Hi,
I'm writing an app (say, appA) that allows others (suppose one of them
is appB) to start it via an intent. Since appA is doing some operations
that require a special permission (PERM), I hope to check inside appA to
ensure that appB has PERM (I dislike checking it inside appB).
A first glance at the APIs leads me to Context.checkCallingPermission,
however it kept returning -1 (permission denied) when used in
Activity/BroadCastReceiver/Service. And by checking Binder.getCallingPid()
I find that it is always the same as Process.myPid(); as the document says,
it always returns -1 since Android system considers it "not currently
processing an IPC".
My next attempt is trying to get appB's package name and check whether
appB has the permission.
*Assuming* appB's package name is known, I used
"PackageManager.checkPermission" however it seems not working either
(always denied). The only API that works for me is
PackageManager.getPackageInfo and then check its requestedPermissions.
However the problem is that I don't know how to get appB's package name
in a general way. It seems that the package name is available only when the
PIC intent is sent through "startActivityForResult", in which case it's
possible to use "Activity.getCallingPackage" from appA to retrieve the name
of appB.
There is a workaround to force the intent to carry an extra field
indicating the sender's (here it's appB's) package name and extract the
corresponding field content of the intent inside appA. Obviously it's
inconvenient since it requires more boilerplate code on appB's side; more
seriously, appB is able to cheat by filling the field with other strings
(specially, another package name whose corresponding app has PERM).
My question: is there any general way to check appB's permissions
insider appA in all cases (Activity/BroadCastReceiver/Service) for an
intent related IPC?
I saw a similar thread(
https://groups.google.com/forum/#!topic/android-developers/8v7TWtg7clA) on
mailing list, it finally suggested using AIDL as a solution; however I do
hope to only deal with the intent case.
Best Regards,
Hongxu
--
You received this message because you are subscribed to the Google Groups
"Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to android-developers+unsubscr...@googlegroups.com.
To post to this group, send email to android-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/android-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/android-developers/CAJPBKOEDJPExxxFiPp3KQAyPsq9eaJ2%2BxD%2B45bDXa07dSYX%2BWQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
