On Tue, Jun 15, 2010 at 12:59 PM, ADman <[email protected]> wrote: > hi there, > > For our application, we need to have two applications share the same > database. I have done the following: > > 1. assigned each application the same 'SharedUserID' > 2. used Context.CONTEXT_INCLUDE_CODE in the 'calling' application to > access the db defined in the 'called' application > 3. signed both apps with my key > > By doing this both apps are able to share the same db. My questions: > > 1. Can some 3rd party app figure out the sharedUserID and also gain > access to the db using the Context.CONTEXT_INCLUDE_CODE >
No. To run as the same sahredUserId you need to be signed with the same cert. > 2. can the 'calling' app be inspected to figure out how to use the > database i.e. what calls to use? > It can always access the code. It can not access the data. > 3. is signing enough to prevent a 3rd party from getting access to > both my 'called' and 'calling' app? or do the apps needs to be > obfuscated(I saw a post about using 'Proguard'?) > It depends on what you mean by access. By default all data you write is not world readable, so only others running as your uid can access it. > 4.Finally, is this the best way to achieve my goal of sharing the db? > I read about using ContentProvider method also, but people say its > slower than using direct db access? Does ContentProvider method > provides better security? > The security depends on how you use things. Which makes sense really depends on a lot of factors. -- Dianne Hackborn Android framework engineer [email protected] Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them.
