AccountManager and signature check


Problem description

The section of the Security Tips about AccountManager:

If credentials are used only by applications that you create, you can verify the application that accesses the AccountManager using checkSignature().

Where in the code should I check the signature? I've already tried to use Binder.getCallingUid() to obtain the UID of the calling process inside my own implementation of the AbstractAccountAuthenticator, but it returns 1000 as the system process performs IPC. I need to obtain UID/package name of the other app that tries to access the account created by my app as I want to perform the checkSignature check before returning the auth token.

Recommended answer

Turns out it's fairly simple. The package name, uid and pid of the real caller are contained in the Bundle passed as a parameter. This code should reside in the implementation of an AbstractAccountAuthenticator.

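import android.accounts.Account;
import android.accounts.AccountAuthenticatorResponse;
import android.content.pm.PackageManager;
import android.os.Bundle;

// Inside the AbstractAccountAuthenticator subclass; `context` is a Context field of that class.
@Override
public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
                           String authTokenType, Bundle bundle) {
    PackageManager packageManager = context.getPackageManager();
    // Package name of the real caller, carried in the options Bundle
    String callerPackageName = bundle.getString("androidPackageName");
    // Caller app must be signed with the same key to get the auth token.
    // Compare with ==: SIGNATURE_MATCH is 0 and SIGNATURE_NEITHER_SIGNED is 1,
    // so ">=" would also accept two unsigned packages.
    int signatureResult = packageManager.checkSignatures(BuildConfig.APPLICATION_ID,
            callerPackageName);
    if (signatureResult == PackageManager.SIGNATURE_MATCH) {
        // Placeholder for "[bundle with the auth token]"; buildAuthTokenBundle is a hypothetical helper
        return buildAuthTokenBundle(account, authTokenType);
    } else {
        return Bundle.EMPTY;
    }
}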
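
A stricter variant of the caller check, as an added example that is not part of the original answer: it ties the package name found in the Bundle to the caller UID found in the same Bundle before comparing signatures. The class name `CallerVerifier` and the method `isTrustedCaller` are hypothetical, and the code assumes the `callerUid` value is the one the system places in the options, which the `getAuthToken()` documentation says are always present.

```java
import android.accounts.AccountManager;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.os.Process;

import java.util.Arrays;

/** Added example (hypothetical helper): decides whether a getAuthToken() caller may receive a token. */
final class CallerVerifier {
    private CallerVerifier() {}

    /**
     * @param context the authenticator's Context
     * @param options the options Bundle passed to getAuthToken()
     * @return true only if the caller runs under a UID signed with the same key as this app
     */
    static boolean isTrustedCaller(Context context, Bundle options) {
        if (options == null) {
            return false;
        }
        // "androidPackageName" and "callerUid" keys, via their AccountManager constants
        String claimedPackage = options.getString(AccountManager.KEY_ANDROID_PACKAGE_NAME);
        int callerUid = options.getInt(AccountManager.KEY_CALLER_UID, -1);
        if (claimedPackage == null || callerUid < 0) {
            return false; // missing caller identity: fail closed
        }

        PackageManager pm = context.getPackageManager();

        // The claimed package must actually be installed under the caller UID;
        // otherwise the name alone says nothing about who is asking.
        String[] uidPackages = pm.getPackagesForUid(callerUid);
        if (uidPackages == null || !Arrays.asList(uidPackages).contains(claimedPackage)) {
            return false;
        }

        // Compare this app's UID with the caller's UID. Only an exact SIGNATURE_MATCH passes;
        // SIGNATURE_NEITHER_SIGNED (1) and all negative results are rejected.
        // Assumption: callerUid in the Bundle is set by the system, not by the caller.
        return pm.checkSignatures(Process.myUid(), callerUid) == PackageManager.SIGNATURE_MATCH;
    }
}
```

In `getAuthToken()`, call `CallerVerifier.isTrustedCaller(context, bundle)` first and return the token Bundle only when it returns true.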
