Hello Maciej Górski,
I know this is a common problem. This issue has been resolved by Google 
since Android 4.1.1: in fact from this version on, they have introduced a 
new class that allows you to retrieve data (ActivityManager.RecentTaskInfo) 
that doesn't allow you to get "extras" from other applications.
In my opinion, if you want to pass data in such a secure way between two 
activities, you can pass encrypted data or you can pass only a kind of simple 
variable (for example an Integer or a String) and in the second activity 
you can retrieve data from a Db or from the shared preferences. 

Let's consider that you want to send the number of a credit card from 
FirstActivity to SecondActivity.
Now in FirstActivity you can save the number of the credit card in a Db or 
using a SharedPreference, then you can pass to SecondActivity a number or a 
string that has no real meaning (for example you can pass the name used to 
save the sharedPreferences). In the SecondActivity, you receive that String 
and you can retrieve the number of the credit card from the 
sharedPreferences you have saved or from the Db. In this way no data 
passing from one activity to another can be read by other applications.
I hope this is useful for you.
On Saturday, 11 May 2013 21:29:53 UTC+2, Maciej Górski wrote:
>
> Hello everybody,
>
> I've noticed that when an application has GET_TASKS permission it can 
> retrieve the data sent between two Activities in another application, where 
> the second Activity is not exported, like in this example:
>
>         <activity android:name=".FirstActivity" >
>             <intent-filter>
>                 <action android:name="android.intent.action.MAIN" />
>
>                 <category android:name="android.intent.category.LAUNCHER" />
>             </intent-filter>
>         </activity>
>         <activity android:name=".SecondActivity" />
>
> somewhere in FirstActivity:
>
>     Intent intent = new Intent(this, SecondActivity.class);
>     intent.putExtra("any_key", "any_value");
>     startActivity(intent);
>
> any_key + any_value pair can be read from application that has GET_TASKS 
> permission.
>
> Does that mean we should not send sensitive data between exported and 
> private Activity?
>
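
The hand-off described in the reply above, as an added example (not code from either poster): only an opaque key travels in the Intent, and the value itself stays in app-private SharedPreferences. `HandoffStore`, the `handoff` preferences file and the `handoff_token` extra are hypothetical names, and using a random key that is deleted when the second activity finishes goes beyond the reply, which suggests passing the preference name.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Bundle;
import java.util.UUID;

// Hypothetical helper: keeps the sensitive value in an app-private prefs file.
final class HandoffStore {
    static final String EXTRA_TOKEN = "handoff_token";

    // Stores the value under a random key and returns that key.
    static String put(Context ctx, String secret) {
        String token = UUID.randomUUID().toString();
        prefs(ctx).edit().putString(token, secret).commit();
        return token;
    }
    // Returns the stored value, or null if the token is missing or unknown.
    static String get(Context ctx, String token) {
        return token == null ? null : prefs(ctx).getString(token, null);
    }
    static void remove(Context ctx, String token) {
        if (token != null) prefs(ctx).edit().remove(token).commit();
    }
    private static SharedPreferences prefs(Context ctx) {
        return ctx.getSharedPreferences("handoff", Context.MODE_PRIVATE);
    }
}

// FirstActivity.java (each public Activity lives in its own file)
public class FirstActivity extends Activity {
    void openSecond(String cardNumber) {
        Intent intent = new Intent(this, SecondActivity.class);
        // The extra carries the lookup key only, never the card number.
        intent.putExtra(HandoffStore.EXTRA_TOKEN, HandoffStore.put(this, cardNumber));
        startActivity(intent);
    }
}

// SecondActivity.java
public class SecondActivity extends Activity {
    private String token;
    @Override protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        token = getIntent().getStringExtra(HandoffStore.EXTRA_TOKEN);
        String cardNumber = HandoffStore.get(this, token);
        if (cardNumber == null) { finish(); return; }  // unknown or already used key
        // ... use cardNumber here ...
    }
    @Override protected void onDestroy() {
        super.onDestroy();
        // Survives rotation; the entry is dropped once the screen is really closed.
        if (isFinishing()) HandoffStore.remove(this, token);
    }
}
```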
