在Android应用动态检查权限 [英] On checking for permissions dynamically in android apps
问题描述
在我的previous <一个跟进href=\"http://stackoverflow.com/questions/18420994/multiple-permissions-in-androidpermisson\">question在运行时Android权限执法,我发现有Android中许多不同的方式它的应用程序可以验证通过调用(客户端)应用程序所拥有的权限。这包括像checkCallingPermission,checkCallingOrSelfPermission,checkCallingUriPermission,checkCallingOrSelfUriPermission,的checkPermission,checkUriPermission电话。据我已经通过 Android文档走了,我能够只有找到有关权限,这些调用在运行时检查。我的问题:
Following up on my previous question on android permissions enforcement at runtime, I found that there are many different ways in android which an app can verify the permissions possessed by the calling (client) app. This includes calls like checkCallingPermission, checkCallingOrSelfPermission, checkCallingUriPermission, checkCallingOrSelfUriPermission, checkPermission, checkUriPermission. As far as I have gone through the android documentation, I am able to find only these calls pertaining to permissions check at run time. My questions:
- 是否有任何其他方式(而不是使用上述电话)
检查动态呼叫者的权限?如果有任何
此类电话,请提供信息/链接或列举。 - 的
- Is there any other way (rather than using the aforementioned calls) to check the permissions of a caller dynamically? If there are any such calls, please provide info/links or list them.
- The description of checkCallingOrSelfPermission says
它赋予你自己的权限,如果你目前没有一个处理
IPC。与使用照顾!
it grants your own permissions if you are not currently processing an IPC. Use with care!
这似乎是危险的,因为它可以促进的(危险的)权限调用进程,可能导致权限提升(如果不小心使用)代表团。请让我知道我是否说得对,这可能导致特权升级攻击。
This seems risky as it could facilitate the delegation of (dangerous) permissions to the calling process which could result in privilege escalation (if used carelessly). Please let me know whether I am right in saying that this could lead to privilege escalation attacks.
- 我不明白为什么一个过程(运行程序)会检查是否是具有一定的权限(这将很好地知道它是有权这样做?)请让我知道了
这种特殊的设计方法背后的直觉:
checkCallingOrSelfPermission。 (简单来说,为什么/当我需要
checkCallingOrSelfPermission?)
- I could not understand why a process (running app) would check whether it possesses certain permission (it would very well know what it is entitled to do?). Please let me know the intuition behind the design of this particular method: checkCallingOrSelfPermission. (Putting it simply, why/ when do I need checkCallingOrSelfPermission?)
推荐答案
有两种类型的Android中的权限检查机制。
There are two type of permission check mechanism in Android.
一个是每个进程运行时动态检查,另一种是每个封装静态检查。你提到什么是所有关于运行时动态的东西在上下文中执行,另一个版本是软件包管理系统。 - <一个href=\"http://developer.android.com/reference/android/content/pm/PackageManager.html#checkPermission%28java.lang.String,%20java.lang.String%29\"相对=nofollow>的checkPermission
One is runtime-dynamic checking per process, and the other one is static checking per package. What you mentioned is all about runtime-dynamic stuffs are implemented in Context, the another version is in PackageManager. - checkPermission
href=\"http://developer.android.com/reference/android/content/pm/PackageManager.html#checkPermission%28java.lang.String,%20java.lang.String%29\"相对=nofollow>的checkPermission 是答案。如需更详细的介绍,还有在Android开发者网站的一篇文章,关于这个主题。
- http://developer.android.com/guide/topics/security/ permissions.html#声明
What you want to is check whether a specific package has a specific permission, checkPermission is the answer. For more detailed description, there is a article in Android Developer Site, about this subject. - http://developer.android.com/guide/topics/security/permissions.html#declaring
在很多情况下,你不需要使用动态权限检查方法,它只是,如果你正在一个供应商分享一些私人文件到特定的客户端,远程服务或某些部件需要 - 通过相关时间权限授予系统的东西意图或IPC。
In many case you don't need to use dynamic permission checking methods, it is needed only if you are working one provider for sharing some private files to specific client, remote service or some widgets - something related temporally permission grant system via Intent or IPC.
和,另一个变薄约
And, one other thins for your previous question about multiple permissions in android:permisson. There is a way an app define the list of permissions what they want inside Manifest.
入住
的http://developer.android.com/guide/topics/manifest/uses-permission-element.html
这篇关于在Android应用动态检查权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
