如何解决有关导出的 Firebase 消息服务实现的 android lint 投诉? [英] How to address android lint complaint about exported Firebase Messaging service implementations?

问题描述

按照 Google 开发人员关于在我的应用中实施 Firebase 的说明，我注意到 android lint 抱怨.

Following the Google developer instructions on implementing Firebase in my app, I notice that android lint complains.

我们的想法是我们必须实现两个继承自 Firebase 服务的服务:

The idea is that we have to implement two services which inherit from Firebase services:

public class MyFirebaseInstanceIDService extends FirebaseInstanceIdService { ... }

public class MyFirebaseMessagingService extends FirebaseMessagingService { ... }

然后在清单中注册这些服务.但是，它并不十分完美.特别是，这两个推荐的 AndroidManifest.xml 服务条目不包含任何特殊权限:

and then register those services in the manifest. But, it's not quite perfect. In particular, these two recommended AndroidManifest.xml service entries do not contain any special permissions:

<service android:name=".MyFirebaseMessagingService">
    <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
    </intent-filter>
</service>

<service android:name=".MyFirebaseInstanceIDService">
    <intent-filter>
        <action android:name="com.google.firebase.INSTANCE_ID_EVENT"/>
    </intent-filter>
</service>

所以 linter 说:

and so the linter says:

导出的服务(设置exported=true 或包含intent-filter 且未指定exported=false 的服务)应定义实体必须具有的权限才能启动服务或绑定到它.没有这个，任何应用程序都可以使用这个服务.

Exported services (services which either set exported=true or contain an intent-filter and do not specify exported=false) should define a permission that an entity must have in order to launch the service or bind to it. Without this, any application can use this service.

我是否应该将此属性添加到每个服务标签并完成它

Should I just add this attribute to each service tag and be done with it

tools:ignore="ExportedService"

或者在这种情况下有更好的方法吗?我的意思是，像这样公开这些特定的 Firebase 派生服务是否安全?

or is there a better approach in this situation? I mean, is it safe to expose these particular Firebase derived services like this?

推荐答案

你问:...像这样公开这些特定的 Firebase 派生服务是否安全? 如果你相信这些评论在这些服务的清单文件中.

You ask: ...is it safe to expose these particular Firebase derived services like this? It is if you trust the comments in the manifest files for these services.

在 Android Studio 中，打开应用的 AndroidManifest.xml 文件.在窗口底部，选择 Merged Manifest 选项卡.滚动以找到 FirebaseMessagingService 的条目.双击包含服务名称的行.服务的清单文件应该会打开，您会看到:

In Android Studio, open your app's AndroidManifest.xml file. At the bottom of the window, select the tab for Merged Manifest. Scroll to find the entry for FirebaseMessagingService. Double-click on the line that contains the service name. The manifest file for the service should open and you will see this:

<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.google.firebase.messaging">
    <uses-sdk android:minSdkVersion="14"/>

    <application>

        <!-- FirebaseMessagingService performs security checks at runtime,
             no need for explicit permissions despite exported="true" -->
        <service android:name="com.google.firebase.messaging.FirebaseMessagingService" android:exported="true">
            <intent-filter android:priority="-500">
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>

    </application>
</manifest>

注意注释:FirebaseMessagingService 在运行时执行安全检查，尽管exported="true"

您可以对 FirebaseInstanceIdService 执行相同操作并查看相同的注释.

You can do the same for FirebaseInstanceIdService and see the same comment.

如果您相信评论(我相信)，您可以放心地忽略 lint 警告或禁用检查.

If you trust the comments (I do), you can safely ignore the lint warnings or disable the checks.

这篇关于如何解决有关导出的 Firebase 消息服务实现的 android lint 投诉?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！