Greetings, Will. Thanks for the note. The OpenIntents project is very open for others to implement compatible intents. For instance, OI Safe (as it's now called) requires a password, but you could imagine implementing a keystore system that used biometric or other kinds of authentication.
However, you make a good point. How can we distinguish the users' desire to allow an application to act as a keystore from a malicious application? It sounds like you suggest somehow requiring permission from a user for an application to handle certain kinds of actions, but that there's really no way to do this right now, is that right?

Is this the paper you're referring to?
http://www.citeulike.org/user/dhein1030/article/3979456

thanks,

Isaac

William Enck wrote:
>
> Isaac,
>
> Your project looks interesting. Quick question regarding the security of
> OI Safe's Keystore Service. In your example, how does the Instant
> Message Application know that it is the AndroidPasswordSafe application
> receiving the cleartext password stored in the ACTION_SET_PASSWORD
> Intent? Assuming (from the symmetric communication in the diagram) you
> are using startActivity() and not broadcasting an Intent, the API does
> not provide a mechanism to require a permission of the receiving
> application.
>
> I believe a caution related to this was mentioned as a "developer tip"
> in the iSec whitepaper by Jesse Burns that was mentioned on this list a
> few months ago.
>
> Thanks,
>
> -Will
>
> On Mar 12, 2009, at 7:32 PM, Isaac Potoczny-Jones wrote:
>
>>
>> Greetings, as I just mentioned on the android developers group, you
>> might find the OpenIntents keystore project of interest as well:
>>
>> http://code.google.com/p/openintents/wiki/CryptoIntents
>>
>> It would be great to build something compatible, since the goal of the
>> openintents project is interoperability :)
>>
>> peace,
>>
>> isaac
>>
>
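
An added example, not part of the original thread and not OpenIntents code: one way a calling app can check which application will receive the Intent before it places a cleartext password in it, by resolving the handler, pinning the package, and comparing the signing certificate. The action string, package name and certificate digest below are placeholders assumed for illustration.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import java.security.MessageDigest;

public final class KeystoreCaller {
    // Placeholders (assumptions): none of these values come from the OpenIntents project.
    static final String ACTION_SET_PASSWORD = "example.intent.action.SET_PASSWORD";
    static final String TRUSTED_PACKAGE = "com.example.trustedkeystore";
    // SHA-256 of the trusted keystore's signing certificate, pinned at build time.
    static final byte[] TRUSTED_CERT_SHA256 = new byte[32]; // placeholder digest

    /**
     * Returns an explicit Intent bound to the verified keystore activity,
     * or null if no handler passes the checks. The caller adds the secret
     * only to a non-null result.
     */
    static Intent buildVerifiedIntent(Context ctx) throws Exception {
        PackageManager pm = ctx.getPackageManager();

        // Restrict resolution to the expected package, so another app that
        // declares the same action in its intent filter is never chosen.
        Intent intent = new Intent(ACTION_SET_PASSWORD);
        intent.setPackage(TRUSTED_PACKAGE);
        ResolveInfo ri = pm.resolveActivity(intent, 0);
        if (ri == null || ri.activityInfo == null) return null;
        if (!TRUSTED_PACKAGE.equals(ri.activityInfo.packageName)) return null;

        // A package name alone is not an identity: if the real keystore is not
        // installed, any app may claim the name. Compare the signing certificate.
        // (GET_SIGNATURES is deprecated on newer API levels but still available.)
        PackageInfo pi = pm.getPackageInfo(TRUSTED_PACKAGE, PackageManager.GET_SIGNATURES);
        if (pi.signatures == null || pi.signatures.length != 1) return null;
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(pi.signatures[0].toByteArray());
        if (!MessageDigest.isEqual(digest, TRUSTED_CERT_SHA256)) return null;

        // Bind to the exact component that was verified, so the Intent cannot
        // be re-resolved to a different activity when it is sent.
        intent.setComponent(new ComponentName(ri.activityInfo.packageName,
                ri.activityInfo.name));
        return intent;
    }
}
```

This check lets the sender decide whom it trusts; it does not add a receiver-side permission to startActivity().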
