What protects Android AccountManager passwords from being read by other apps?


Problem description

I'm writing 1) an app that stores a username and password in the AccountManager, and 2) a separate background Service app that accesses those credentials to log in to my servers, etc. Playing around with this, I find I'm able to call AccountManager.getPassword(account) from the Service (app 2) to access the type of accounts I've added to the AccountManager using the other app (app 1).

Due to this, I'm starting to wonder what stops an arbitrary malicious app from 1) including the fields in the manifest to have Account management access, and then 2) iterating through all accounts of a particular type and calling mAccountManger.getPassword(account) on them. I know that during installation, a dialog pops up with all the permissions that an app requests to use, but I don't think we can count on the average user to reject an app because it requests suspicious permissions.

Is there a way to prevent getPassword from being called on an account type? Are there ways to protect accounts in the AccountManager from apps that have given themselves lots of account permissions?

Recommended answer

Account data protection is based on the Linux user id (UID) of the process making the request. (See Security and Permissions in the guide.) Each account is associated with an account authenticator (that has a UID), and the process calling getPassword (or several other methods) must have the same UID as the authenticator.
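The UID rule described in the answer can be checked from inside an app before it touches the stored credential. The following is an added example, not part of the original answer: the class name `AccountUidCheck` and both method names are hypothetical, and it assumes the caller has a `Context` and that the authenticator's package is visible to it.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AuthenticatorDescription;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Process;
import android.util.Log;

/** Added illustration; class and method names are hypothetical. */
public final class AccountUidCheck {
    private static final String TAG = "AccountUidCheck";

    /** True if this process runs under the same UID as the authenticator for accountType. */
    public static boolean sharesAuthenticatorUid(Context ctx, String accountType) {
        AccountManager am = AccountManager.get(ctx);
        for (AuthenticatorDescription d : am.getAuthenticatorTypes()) {
            if (!accountType.equals(d.type)) continue;
            try {
                // UID of the package that registered the authenticator.
                int authUid = ctx.getPackageManager()
                        .getApplicationInfo(d.packageName, 0).uid;
                return authUid == Process.myUid();
            } catch (PackageManager.NameNotFoundException e) {
                return false; // authenticator package not visible to this app
            }
        }
        return false; // no authenticator registered for this account type
    }

    /** Reads the password only when the UID precondition holds; returns null otherwise. */
    public static String readPasswordOrNull(Context ctx, Account account) {
        if (!sharesAuthenticatorUid(ctx, account.type)) {
            Log.w(TAG, "UID differs from authenticator for type " + account.type);
            return null;
        }
        try {
            return AccountManager.get(ctx).getPassword(account);
        } catch (SecurityException e) {
            // AccountManager rejected the caller despite the local check.
            Log.w(TAG, "getPassword denied", e);
            return null;
        }
    }
}
```

The local comparison is only a diagnostic; the enforcement happens inside AccountManager, which throws `SecurityException` for a caller that does not satisfy the check.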
