On Fri, Jul 22, 2011 at 3:22 PM, rich friedel <[email protected]> wrote:
> @Mark That is extremely interesting! Just like you, I assumed that intent
> extras were private.

Yeah, it shocked the heck out of me when somebody mentioned it.

> This begs the question... What to do then to keep
> intent extras private? Better yet, how should we pass sensitive data in an
> intent extra in such a way that the data remains secure?

Don't pass sensitive stuff in extras used in Intents with
startActivity(). Hold that information elsewhere (e.g., static data
member). Using static data members for passing data between activities
is generally a bad idea, but for this, it may be the best choice. You
could save the data to a local file or something, but that involves
file I/O, which can have performance implications, though for
something like this it's probably OK.

Corollary: don't design an exported activity (i.e., one you want third
parties to invoke) that requires sending sensitive stuff via extras.

-- 
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

Warescription: Three Android Books, Plus Updates, One Low Price!
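
Added example, not part of Mark Murphy's message: one way to follow the advice above in Java, keeping the sensitive value in a static, in-process holder and putting only a random one-time handle in the extra passed to startActivity(). `SecretHolder`, `DetailActivity` and `EXTRA_HANDLE` are hypothetical names.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical holder: secrets stay in this app's memory, never in an Intent. */
public final class SecretHolder {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Map<String, char[]> SECRETS = new ConcurrentHashMap<>();

    private SecretHolder() {}

    /** Stores a copy of the secret and returns a random handle that is safe to put in an extra. */
    public static String put(char[] secret) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder handle = new StringBuilder(32);
        for (byte b : raw) {
            handle.append(String.format("%02x", b));
        }
        SECRETS.put(handle.toString(), secret.clone());
        return handle.toString();
    }

    /**
     * One-time read: the entry is removed when it is taken.
     * Returns null if the handle is missing or unknown, which also happens
     * when the process was killed and the static state is gone.
     */
    public static char[] take(String handle) {
        return handle == null ? null : SECRETS.remove(handle);
    }
}

// Sender activity (DetailActivity and EXTRA_HANDLE are hypothetical):
//   Intent i = new Intent(this, DetailActivity.class);
//   i.putExtra(EXTRA_HANDLE, SecretHolder.put(password));  // only the handle leaves
//   startActivity(i);
//
// Receiver activity, in onCreate():
//   char[] secret = SecretHolder.take(getIntent().getStringExtra(EXTRA_HANDLE));
//   if (secret == null) { finish(); return; }  // static state lost; ask the user again
```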
