我正在编写一款Android应用程序,需要接收系统发送的广播。我想确保这些广播确实是由系统发送的。我找到了这个OWASP 视频。
在视频的18:00处,演讲者建议验证广播来源的一种方法是使用(查看他的幻灯片):
Binder.getCallingUid () == Process.SYSTEM_UID
我尝试在我的应用中测试过这个API,但是它给了我自己应用程序的uid。
我从Dianne Hackborn那里找到了这个解释:
Binder.getCallingUid() returns the UID of the caller when processing
an incoming Binder IPC. The value that is returned will vary depending
on whether you are in the context of dispatching an incoming IPC or
something else.
Also, code will often call Binder.clearCallingIdentity() to clear the
calling information after it has verified it so that further operations
are considered to be coming from the current uid.
此外,从文档中得知:
Return the Linux uid assigned to the process that sent you the current
transaction that is being processed. This uid can be used with
higher-level system services to determine its identity and check permissions.
If the current thread is not currently executing an incoming transaction,
then its own uid is returned.
考虑到这两种解释,
Binder.getCallingUid
API在Android组件的生命周期事件中(我已经在BroadcastReceiver的onReceive和Service的onStartCommand中进行了测试)有用吗?如果没有作用,为什么OWASP要求我们使用它?
BroadcastReceiver
和ContentProvider
之间的API如此不同,但是据我所见没有BroadcastReceiver.getCallingPackage()
或等效项。 :( - Giszmo