Android Component Security

1, Activity, Service, Broadcastreceiver, ContentProvider are the four components of Android, their security is very important. The security vulnerabilities of the four components are mainly focused on whether external calls can be externally invoked and whether there are risks to external calls.

Whether the four components can be called externally, the determinant is the androidmanifest.xml of the label export of the four components defined within the definition. As follows:

<activity              android:name= ". Partactivity "              android:theme=" @android: Style/theme.dialog "             android:export=" true ">  </activity >  

Export is true to indicate that partactivity can be called externally. Export if False, indicates that partactivity cannot be called externally.

We notice that when we define the four components, we often do not write the export tag, then what is the default export of the system?

(1), if the four components contain intent-filter, then the Android system believes that this component can be externally through implicit invocation, so the default export is true.

<activity              android:name= ". Mainactivity "              android:label=" mainactivity ">              <intent-filter>                  <action android:name=" Android.intent.action.MAIN "/>                    <category android:name=" Android.intent.category.LAUNCHER "/>              < /intent-filter>  </activity>

(2), if the four components do not contain Intent-filter, then the Android system believes that the component value can only be internally through explicit invocation, so the default export is False.

<activity              android:name= ". Partactivity "              android:theme=" @android: Style/theme.dialog ">  </activity>

2, in order to increase the security of the four components, you can define a permission to access a component.

<activity  android:name= ". Partactivity "  android:theme=" @android: Style/theme.dialog ">  android:permission=" Com.example.test.permission "</activity><permission android:name=" Com.example.test.permission "  Android:protectionlevel= "Dangerous"  android:label= "test"  android:description= "Test_permission"/>  

If the need to use must be in the Androidmanifest.xml, through the application of permissions can, in addition to pay attention to ProtectionLevel, if it is signature, then only the application with the same private key signature application can request this permission.

<uses-permission android:name= "Com.example.test.permission"/>

3, intent start different components of the method as follows:

Component Name	Method name
A Ctivity                                 &N Bsp                          ,         &NB Sp	s Tartactivity () startactivityforresult ()                   and nbsp                          ,         &NB Sp                          ,         &NB Sp                          ,         &NB Sp
service	startservice () bind Service ()
Broadcasts	Sendbroadcast () Sendorderedbroadcast () Sendstickybroadcast ()

Sendbroadcast, there is a way, can not be declared inside the androidmanifest.xml, uses-permission;Direct send with permission, Sendbroadcast (Intent, Receiverpermission)。 A dynamically registered receiver can specify the permissions required to access it in the code.

4. ContentProvider Safety

<provider    android:name= ". Studentcontentprovider "    android:authorities=" Com.example.loadermanagerdemo.StudentContentProvider "Android: readpermission= "Com.example.testapps.readPermission" android:writepermission= " Com.example.testapps.writePermission "></provider>

Need to read ContentProvider, to apply for readpermission, need to write contentprovider, you need to apply for writepermission.

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

Android Component Security