Hello,
I would like to correlate series of API calls with the permissions
required
for the code to execute properly. A simple example of this would be
seeing:
Cursor c = getContentResolver().query(Contacts.CONTENT_URI, ...);
and knowing it requires READ_CONTACTS. Many cases will require
considering several statements rather than one and possibly tracking
the
values of variables that get passed into the API calls.
There are two ways I was thinking about gaining this information:
1. Reviewing the source of existing applications and examining both
the
permissions they require and the specific code that exercises that
functionality. However, this is limited to the permissions used in
applications of which I have the source. True, I could create
prototypes
that use every permission, but that would be very time intensive.
Furthermore, a greater problem is that there are a large number of
ways and API calls that require a given permission. This approach
would not be a good way to capture all the ways an application can
(for example) read the contacts.
2. As permissions need to be enforced to work, I thought there might
be
some place in the Android source that checks if an app should be
allowed
to complete the current API call based on its permissions. Previous
threads
pointed me towards ActivityManagerService.java. However, the
PermissionController class defined in it does not seem to contain the
correlation
information I seek. checkPermission() and other functions appear to
primarily
check the uid and pid of the current application against a permission
string,
there's no <this function> with <these args> needs <this permission>,
as I
would like.
Is there a better / more complete way of finding out this correlation
that I
haven't considered?
Thanks for your time,
Clint Gibler
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.
