How is Android Firebase messaging SDK secure against Intent spoofing?


Problem description

I created a simple project using Firebase Messaging, using the following dependency.

implementation 'com.google.firebase:firebase-messaging:20.0.0'

I have built the app and checked its merged AndroidManifest.xml file. The only component exported by the Firebase Messaging SDK is the following receiver:

<receiver
    android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
    android:exported="true"
    android:permission="com.google.android.c2dm.permission.SEND" >
    <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
    </intent-filter>
</receiver>

I couldn't find the definition of the permission com.google.android.c2dm.permission.SEND, even though I have decoded the AndroidManifest.xml of the Google Play Services APK and found nothing there. Apart from its definition, whatever it is, it cannot prevent a malicious app from declaring uses-permission for it and broadcasting forged Intents. Also, because Intents are delivered by system_server, the receiver cannot check the identity of the sender.

How does Firebase Messaging SDK counterattack this threat?

Recommended answer

A malicious app installed from the Play Store cannot use any permission that starts with "com.google.android". Those are reserved for system privileged apps.

The Play services "backend" app, which is installed on every device that has the Play store, actually handles incoming FCM messages directly. It is a privileged app, and is the only one that will use those permissions to send data to your app.

If you manage to root your device and install a malicious app with system privileges, then you might have a problem. But that's the risk you take when you bypass the security measures built into the device.
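
An added example (not part of the original question or answer, and not Firebase code): a small audit that repeats the asker's manifest check, listing each exported activity, service and receiver with the permission guarding it and whether that permission's protection level can be read from the same manifest. The package name, PingReceiver, SyncService, LocalService and the PING permission are constructed for the sample; only the FirebaseInstanceIdReceiver entry comes from the question.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver")

# Constructed sample: the receiver from the question plus hypothetical components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <permission android:name="com.example.app.permission.PING"
      android:protectionLevel="normal" />
  <application>
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
        android:exported="true"
        android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter><action android:name="com.google.android.c2dm.intent.RECEIVE" /></intent-filter>
    </receiver>
    <receiver android:name=".PingReceiver" android:exported="true"
        android:permission="com.example.app.permission.PING" />
    <service android:name=".SyncService" android:exported="true" />
    <service android:name=".LocalService" android:exported="false" />
  </application>
</manifest>"""

def audit_exported(manifest_xml):
    """Return (component name, guarding permission, finding) per exported component."""
    root = ET.fromstring(manifest_xml)
    # Protection levels of the permissions this manifest defines itself.
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.iter("permission")}
    app = root.find("application")
    app_perm = app.get(ANDROID + "permission") if app is not None else None
    findings = []
    for comp in (c for tag in COMPONENTS for c in root.iter(tag)):
        exported = comp.get(ANDROID + "exported")
        if exported is None:
            # Legacy default: an intent-filter implies exported (explicit on Android 12+).
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported != "true":
            continue
        perm = comp.get(ANDROID + "permission") or app_perm
        if perm is None:
            finding = "UNGUARDED"          # any app on the device can reach it
        elif perm not in levels:
            finding = "DEFINED_ELSEWHERE"  # level depends on the defining package
        else:
            # Anything below signature level can be requested by other apps.
            finding = "SIGNATURE" if "signature" in levels[perm] else "WEAK_LEVEL"
        findings.append((comp.get(ANDROID + "name"), perm, finding))
    return findings
```

For a DEFINED_ELSEWHERE result, as with the receiver in the question, the protection level has to be read from the package that defines the permission on the device, not from the app's own manifest.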
