On Wednesday, July 13, 2011 9:16:56 AM UTC-4, DCA wrote:
> I've developed a framework that loads potentially untrusted plug-in
> code from a remote repository into my framework's process at runtime
> (using OSGi). Each plug-in is started on a thread that my framework
> holds a reference to. Problematically, misbehaving plug-ins
>
Please note that anything run in your process, or for that matter in another process run as your application's user ID, will have the full privileges of your application. Should the untrusted code cross the boundary from unintentionally misbehaving to malicious, it can do anything the system will permit your application to do, and do it in _your_ name.

Web browsers typically solve this problem for JavaScript by sandboxing the virtual machine in which the foreign code runs. But that's not perfectly secure.

Android solves the problem not by sandboxing the VMs in which applications run, but by using Unix user IDs to separate the services the kernel provides to each application; you are proposing effectively to break down that mechanism and trust everything running at the invitation of your application by running it all under the same user ID. Once you do that, the existence of user-level administration and debug authority over all of a user's processes means running in the same or separate processes is just a convenience, not a true barrier.

--
You received this message because you are subscribed to the Google Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
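The point made in the reply above, that a thread or class-loader boundary inside one process is not a privilege boundary, can be checked with a small stand-alone Java program. This is an added example, not code from the thread or from OSGi or Android; the file name, the "plug-in" class and the secret value are constructed for the demo. The host writes an owner-only file, then starts a "plug-in" on a thread it owns, exactly as the original poster's framework does; the kernel sees only the shared user ID and lets the plug-in thread read the host's private data.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

/**
 * Constructed demo: a host application writes an owner-only (0600) file and
 * then runs untrusted "plug-in" code on a thread it created, the way an
 * in-process OSGi host does. Run with: java SameProcessDemo.java
 */
public class SameProcessDemo {

    /** Stands in for a plug-in bundle fetched from a remote repository (hypothetical). */
    static final class UntrustedPlugin implements Runnable {
        private final Path hostSecret;

        UntrustedPlugin(Path hostSecret) {
            this.hostSecret = hostSecret;
        }

        @Override
        public void run() {
            // A Thread, a ClassLoader or an OSGi bundle is a JVM construct, not an
            // OS boundary. The kernel checks the process's UID, which this thread
            // shares with the host, so the owner-only file is readable here.
            try {
                String who = ProcessHandle.current().info().user().orElse("?");
                String contents = Files.readString(hostSecret);
                System.out.println("plug-in runs as user " + who
                        + " and read the host's private file: " + contents.trim());
            } catch (IOException e) {
                System.out.println("plug-in could not read the host file: " + e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Host side: create private data and restrict it to the owner, the kind of
        // protection an application relies on against other users on the system.
        Path secret = Files.createTempFile("host-private", ".txt");
        try {
            Files.setPosixFilePermissions(secret, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException ignored) {
            // Non-POSIX filesystem (e.g. Windows): permissions differ, the UID point still holds.
        }
        Files.writeString(secret, "constructed secret value\n");
        System.out.println("host runs as user "
                + ProcessHandle.current().info().user().orElse("?"));

        // The host holds a reference to the plug-in's thread, as in the question,
        // but holding the reference gives it no way to deny the plug-in its own UID.
        Thread pluginThread = new Thread(new UntrustedPlugin(secret), "plugin-1");
        pluginThread.start();
        pluginThread.join();

        Files.deleteIfExists(secret);
    }
}
```

Both lines printed name the same user, which is the whole problem: the only identity the operating system can enforce against is the process's, so a real barrier for untrusted plug-in code has to come from a separate user ID (Android's per-application UID model) or from a sandboxed runtime, not from which thread or class loader the code happens to run in.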