I answered this question (verbatim) earlier today on android-platform... So one of the things you might think about is what happens on hardware you don't trust.
What stops someone from writing up a ROM that just hijacks your intent and sends it to someone else? The answer in this case would be to encrypt the information you're sending, though you obviously still have the possibility of introducing a timing channel if there's any possibility of that by the nature of *when* you send intents. So I would say that in general there is not a way to do this securely within the system, and that instead you should focus on some higher level way to enforce these kinds of guarantees. That being said, you do know about the distinction between implicit and explicit intents, correct? You can specify exactly which package you want to handle your intent. While you can't -- at the *intent resolution* level -- be sure intents are routed correctly, you *can* write a permission that ensures signature with the same certificate. http://developer.android.com/guide/topics/manifest/permission-element.html#plevel So if we assume the system is being *good* and not routing your intents badly, then you can use this mechanism to ensure correct delivery. If you consider a byzantine system, you want to add some additional security. If you assume the system is working against you, really you're kind of hosed anyway, because the system will have access to the key used to encrypt the information on both sides, so there's really nothing you can do anyway... kris On Thu, Sep 27, 2012 at 3:38 AM, Vision <[email protected]> wrote: > Hi, > > I want to send an intent with password from application to service at same > time this intent contents should not be sniffed or pulled by other app or > any other malicious app. can anyone tell me how Android provides such > facility? > > > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To view this discussion on the web visit > https://groups.google.com/d/msg/android-security-discuss/-/fH_REnH0LakJ. > To post to this group, send email to > [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
