android - Broadcast receiver - verifying the caller

Time: 2014-09-05 17:55:02

Tags: android android-intent android-broadcast android-binder

I am writing an Android application and I need to receive some broadcasts sent by the system. I want to make sure that the broadcast was really sent by the system. I found this OWASP video.

At 18:00 in the video, the speaker suggests using one of the following methods to verify the source of a broadcast (see his slides):

 Binder.getCallingUid() == Process.SYSTEM_UID

I tried testing it in my application, but this API gives me my own application's uid.

I found this explanation from Dianne Hackborn:

 Binder.getCallingUid() returns the UID of the caller when processing 
 an incoming Binder IPC.  The value that is returned will vary depending 
 on whether you are in the context of dispatching an incoming IPC or 
 something else.

 Also, code will often call Binder.clearCallingIdentity() to clear the 
 calling information after it has verified it so that further operations
 are considered to be coming from the current uid.

Also, from the docs:

 Return the Linux uid assigned to the process that sent you the current 
 transaction that is being processed. This uid can be used with 
 higher-level system services to determine its identity and check permissions. 
 If the current thread is not currently executing an incoming transaction, 
 then its own uid is returned.

Given these two explanations, is the Binder.getCallingUid API usable at all in the lifecycle events of Android components (I have tested it in onReceive of a BroadcastReceiver and in onStartCommand of a Service)?

If not, why does OWASP ask us to use it?

1 answer:

Answer 0 (score: 0)

Section 5 of this document explains why Binder.getCallingUid() is not useful in a BroadcastReceiver. It simply returns the UID of the application it is running in. But in the case where you are calling a remote service, it returns a useful value, for example when a service is bound using AIDL.
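An added example (not code from the question, the answer, or the OWASP talk) showing the distinction the answer draws: inside an AIDL stub method the UID check is meaningful, while in onReceive it only compares the app's own uid. The ISensitiveOps AIDL interface and the class names are assumptions.

```java
// Added example: where Binder.getCallingUid() is meaningful and where it is not.
// ISensitiveOps is a hypothetical AIDL interface with one method, doSensitiveThing().
import android.app.Service;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Process;
import android.os.RemoteException;

public class SensitiveService extends Service {
    // ISensitiveOps.Stub would be generated from the (hypothetical) AIDL file.
    private final ISensitiveOps.Stub binder = new ISensitiveOps.Stub() {
        @Override
        public void doSensitiveThing() throws RemoteException {
            // This method runs on a Binder thread while the incoming transaction
            // is being dispatched, so getCallingUid() is the remote caller's uid.
            int callingUid = Binder.getCallingUid();
            if (callingUid != Process.SYSTEM_UID) {
                throw new SecurityException("Rejected call from uid " + callingUid);
            }
            // ... privileged work, only reached for the system uid ...
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        // onBind is a lifecycle callback, not a transaction handler:
        // getCallingUid() here returns this process's own uid.
        return binder;
    }
}

class SystemEventReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // onReceive runs on the main thread after the delivery transaction has
        // finished, so getCallingUid() is our own uid and this comparison is
        // always false for a normal app. It says nothing about who sent the broadcast.
        boolean looksLikeSystem = Binder.getCallingUid() == Process.SYSTEM_UID;
        if (!looksLikeSystem) {
            // Expected result even for genuine system broadcasts; do not treat this
            // as evidence of spoofing.
        }
    }
}
```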