Following situation: *App1* Main application - Allows enabling debug by secured broadcast
<permission android:name="com.company.PERMISSION" > android:protectionLevel="signature" /> > ... > <receiver android:name=".SettingsReceiver" > android:permission="jcom.company.PERMISSION" > > ... > </receiver> > *App2* A app for enabling debug mode and other options in the real app (for support purpose) <uses-permission android:name="com.company.PERMISSION" /> Now this works very well. Even if the install order is App2 and then App1. BUT. *Security Issue?* If I am a hacker, that wants to turn on debug (but who is not authorized to do so) installs his own app first that has the following in its AndroidManifest.xml: <permission android:name="com.company.PERMISSION" > android:protectionLevel="signature" /> > <uses-permission android:name="com.company.PERMISSION" /> Than after he installed this app, he installs App1, he can send the broadcast and it seems like the permission is not checked! But if the hackers app is installed after the original app, the security is in place. What is the reason for that behavior? Any way to get it working right? *Current Solution:* I have App1 check for a packageName in the broadcast. If none is received, it is denied. If one is received, than it will first check if the signature matches, and if it does sends a "send your settings" request with a token and wait a few milliseconds for the answer, if none comes, the token expires. Would that be a good way to solve it and make it secure? Best regards, Patrick Boos -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To view this discussion on the web visit https://groups.google.com/d/msg/android-security-discuss/-/BXvjR8GgcWYJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
