How is Android Firebase messaging SDK secure against Intent spoofing?
Question
I created a simple project using Firebase Messaging, using the following dependency.
implementation 'com.google.firebase:firebase-messaging:20.0.0'
I have built the app and checked its merged AndroidManifest.xml file. The only component exported by the Firebase Messaging SDK is the following receiver:
<receiver
    android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
    android:exported="true"
    android:permission="com.google.android.c2dm.permission.SEND" >
    <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
    </intent-filter>
</receiver>
I couldn't find the definition of the permission com.google.android.c2dm.permission.SEND, even though I have decoded the AndroidManifest.xml of the Google Play Services APK and found nothing there. Apart from its definition, whatever it is, it cannot prevent a malicious app from declaring a use-permission for it and broadcasting forged Intents. Also, because Intents are delivered by system_server, the receiver cannot check the identity of the sender.
How does the Firebase Messaging SDK counterattack this threat?
Accepted answer
A malicious app installed from the Play Store cannot use any permission that starts with "com.google.android". Those are reserved for system privileged apps.
The Play services "backend" app, which is installed on every device that has the Play store, actually handles incoming FCM messages directly. It is a privileged app, and is the only one that will use those permissions to send data to your app.
If you manage to root your device and install a malicious app with system privileges, then you might have a problem. But that's the risk you take when you bypass the security measures built into the device.
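As an added example (not part of the question, the answer, or the Firebase SDK), the following Python script audits a merged manifest the way the questioner did: it lists every exported receiver, service and activity and reports whether each one is guarded by a permission, labelling permissions in the reserved "com.google.android" namespace per the answer above. The sample manifest is constructed and contains the receiver quoted in the question plus a hypothetical unguarded receiver for contrast.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: the FCM receiver from the question, plus a
# hypothetical exported receiver with no android:permission at all.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
        android:exported="true"
        android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.app.DebugReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.example.app.DEBUG" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_exported_components(manifest_xml):
    """Return one finding per exported component: name, guarding permission
    (None if unguarded) and a risk label."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("receiver", "service", "activity"):
        for element in root.iter(tag):
            exported = _attr(element, "exported")
            has_filter = element.find("intent-filter") is not None
            # Without an explicit android:exported, a component that declares an
            # intent-filter is treated as exported on older API levels.
            if exported != "true" and not (exported is None and has_filter):
                continue
            permission = _attr(element, "permission")
            if permission is None:
                risk = "unguarded"   # any app on the device can target it
            elif permission.startswith("com.google.android."):
                risk = "reserved"    # holdable only by privileged/system apps
            else:
                risk = "guarded"     # check the permission's protectionLevel
            findings.append({"kind": tag, "name": _attr(element, "name"),
                             "permission": permission, "risk": risk})
    return findings
```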