Android - BroadcastReceiver - caller verification

4

I am writing an Android application that needs to receive broadcasts sent by the system. I want to make sure that these broadcasts are really sent by the system. I found this OWASP video.

At 18:00 in the video, the speaker suggests that one way to verify the source of a broadcast is to use (see his slide):

 Binder.getCallingUid() == Process.SYSTEM_UID

I tried testing this API in my app, but it gave me my own application's uid.
I found this explanation from Dianne Hackborn:
 Binder.getCallingUid() returns the UID of the caller when processing 
 an incoming Binder IPC.  The value that is returned will vary depending 
 on whether you are in the context of dispatching an incoming IPC or 
 something else.

 Also, code will often call Binder.clearCallingIdentity() to clear the 
 calling information after it has verified it so that further operations
 are considered to be coming from the current uid.

Also, from the documentation:
 Return the Linux uid assigned to the process that sent you the current 
 transaction that is being processed. This uid can be used with 
 higher-level system services to determine its identity and check permissions. 
 If the current thread is not currently executing an incoming transaction, 
 then its own uid is returned.

Given these two explanations, is the Binder.getCallingUid API useful at all in Android component lifecycle events (I have tested it in BroadcastReceiver's onReceive and Service's onStartCommand)?
If it is not useful, why does OWASP ask us to use it?

Is this question related to this one? I am wondering why the APIs of BroadcastReceiver and ContentProvider are so different, but as far as I can see there is no BroadcastReceiver.getCallingPackage() or equivalent. :( - Giszmo
Did you find a solution? - Alice Van Der Land
1 answer

0

Section 5 of this document explains why using Binder.getCallingUid() in a BroadcastReceiver is useless. It only returns the UID of your own running application. However, when a remote service is called, for example a service bound via AIDL, it returns a useful value.


The link is dead now, unfortunately. - user1120897
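The two contexts the answer contrasts, as an added example that is not part of the question or the answer: inside a BroadcastReceiver's onReceive the call returns the receiver's own UID, so the comparison from the slide cannot identify the sender, whereas inside a method of an AIDL-bound service it runs while dispatching an incoming IPC and returns the client's UID. ICallerCheck is a hypothetical AIDL interface assumed here, with a single method boolean isSystemCaller().

```java
import android.app.Service;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Process;
import android.util.Log;

public class CallerCheckDemo {
    private static final String TAG = "CallerCheck";

    // Lifecycle callback: onReceive is not executed as an incoming Binder
    // transaction, so getCallingUid() falls back to this process's own uid.
    public static class SystemOnlyReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            int callingUid = Binder.getCallingUid();
            // Always equal here; the check says nothing about who sent the broadcast.
            boolean sameAsSelf = callingUid == Process.myUid();
            Log.d(TAG, "onReceive callingUid=" + callingUid
                    + " myUid=" + Process.myUid() + " sameAsSelf=" + sameAsSelf);
        }
    }

    // Remote service: each Stub method runs while an incoming IPC is being
    // dispatched, so getCallingUid() identifies the client process.
    public static class CheckedService extends Service {
        // ICallerCheck.Stub is generated from the hypothetical AIDL file.
        private final ICallerCheck.Stub binder = new ICallerCheck.Stub() {
            @Override
            public boolean isSystemCaller() {
                int callerUid = Binder.getCallingUid();
                boolean fromSystem = callerUid == Process.SYSTEM_UID;
                if (!fromSystem) {
                    Log.w(TAG, "rejected caller uid=" + callerUid);
                }
                return fromSystem;
            }
        };

        @Override
        public IBinder onBind(Intent intent) {
            return binder;
        }
    }
}
```

Any further work the service does after the check should run between Binder.clearCallingIdentity() and Binder.restoreCallingIdentity(token), as Hackborn's note describes, so that it is attributed to the service's own uid.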
