如何将对ContentProvider的访问权限仅限于我的应用程序?
[英]How do I restrict access to my ContentProvider to only my apps?
问题描述
I want to export a ContentProvider for use by another one of MY apps. 
我想导出一个ContentProvider供另一个MY应用程序使用。 How do I prevent other apps from accessing it? 如何阻止其他应用访问它? If I use an android:permission attribute, can't 3rd party apps just apply that permission to their app? 如果我使用android:permission属性,第三方应用程序是否只能将该权限应用于他们的应用程序? I really need to lock down access to my apps only. 我真的需要锁定对我的应用程序的访问权限。
Thanks in advance... 提前致谢...
1 个解决方案
解决方案1
9 已采纳 2014-04-24 23:58:37
If I use an android:permission attribute, can't 3rd party apps just apply that permission to their app?
Well, you can use a signature -level custom permission ( android:protectionLevel="signature" ). 好吧,你可以使用signature级别的自定义权限( android:protectionLevel="signature" )。 Then, the app holding the permission and the app defending itself with the permission have to be signed by the same signing key. 然后,持有权限的应用程序和应用程序通过权限进行自我辩护必须使用相同的签名密钥进行签名。
There's a bug/limitation in Android that can allow an attacker, installed before your app, to hold this permission even though the attacker is not signed by your signing key. Android中存在一个错误/限制,即使攻击者未通过您的签名密钥签名,也可以允许在您的应用之前安装的攻击者保留此权限。 I go into that in more detail in this report (as it's a bit complex for an SO answer) and have a PermissionUtils class to help you detect that case. 我在本报告中更详细地介绍了它 (因为它对于一个SO答案来说有点复杂)并且有一个PermissionUtils类来帮助您检测这种情况。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.