Thank you Chris. I understand your points. And they are all valid ones. Custom intents are indeed tricky. I didn't really think about them. But now that I think about that, analysing every startActivity(intent) and startService(intent) -- that is not exhaustive by any means but good enough for the purpose of what I'm trying to achieve -- and then analyze the getAction(), along with maybe getType(), and disallow everything except for well-known actions.
Makes sense?

ATTA

On Mon, Apr 23, 2012 at 5:48 PM, Chris Stratton <[email protected]> wrote:

> On Monday, April 23, 2012 11:22:51 AM UTC-4, atta wrote:
>>
>> I understand your point about JNI and reflection. I don't have solution
>> for JNI but for reflection, I think we can use static analyzer to see if
>> it's been used to load certain classes or make calls to certain methods.
>>
>
> You might be able to find out if reflection is used at all, but you won't
> be able to tell what code is being reflected without executing/simulating
> the code to find the argument to the reflection.
>
>
>> What I don't know about is, "constructed intent". Could you please
>> elaborate.
>>
>
> Similarly, code can instruct an Intent with parameters that can't be known
> without executing/simulating the code.
>
> Consider the extreme case: the android-app equivalent to a command line
> shell, which gives the user text fields into which they can enter
> parameters to the reflection or Intent - obviously, there is no way to know
> what they enter. Then consider the less extreme case, in which
> those parameters are produced internally in a highly obfuscated way. Or
> the variant case where they seem to come from a straightforward source, but
> actually come from someplace else (like a network socket) due to the code
> having an intentional "bug" in it...
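Added example, not part of the original thread and not code from either poster: a minimal static pass over constructed smali that allows only well-known constant actions at `startActivity`/`startService` call sites, and shows the case raised in the quoted reply, where the action comes from a text field and cannot be resolved without running the code. The allowlist, the sample listing and the function name `classify_launches` are assumptions made for illustration.

```python
import re

# Assumed allowlist; the thread does not enumerate the "well-known" actions.
ALLOWED = {"android.intent.action.VIEW", "android.intent.action.SEND"}

# Constructed smali: three launches (constant allowed, constant custom, user-typed).
SAMPLE = '''
new-instance v0, Landroid/content/Intent;
const-string v1, "android.intent.action.VIEW"
invoke-direct {v0, v1}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
invoke-virtual {p0, v0}, Landroid/app/Activity;->startActivity(Landroid/content/Intent;)V
new-instance v0, Landroid/content/Intent;
const-string v1, "com.example.CUSTOM"
invoke-direct {v0, v1}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
invoke-virtual {p0, v0}, Landroid/app/Activity;->startActivity(Landroid/content/Intent;)V
new-instance v0, Landroid/content/Intent;
invoke-virtual {p1}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
move-result-object v1
invoke-virtual {v1}, Ljava/lang/Object;->toString()Ljava/lang/String;
move-result-object v1
invoke-direct {v0, v1}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
invoke-virtual {p0, v0}, Landroid/app/Activity;->startActivity(Landroid/content/Intent;)V
'''

CONST = re.compile(r'const-string(?:/jumbo)? (\w+), "(.*)"')
INVOKE = re.compile(r'invoke-\w+ \{([^}]*)\}, (\S+)')
WRITE = re.compile(r'(?:new-instance|move-result-object|move-object) (\w+)')
SETTERS = ("Intent;-><init>(Ljava/lang/String;", "Intent;->setAction(")
LAUNCHES = ("->startActivity(", "->startService(")

def classify_launches(smali):
    strings, actions, verdicts = {}, {}, []  # reg -> constant, reg -> Intent action
    for line in map(str.strip, smali.splitlines()):
        if m := CONST.match(line):
            strings[m.group(1)] = m.group(2)
        elif m := INVOKE.match(line):
            regs, target = re.findall(r'\w+', m.group(1)), m.group(2)
            if any(s in target for s in SETTERS):
                actions[regs[0]] = strings.get(regs[1])  # None: not a constant
            elif any(s in target for s in LAUNCHES):
                action = actions.get(regs[1])
                verdict = ("unresolved" if action is None
                           else "allow" if action in ALLOWED else "deny")
                verdicts.append((verdict, action))
        elif m := WRITE.match(line):  # register overwritten with a non-constant
            strings.pop(m.group(1), None)
            actions.pop(m.group(1), None)
    return verdicts
```

An "unresolved" verdict has to be treated as a rejection or handed to dynamic analysis, since the static pass cannot tell what action will be used at run time.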
