even though the attacker is not signed by your signing key. I go into that in more detail in this report (as it's a bit complex for an SO answer) and have a PermissionUtils class to help you detect that case.