Chris, So what services are responsible for verification if the caller has permission to force the callee to execute its requirements? In case of installd, I cannot find its permission declaration. So could the permission be verified by the User ID (installd is execute on behalf of * system*)?
On 24 February 2011 06:21, Chris Palmer <[email protected]> wrote: > On Wed, Feb 23, 2011 at 12:04 PM, Rahul Potharaju <[email protected]> > wrote: > > > I understand when you say the receiver should ask "Do I know or care > about > > the sender of this Intent?" and "Is the Intent well-formed according to > my > > input validation rules?". But I don't quite understand why the receiver > > should ask the question "Did the sender have a given permission?". Isn't > > this the task of the Security Manager (Reference Monitor) that takes care > of > > the access control? Or am I missing something here? > > Android does not use a Java Security Manager. And that is a Good Thing > (even if it freaks everybody out). (Dare I mention that Dalvik does > bytecode verification primarily for optimization and not for security? > :) ) > > You might want to check if the caller had a certain Permission as an > indication that the user has delegated some authority to a class of > apps, and not just a single app by app identity. You could create a > new Permission, or use an existing one. If the caller has that > Permission, then the user has delegated that power to the calling app. > > If your component is a Service or a BroadcastReceiver, you can set > this kind of policy declaratively, e.g. the permission attribute of > the <service> or <receiver> tag: > > http://developer.android.com/guide/topics/manifest/service-element.html > > Otherwise, you can also set this kind of policy imperatively: > > > http://developer.android.com/guide/topics/security/security.html#enforcement > -- Best regards, Anh-Duy Vu -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
