On 07/17/2013 12:30 PM, Richard Haines wrote:
I have a pair of simple apps: one provides a service (installed as a 'platform' app) and the other is the client (running as untrusted_app). However they are not related (i.e. they are signed differently), but the client knows the startIntent.setClassName. The client sends an intent to start the service.I did not expect the service to start with the default intent_mac.xml and mmac_types.xml files, however it did. After some digging I found that it was allowed because of this entry in the intent_mac.xml file: <intent> <filter> <action name="android.intent.action.MAIN"/> <category name="android.intent.category.LAUNCHER"/> </filter> <!-- Allow all apps to send this intent --> <allow name="find_main_activities"/> </intent> This does not seem that secure, so I've patched the file with the attached patch. This allows AOSP apps to send the intent, but not others. I then added entries in intent_mac and mmac_types to allow my apps to communicate. This seems a more secure solution. Richard
What if your example platform app exposes a service that intends to allow anyone to use?
-- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
