我正在编写一个 Android 应用程序,其中我需要接收系统发送的一些广播。我想确保广播确实是由系统发送的。我找到了这个 OWASP video .
在视频中的 18:00 时间,演讲者建议验证广播来源的方法之一是使用(查看他的幻灯片):
Binder.getCallingUid () == Process.SYSTEM_UID
我试图在我的应用程序中对此进行测试,但是这个 API 为我提供了我自己的应用程序的 uid。
我找到了 explanation来自黛安哈克伯恩:
Binder.getCallingUid() returns the UID of the caller when processing
an incoming Binder IPC. The value that is returned will vary depending
on whether you are in the context of dispatching an incoming IPC or
something else.
Also, code will often call Binder.clearCallingIdentity() to clear the
calling information after it has verified it so that further operations
are considered to be coming from the current uid.
此外,来自 docs :
Return the Linux uid assigned to the process that sent you the current
transaction that is being processed. This uid can be used with
higher-level system services to determine its identity and check permissions.
If the current thread is not currently executing an incoming transaction,
then its own uid is returned.
鉴于这两种解释,是 API
Binder.getCallingUid
在 Android 组件的生命周期事件中有什么用途(我已经在 BroadcastReceiver 的 onReceive、Service 的 onStartCommand 中测试过)?如果没有,为什么 OWASP 要求我们使用它?
最佳答案
this document 第 5 节解释了为什么 Binder.getCallingUid() 在 BroadcastReceiver
中没有用处.它只返回正在执行的应用程序的 UID。但如果您调用远程服务,它会返回一个有用的值,例如使用 AIDL 绑定(bind)服务时。
关于android - 广播接收器 - 调用者验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/25691422/