Android Intent Security


Problem description


I've been working on designing a few Android apps lately, and one of my next experimental adventures is the first to listen to an external Intent: Google Voice. I was wondering about the potential for a malicious user to create another Intent mostly identical to a pre-existing trusted Intent to inject evil code into my app.

Recommended answer


Since intents isolate activities from each other (unless you root or there's an as-yet-undiscovered and fairly fundamental defect), they can't inject code into each other. However, any activity you start may of course do whatever is permitted to it according to its manifest.


The primary security countermeasure against malicious apps, whether they communicate by intents or otherwise, is the manifest and user approval at installation. If the user installs an app that processes RecognizerIntent, that app will be presented as an option to the end user when you attempt to get speech recognition. If the end user selects it, it will be executed. The most it can do with your app is to post results back to your Activity through your onActivityResult. You have to decide how much to trust that data (e.g., you may want to ask the user for verification before sending a possibly embarrassing email).


Any security threat model has to take into account what assets you protect, whom and what you trust, and the outside interaction and attack points. When it comes to speech recognition, the worst that can happen under the Android security model is that an external app does its worst on its own (using your app just as a trigger), or that it posts bad speech recognition results back.
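
The handling of recognition results described in the answer, as an added example that is not part of the original answer: whatever app the user picked to handle the recognizer intent can put arbitrary strings in the result, so the activity checks the result envelope, bounds the text, and asks the user to confirm before acting on it. The names `DictateActivity`, `REQ_SPEECH`, `MAX_LEN`, `sanitize` and `send` are hypothetical.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Intent;
import android.speech.RecognizerIntent;
import android.widget.Toast;
import java.util.ArrayList;

public class DictateActivity extends Activity {   // hypothetical activity name
    private static final int REQ_SPEECH = 1001;   // arbitrary request code
    private static final int MAX_LEN = 500;       // assumed cap on accepted text

    void startRecognition() {
        Intent i = new Intent(RecognizerIntent.ACTION_RECOGNIZE_SPEECH);
        i.putExtra(RecognizerIntent.EXTRA_LANGUAGE_MODEL,
                   RecognizerIntent.LANGUAGE_MODEL_FREE_FORM);
        // Any installed app that handles this action may end up answering.
        startActivityForResult(i, REQ_SPEECH);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        // Ignore results for other requests, cancelled requests and empty replies.
        if (requestCode != REQ_SPEECH || resultCode != RESULT_OK || data == null) return;
        ArrayList<String> results =
                data.getStringArrayListExtra(RecognizerIntent.EXTRA_RESULTS);
        if (results == null || results.isEmpty()) return;

        final String text = sanitize(results.get(0));
        if (text.isEmpty()) return;

        // Nothing is sent until the user has seen and approved the text.
        new AlertDialog.Builder(this)
                .setTitle("Send this message?")
                .setMessage(text)
                .setPositiveButton(android.R.string.ok, (d, w) -> send(text))
                .setNegativeButton(android.R.string.cancel, null)
                .show();
    }

    // Treat the returned string as untrusted data: bound it and drop control chars.
    static String sanitize(String s) {
        if (s == null) return "";
        if (s.length() > MAX_LEN) s = s.substring(0, MAX_LEN);
        return s.replaceAll("\\p{Cntrl}", " ").trim();
    }

    // Hypothetical hook: a real app would pass the approved text to its mail code.
    void send(String text) { Toast.makeText(this, "Sending: " + text, Toast.LENGTH_SHORT).show(); }
}
```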
