On Jun 10, 5:04 am, Mark Murphy <[EMAIL PROTECTED]> wrote: > Unless you are passing around some sort of request token, I don't know > how you will be able to identify "subsequent calls" as being from the > same caller as a previous one. And, if you *are* passing some sort of > caller token with each call, impersonation is merely a matter of > intercepting and reusing said token.
The Binder system gives a really nice facility for dealing with these kinds of security issues. It is at its heart a capability system, so an IBinder represents a capability that you can grant to others. Thus if you just instantiate a Binder object and hand it off as the token, you can be sure when you get that object back that it only came from the process you gave it to (or any process that process gave it to). > A determined person will break it anyway, if they can get their hands on > your client APK. I suspect Dalvik bytecodes can be decompiled, even if > there isn't necessarily a decompiler available at present. Then, it's > just a matter of figuring out where your private key is stored. If the > client application can sign things, somebody with the APK can, in > theory, learn everything that is needed to sign things as well. Well I would strongly discourage putting a private key in your .apk. There is no need. Given that two .apks have been signed, you can check to determine that they were signed with the same private key without anyone having to know what that private key is. In the upcoming SDK where the signing stuff is fully implemented, this is central to how it operates. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] Announcing the new M5 SDK! http://android-developers.blogspot.com/2008/02/android-sdk-m5-rc14-now-available.html For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~----------~----~----~----~------~----~------~--~---
