Thanks Dianne, I'm sorry if I am just slow here, but it still isn't clear to me how I would get the uid of the caller from the service.
Because it is a synchronous call to my remote service, is it just that my remote service will be running on the same thread and I can get the id from the Process.myTid()? Thanks, -Tony On Dec 16, 3:39 pm, Dianne Hackborn <hack...@android.com> wrote: > Yep. What the platform typically does is have the service publish a > factory interface, with a call to request a new session: > > interface IMySession { > void close(); > > } > > interface IMyService { > IMySession makeSession(); > > } > > In makeSession(), check the uid of the caller. > > If you want to check signing cert, you can get the packages associated with > the calling uid and check the cert of one of them. (All packages > associated with the same uid must be signed with the same cert.) > > 2011/12/16 Harri Smått <har...@gmail.com> > > > > > > > > > > > Hi, > > > I would go for a simple handshaking mechanism quite likely. You can let > > anyone bind to your service but disallow usage of IPC methods for > > unidentified clients. E.g. > > > 1. Client connects to service. > > 2. After connection is established, client is required to call, say, > > identify() IPC method which returns a String, Integer, what so ever. > > 3. After receiving this challenge, client has to call identify(result) > > method which gives client a session id. > > 4. For all of the later calls client has to use this session id among with > > the call. > > > Quite obviously all this depends totally on how much security you're > > required to have within your client-service interaction but some very > > simple handshaking protocol might work surprisingly well if it's kept > > secret. > > > -- > > H > > > On Dec 16, 2011, at 6:26 PM, Bsweet wrote: > > > > It is the spoof part that concerns me. > > > > Anyone else out there have any creative ideas? > > > > Right now I'm considering just checking who is on the top of the > > > activity stack, but that is hokey and not reliable. > > > > On Dec 16, 4:30 am, Mark Murphy <mmur...@commonsware.com> wrote: > > >> On Thu, Dec 15, 2011 at 9:54 PM, Kristopher Micinski > > > >> <krismicin...@gmail.com> wrote: > > >>> When you get a bind in your service (your onBind) can you just take > > >>> the intent and get component associated with it? > > > >>> From Intent: > > >>> ComponentName getComponent() > > >>> Retrieve the concrete component associated with the intent. > > > >> That should be the recipient, not the sender. > > > >> The only way I know to find out whoboundto you is if you require > > >> that information in an extra, and that can always be spoofed. The > > >> expectation is that you should not care *who*boundto you, merely > > >> whether they had sufficient permissions to do so. > > > >> -- > > >> Mark Murphy (a Commons Guy)http://commonsware.com| > >http://github.com/commonsguyhttp://commonsware.com/blog|http://twitter.com/commonsguy > > > >> _Android Programming Tutorials_ Version 4.1 Available! > > > > -- > > > You received this message because you are subscribed to the Google > > > Groups "Android Developers" group. > > > To post to this group, send email to android-developers@googlegroups.com > > > To unsubscribe from this group, send email to > > > android-developers+unsubscr...@googlegroups.com > > > For more options, visit this group at > > >http://groups.google.com/group/android-developers?hl=en > > > -- > > You received this message because you are subscribed to the Google > > Groups "Android Developers" group. > > To post to this group, send email to android-developers@googlegroups.com > > To unsubscribe from this group, send email to > > android-developers+unsubscr...@googlegroups.com > > For more options, visit this group at > >http://groups.google.com/group/android-developers?hl=en > > -- > Dianne Hackborn > Android framework engineer > hack...@android.com > > Note: please don't send private questions to me, as I don't have time to > provide private support, and so won't reply to such e-mails. All such > questions should be posted on public forums, where I and others can see and > answer them. -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en