Android component security
1. Activity, Service, BroadcastReceiver, and ContentProvider are the four major components of Android, and their security is very important. Security vulnerabilities in the four components mainly come down to whether external calls are allowed and whether those external calls pose a risk.
Whether a component can be called externally depends on the Boolean value of its android:exported attribute in AndroidManifest.xml, as follows:
If android:exported is true, PartActivity can be called externally. If android:exported is false, PartActivity cannot be called externally.
When defining the four components, we often do not write the android:exported attribute. What does the system default to?
(1) If the component contains an intent-filter, the Android system considers that it can be implicitly called from outside, so android:exported defaults to true.
(2) If the component does not contain an intent-filter, the Android system considers that it can only be explicitly called internally, so android:exported defaults to false.
2. To increase the security of the four components, you can require a permission to access a component:
android:permission="com.example.test.permission"
To use such a component, the caller must request the permission in AndroidManifest.xml. Also pay attention to protectionLevel: if it is signature, only applications signed with the same private key can apply for this permission.
3. Use Intent to start different components as follows:
Component name | Method name
Activity | startActivity(), startActivityForResult()
Service | startService(), bindService()
Broadcasts | sendBroadcast(), sendOrderedBroadcast(), sendStickyBroadcast()
sendBroadcast has a form that does not need a uses-permission declaration in AndroidManifest.xml: the permission is attached directly when sending, sendBroadcast(intent, receiverPermission). Dynamically registered receivers can specify the permissions required to access them in code.
4. ContentProvider Security
To read from a ContentProvider, the caller must apply for its readPermission. To write to a ContentProvider, the caller must apply for its writePermission.
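The default-export rules in section 1 and the permission attributes in sections 2 and 4 can be checked mechanically. The following added example (not code from the original page) parses a constructed manifest and lists components that are exported but not guarded by a signature-level permission; the component names other than PartActivity, and the helpers is_exported and audit, are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifest: only PartActivity and com.example.test.permission come from the text.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <permission android:name="com.example.test.permission"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name=".PartActivity" android:exported="true"/>
    <activity android:name=".InternalActivity"/>
    <service android:name=".SyncService"
             android:permission="com.example.test.permission">
      <intent-filter><action android:name="com.example.test.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".PingReceiver">
      <intent-filter><action android:name="com.example.test.PING"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:exported="true"
              android:readPermission="com.example.test.permission"/>
  </application>
</manifest>"""

def is_exported(comp):
    """An explicit android:exported wins; otherwise an intent-filter means true."""
    explicit = comp.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None

def audit(manifest_xml):
    """Return sorted (component, finding) pairs for exported, unguarded components."""
    root = ET.fromstring(manifest_xml)
    # Permissions defined in this manifest, mapped to their protectionLevel.
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = []
    for comp in (c for c in root.iter() if c.tag in COMPONENTS and is_exported(c)):
        name, base = comp.get(A + "name"), comp.get(A + "permission")
        # A provider guards reads and writes separately; android:permission covers both.
        kinds = ("readPermission", "writePermission") if comp.tag == "provider" else ("permission",)
        for kind in kinds:
            perm = comp.get(A + kind, base)
            if perm is None:
                findings.append((name, "exported, no " + kind))
            elif levels.get(perm) != "signature":
                findings.append((name, perm + " is not signature-level here"))
    return sorted(findings)
```

The audit applies the defaults exactly as stated in (1) and (2); apps that target Android 12 (API level 31) or higher must declare android:exported explicitly on any component that has an intent-filter.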