I see that this opens a lot of vulnerabilities, but any application with the right permissions could already do on the Android phone what you mentioned - it does not need to send key events to be malicious.
On the other hand, permissions could be finer grained: i.e. allow a certain application only to send key events to a specific other application or only grant restricted rights to an application whenever it is controlled by another application. But I agree that allowing an application to send arbitrary key events to arbitrary other applications poses severe security issues. So as long as finer grained permissions are not available, it is probably safest to do as you do and turn this feature off completely. (I think a similar vulnerability issue arises with the possibility to launch arbitrary intents on another phone through GTalk - http://groups.google.com/group/android-developers/browse_frm/thread/a5dba58a03b9f46e - at least in m5 I don't see yet how this can be prevented. Some refined permission system is probably necessary there too.). Peli On Apr 4, 3:19 am, hackbod <[EMAIL PROTECTED]> wrote: > Being able to inject key events to any applications means you can > effectively do anything the user can do -- you can start phone calls > without them being involved, download and install applications without > them being involved, etc. > > This is not something we plan to support. > > On Apr 3, 5:03 pm, Peli <[EMAIL PROTECTED]> wrote: > > > > > What could go wrong with granting permissions to selected trustful > > applications just like applications can be granted rights to > > ACCESS_GPS, READ_CONTACTS, or RECEIVE_BOOT_COMPLETED? => > > INJECT_KEY_EVENTS? > > > Not that I'm asking for it (since I know of the time-constraints the > > Android team has to deal with), but in principle, wouldn't it be a > > more open strategy to allow technically whatever is possible as long > > as access is controlled by permissions? > > > Peli > > > On Apr 3, 11:29 pm, hackbod <[EMAIL PROTECTED]> wrote: > > > > We aren't allowing injection of arbitrary key events from third party > > > applications. It's just too big a security hole. > > > > On Apr 3, 1:47 pm, Peli <[EMAIL PROTECTED]> wrote: > > > > > Another possible usage could be speech recognition (SR) - if this is > > > > not covered by the Android framework itself: A SR application could > > > > put text at the cursor position of another application, and thus > > > > enable blind people to work with arbitrary applications - email, web > > > > browser forms, proprietary forms, ... - not only those that have been > > > > designed for the blind... > > > > > Of course, it would be better to have native support for those but > > > > that is not in sight yet... > > > > > Peli > > > > > On Apr 3, 9:27 pm, hackbod <[EMAIL PROTECTED]> wrote: > > > > > > You are allowed to inject key events as long as the focus window they > > > > > are going to is one that was created by a process with your own user > > > > > ID. This allows instrumentation tests to drive the UI of the app they > > > > > are testing (since the instrumentation is built against the test app, > > > > > so runs with its own uid). > > > > > > On Apr 3, 11:57 am, "Dan U." <[EMAIL PROTECTED]> wrote: > > > > > > > Yeah, I agree. Huge security problem there. I can see where it might > > > > > > come in handy for automated GUI testing, but not much else. > > > > > > > On Apr 3, 9:35 am, hackbod <[EMAIL PROTECTED]> wrote: > > > > > > > > No, we don't allow an application to inject key events that drive > > > > > > > another app. Too big of a security hole. :) > > > > > > > > On Apr 3, 7:45 am, dimenwarper <[EMAIL PROTECTED]> wrote: > > > > > > > > > Yea, more or less I want one app of mine to serve as a proxy > > > > > > > > actor to > > > > > > > > another app. I don't see any of these in the docs or anywhere > > > > > > > > else so > > > > > > > > I'll probably have to implement a mini layer based on intents > > > > > > > > to do > > > > > > > > the job =| > > > > > > > > > chrs, > > > > > > > > dw > > > > > > > > > On Apr 3, 12:36 am, "Dan U." <[EMAIL PROTECTED]> wrote: > > > > > > > > > > You mean to make your app interact with another app? I don't > > > > > > > > > think > > > > > > > > > that's possible. > > > > > > > > > > On Apr 2, 11:13 pm,dimenwarper<[EMAIL PROTECTED]> wrote: > > > > > > > > > > > hey all! > > > > > > > > > > > Does anyone know if there is any way to create and launch > > > > > > > > > > events (such > > > > > > > > > > as click and key events) via software (e.g. > > > > > > > > > > createClickEvent(float x, > > > > > > > > > > float y))? > > > > > > > > > > > Rgrds, > > > > > > > > > > dw- Hide quoted text - > > > > > > - Show quoted text -- Hide quoted text - > > > > - Show quoted text -- Hide quoted text - > > - Show quoted text - --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] Announcing the new M5 SDK! http://android-developers.blogspot.com/2008/02/android-sdk-m5-rc14-now-available.html For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~----------~----~----~----~------~----~------~--~---
