控制第三方API对Android系统资源的访问?
[英]Control access of third party APIs to Android system resources?
问题描述
When you import third party APIs (packet dependency injection, generated libraries, source code, etc) in your Android project, you assume they will behave as advertised. 
在您的Android项目中导入第三方API(数据包依赖注入,生成的库,源代码等)时,您会假定它们的行为与广告中所宣传的一样。 Most of the times code is not open source, it is obfuscated or just compiled. 大多数时候,代码不是开源的,它们被混淆或只是被编译。
Is there a way to control the access of this APIs to important system resources such as network, contacts, video and audio, location? 有没有办法控制此API对重要系统资源(例如网络,联系人,视频和音频,位置)的访问?
The best approach would be to provide a proxy to them for the system resources. 最好的方法是为它们提供系统资源的proxy 。 This would have the following benefits: 这将具有以下好处:
- Tests could be performed by providing mock data in the proxies 可以通过在代理中提供模拟数据来执行测试
- Your application would not have to provide all the permissions the API require if they are not necessary and the proxy would allow the API to not break because of permission by emulating permission granted 如果不需要,您的应用程序将不必提供API所需的所有权限,并且代理可以通过模拟授予的权限来允许API不会由于权限而中断
- Filter possible data collected locally about user and sent to an API home repo, used for advertising or malicious intent 过滤可能在本地收集的有关用户的数据,并将其发送到API主存储库,用于广告或恶意意图
I have failed to find how one such solution can be implemented since the user's defined activities and services can not control the services of the third party APIs or even prevent them for making direct calls to any Android public interface. 由于用户定义的活动和服务无法控制第三方API的服务,甚至无法阻止它们直接调用任何Android公共接口,因此我无法找到解决方案的实现方式。
The solution should not require root access, since you do not want to have this control outside the boundaries of your own app. 该解决方案不需要root用户访问权限,因为您不想让此控件超出您自己的应用程序的范围。
The content of this question is linked to several questions which address particularities of this broad question ( log data of content providers , network requests - that got me to think of this problem while researching an answer for it) 这个问题的内容与解决这个广泛问题的特殊性的几个问题相关联( 内容提供商的日志数据 , 网络请求 -使我在研究答案时考虑这个问题)
Note : The short answer is no, but one can be creative enough (maybe going for native level hacks may resolve this issue - idk) 注意 :简短的答案是“否”,但一个人可能足够有创意(也许进行本机级黑客攻击可能会解决此问题-idk)
1 个解决方案
解决方案1
1 已采纳 2016-02-25 15:42:08
Build proxy class for your desired android resource you want to protect in a package named com.myproxies (eg MediaRecorder, SensorManager, Camera, java.net.HTTPURLConnection).In the proxy you need to implement all of the public methods of the class you are mocking and you need to implemented logic to allow for access (forward to appropriate method) or deny. 在名为com.myproxies的包中(例如MediaRecorder,SensorManager,Camera,java.net.HTTPURLConnection)为要保护的所需Android资源构建代理类。在代理中,您需要实现该类的所有公共方法在嘲笑,您需要实施逻辑以允许访问(转发到适当的方法)或拒绝。 One helpful step would be to check the caller of the method . 一个有用的步骤是检查方法的调用者 。
If you plan to import source code, refactor code to change package to your proxy (proguard can help with this).
如果您打算导入源代码,请重构代码以将包更改为代理(Proguard可以提供帮助)。 If you are using a library, get Jar Jar Links ,a utility that makes it easy to repackage Java libraries and embed them into your own distribution, and change the package names internally to that of a class in your package that will serve as a proxy.
如果您使用的是库,请获取Jar Jar Links ,该实用程序可以轻松地重新打包Java库并将其嵌入到您自己的发行版中,并将内部包名称更改为包中用作代理的类的名称。 。 If you are using Maven or Gradle package dependency injection, you can also try to import Jar Jar Links and perform the package refactoring at compile time (not very sure it can be done)
如果您使用的是Maven或Gradle软件包依赖项注入,则还可以尝试导入Jar Jar Links并在编译时执行软件包重构(不是很确定可以做到)。
Unfortunately it is very easy to break the API, as I experienced myself, and there is a lot of manual labour involved. 不幸的是,按照我的经验,很容易破坏API,并且涉及大量的体力劳动。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.