Personally I know that Android recommends to use the enforcing permission when declaring the component for the secured IPC operation.
But sometimes it's quite not easy to use the unified single enforcing permission when it should operate with bunch of applications which are signed by their own signing key. I know that those application *SHOULD* be signed by considering this enforcing permission, but practically sometimes those applications run in real world and later we need to protect their unprotected IPCs : broadcasting, service, content provider and activity. Is there any other method available for the secured IPC besides the component security or enforcing permission which restricts the IPC by requiring the Android permission ? * Checking the signing certificate ? - For bound service, it can be used, but in other case, it's difficult to apply. * Is the EXPLICIT intent secure ? - If intent is resolved by intent.setPackage(packageName), can only the specified package take the intent securely ? - Is it no possibility that it can be sniffed by other package ? * ... I think that this inquiry is a little bit stupid, but it's true that some other secured IPC is necessary when the component security or the enforcing permission is not available. Thanks in advance. tkHWANG. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
