Update: I'm currently using the following method to "authenticate" the apps that are calling my application.

When a third party app is calling my activity, I use the following:

    String callingPackage = getCallingPackage(); // Package name of the activity which sent the intent; returned by the Android OS.
    PackageInfo pinfo = getPackageManager().getPackageInfo(callingPackage, PackageManager.GET_SIGNATURES);
    Signature[] signature = pinfo.signatures; // Retrieves the signature(s) of the application sending the intent; also given by the OS.

I store this the first time the 3rd party app is calling my application. For subsequent calls to my application, I check the package name and the signature to allow access.

As Dianne pointed out before, the "package name + signing cert" combination is unique. So, even if an attacker can fake the "package name", I don't think he can fake the signature associated with the package (I guess for this he needs the private key of the original developer, which is hopefully securely protected).

On the other hand, if it is possible for an attacker to install an app with the required package name and somehow attach the signature (which is public anyway) to his app on the phone, then the above solution fails. I think Android doesn't allow this, but only Android experts can confirm if this is foolproof.

Cheers,
Raj

On Jul 28, 4:31 am, Chris Palmer <[email protected]> wrote:
> In general, these may help:
>
> https://www.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf
>
> (perhaps the "Binder Interfaces" section?)
>
> https://www.isecpartners.com/intent_sniffer.html
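Here is one way to turn the package-name-plus-certificate check discussed in the message above into a fail-closed helper. This is an added example, not code from the original thread or from any of its participants. The package name com.example.trustedclient and the all-zero SHA-256 fingerprint are constructed placeholders to be replaced with values obtained out of band (for example from the partner's release keystore). The design differs from the post in two ways: the expected certificate fingerprint is pinned at build time rather than recorded from whatever certificate shows up on first contact, so an impostor that reaches the device first gains nothing; and every certificate in the caller's signature list must match, so an unexpected extra certificate fails the check. On API 28 and later, where PackageInfo.signatures is deprecated, it delegates the comparison to PackageManager.hasSigningCertificate().

```java
import android.app.Activity;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/** Verifies that the activity which started us via startActivityForResult()
 *  is a known package signed with a pinned certificate. (Added example.) */
public final class CallerVerifier {

    // Hypothetical allow-list entry: package name -> SHA-256 of its signing cert.
    // Both values are constructed placeholders; obtain the real ones out of band.
    private static final String TRUSTED_PACKAGE = "com.example.trustedclient";
    private static final String TRUSTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private CallerVerifier() {}

    /** True only if the caller is TRUSTED_PACKAGE and every certificate it is
     *  signed with hashes to TRUSTED_CERT_SHA256. Anything else fails closed. */
    public static boolean isTrustedCaller(Activity activity) {
        // getCallingPackage() is null unless the caller used startActivityForResult();
        // a plain startActivity() gives us no attributable identity, so we refuse.
        String caller = activity.getCallingPackage();
        if (caller == null || !TRUSTED_PACKAGE.equals(caller)) {
            return false;
        }
        PackageManager pm = activity.getPackageManager();
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                // API 28+: the platform compares the SHA-256 of the signing cert for us.
                return pm.hasSigningCertificate(caller,
                        hexToBytes(TRUSTED_CERT_SHA256),
                        PackageManager.CERT_INPUT_SHA256);
            }
            // Older platforms: read the (since deprecated) signatures array ourselves.
            PackageInfo info = pm.getPackageInfo(caller, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length == 0) {
                return false;
            }
            // Require ALL certificates to match, not just one of them.
            for (Signature sig : sigs) {
                if (!TRUSTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            // The package vanished between the call and our lookup; treat as untrusted.
            return false;
        }
    }

    /** Lower-case hex SHA-256 of the DER-encoded certificate bytes. */
    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format(Locale.ROOT, "%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Decodes an even-length hex string into raw bytes. */
    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Call CallerVerifier.isTrustedCaller(this) at the top of the protected activity's onCreate() and finish() immediately when it returns false. Because getCallingPackage() is only populated when the caller used startActivityForResult(), an activity launched with plain startActivity() is rejected as well, which is the intended fail-closed behaviour for this kind of gate.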
