ProGuard doesn't provide any protection; it can provide obfuscation.

android:sharedUserId is for security, to allow you to bypass the normal
application sandboxing (where each app gets its own uid) for applications
that are signed with the same certificate and thus come from the same
author.

On Tue, Jun 15, 2010 at 3:31 PM, ADman <[email protected]> wrote:

> hi dianne,
>
> thank you for the prompt reply. so just to confirm, using the
> SharedUserID mechanism, along with using 'Proguard' for code
> obfuscation will lead to protection of both the code and the database?
> (assuming the user does not root the device, in which case I presume
> they will be able to copy the database off the device and view it)?
>
>
> On Jun 15, 1:10 pm, Dianne Hackborn <[email protected]> wrote:
> > On Tue, Jun 15, 2010 at 12:59 PM, ADman <[email protected]> wrote:
> > > hi there,
> >
> > > For our application, we need to have two applications share the same
> > > database. I have done the following:
> >
> > > 1. assigned each application the same 'SharedUserID'
> > > 2. used Context.CONTEXT_INCLUDE_CODE in the 'calling' application to
> > > access the db defined in the 'called' application
> > > 3. signed both apps with my key
> >
> > > By doing this both apps are able to share the same db. My questions:
> >
> > > 1. Can some 3rd party app figure out the sharedUserID and also gain
> > > access to the db using the Context.CONTEXT_INCLUDE_CODE
> >
> > No.  To run as the same sharedUserId you need to be signed with the same
> > cert.
> >
> > > 2. can the 'calling' app be inspected to figure out how to use the
> > > database i.e. what calls to use?
> >
> > It can always access the code.  It can not access the data.
> >
> > > 3. is signing enough to prevent a 3rd party from getting access to
> > > both my 'called' and 'calling' app? or do the apps need to be
> > > obfuscated (I saw a post about using 'Proguard'?)
> >
> > It depends on what you mean by access.  By default all data you write is
> > not world readable, so only others running as your uid can access it.
> >
> > > 4.Finally, is this the best way to achieve my goal of sharing the db?
> > > I read about using ContentProvider method also, but people say it's
> > > slower than using direct db access? Does ContentProvider method
> > > provides better security?
> >
> > The security depends on how you use things.  Which makes sense really
> > depends on a lot of factors.
> >
> > --
> > Dianne Hackborn
> > Android framework engineer
> > [email protected]
> >
> > Note: please don't send private questions to me, as I don't have time to
> > provide private support, and so won't reply to such e-mails.  All such
> > questions should be posted on public forums, where I and others can see
> > and answer them.
>



-- 
Dianne Hackborn
Android framework engineer
[email protected]

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.
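
The setup discussed in this thread, as an added example that is not part of the original messages: the calling app confirms that the owning package has the same signing certificate and the same uid before opening its database directly. The package name `com.example.owner` and file name `shared.db` are hypothetical; both manifests are assumed to declare the same android:sharedUserId.

```java
// Added illustration; package and database names are hypothetical.
import android.content.Context;
import android.content.pm.PackageManager;
import android.database.sqlite.SQLiteDatabase;
import android.os.Process;
import java.io.File;

public final class SharedDbAccess {
    private static final String OWNER_PKG = "com.example.owner"; // hypothetical
    private static final String DB_NAME = "shared.db";           // hypothetical

    private SharedDbAccess() {}

    /**
     * Opens the owner app's database read-only from the calling app.
     * This only works when both packages run under one uid, which
     * requires the same android:sharedUserId and the same signing cert.
     */
    public static SQLiteDatabase openOwnerDb(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();

        // Fail closed if the owner package is missing or signed differently.
        if (pm.checkSignatures(ctx.getPackageName(), OWNER_PKG)
                != PackageManager.SIGNATURE_MATCH) {
            throw new SecurityException("Signature mismatch for " + OWNER_PKG);
        }

        // Confirm the shared uid is actually in effect; without it the
        // owner's files (not world readable by default) stay out of reach.
        int ownerUid = pm.getApplicationInfo(OWNER_PKG, 0).uid;
        if (ownerUid != Process.myUid()) {
            throw new SecurityException(OWNER_PKG + " runs under a different uid");
        }

        // Context for the other package; CONTEXT_INCLUDE_CODE is the flag
        // the original poster used.
        Context owner = ctx.createPackageContext(
                OWNER_PKG, Context.CONTEXT_INCLUDE_CODE);

        // Path inside the owner's private data directory. File-system
        // permissions, not this code, are what keep other uids out.
        File dbFile = owner.getDatabasePath(DB_NAME);
        return SQLiteDatabase.openDatabase(
                dbFile.getPath(), null, SQLiteDatabase.OPEN_READONLY);
    }
}
```

The two checks are diagnostics for the caller, not the security boundary: access is decided by the uid that owns the database file. Note that android:sharedUserId was deprecated in API level 29.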
