Hi, I am building an application that needs to do certain "system level" tasks.
So, I am splitting my application into two APKs. One APK will be signed with the platform signature, and the other one will be signed with my own signature. (It needs to be separated into two APK files.) The two APKs will communicate using the Binder. Several chunks of data must be transferred from the System Signed APK to the Application APK, so I will be using the Messenger Bound Service on the System Signed APK with a ReplyTo object so the Application APK can receive the chunks back. http://developer.android.com/guide/components/bound-services.html#Messenger

Now, I have two concerns:

1. Nobody else should be able to talk to the System Signed APK.
2. Nobody should be able to eavesdrop on the communication between the System Signed APK and the Application APK.

To solve #1, I am hardcoding the certificate of the Application APK into the System Signed APK, then detecting the calling user ID using Binder.getCallingUid, and then calling getPackageInfo with GET_SIGNATURES. With this I'm getting the certificate of the caller process, so I am just comparing it against my hardcoded certificate. If the certificates aren't equal, I'm just doing nothing with the request.

To solve #2, I really don't know if I'm safe with Android's Binder security.

Basically, I need to know if I'm fine with what I'm doing, or whether you could give me some advice to help strengthen the security.

Thanks in advance.
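One way to implement the caller check from concern #1, as an added example that is not part of the original post. It assumes API 21+ so that `Message.sendingUid` is available (a Messenger handler runs on the Handler's thread, outside the Binder transaction, so the sender's UID is taken from the message); `PrivilegedService`, `PINNED_CERT_SHA256` and `isTrustedCaller` are hypothetical names, and the pinned digest is a placeholder.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Message;
import android.os.Messenger;
import android.os.RemoteException;
import java.security.MessageDigest;

public class PrivilegedService extends Service {
    // Placeholder: SHA-256 of the Application APK's signing certificate (all zeros matches nothing).
    private static final byte[] PINNED_CERT_SHA256 = new byte[32];

    private boolean isTrustedCaller(int uid) {
        PackageManager pm = getPackageManager();
        String[] pkgs = pm.getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA-256");
            for (String pkg : pkgs) { // a UID can be shared by several packages: check all
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                // Require exactly one signer so the comparison is unambiguous.
                if (info.signatures == null || info.signatures.length != 1) return false;
                byte[] digest = sha.digest(info.signatures[0].toByteArray());
                if (!MessageDigest.isEqual(digest, PINNED_CERT_SHA256)) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed on lookup or digest errors
        }
    }

    // msg.sendingUid is filled in by Messenger on the receiving side, not by the sender.
    private final Messenger messenger = new Messenger(new Handler(Looper.getMainLooper()) {
        @Override public void handleMessage(Message msg) {
            if (msg.replyTo == null || !isTrustedCaller(msg.sendingUid)) return; // ignore silently
            try {
                msg.replyTo.send(Message.obtain(null, msg.what)); // real chunks would go in a Bundle
            } catch (RemoteException e) {
                // Client process went away; nothing to send.
            }
        }
    });

    @Override public IBinder onBind(Intent intent) { return messenger.getBinder(); }
}
```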
