"Permissions Are Install-Order Dependent", https://code.google.com/p/android/issues/detail?id=25906.
I think you have to "Star" it to give it a +1. When votes hit a critical mass, then the issue might be fixed. Jeff On Fri, Jul 20, 2012 at 2:14 AM, Patrick Boos <[email protected]> wrote: > Following situation: > > App1 > Main application > - Allows enabling debug by secured broadcast > >> <permission android:name="com.company.PERMISSION" >> android:protectionLevel="signature" /> >> ... >> <receiver android:name=".SettingsReceiver" >> android:permission="jcom.company.PERMISSION" > >> ... >> </receiver> > > > App2 > A app for enabling debug mode and other options in the real app (for support > purpose) > >> <uses-permission android:name="com.company.PERMISSION" /> > > > Now this works very well. Even if the install order is App2 and then App1. > BUT. > > Security Issue? > If I am a hacker, that wants to turn on debug (but who is not authorized to > do so) installs his own app first that has the following in its > AndroidManifest.xml: > >> <permission android:name="com.company.PERMISSION" >> android:protectionLevel="signature" /> >> <uses-permission android:name="com.company.PERMISSION" /> > > > Than after he installed this app, he installs App1, he can send the > broadcast and it seems like the permission is not checked! But if the > hackers app is installed after the original app, the security is in place. > > What is the reason for that behavior? Any way to get it working right? > > Current Solution: > I have App1 check for a packageName in the broadcast. If none is received, > it is denied. If one is received, than it will first check if the signature > matches, and if it does sends a "send your settings" request with a token > and wait a few milliseconds for the answer, if none comes, the token > expires. > > Would that be a good way to solve it and make it secure? > > Best regards, > Patrick Boos > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To view this discussion on the web visit > https://groups.google.com/d/msg/android-security-discuss/-/BXvjR8GgcWYJ. > To post to this group, send email to > [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
