In-app billing receiver permission

Background

I know the receiver in the Dungeons manifest (the in-app billing sample, for those who don't know it) does not include the permission attribute, but Lint warns me: "Exported receiver does not require permission (...) Without this, any application can use this receiver".

If I understand this correctly, an application could fool me with fake data (perhaps on a modified system, I'm not sure), possibly impersonating the Play app and supplying fake purchase records.

Questions

  • Is this correct? What are the implications on a regular, stock Android device?

  • What should I put there to get the expected behavior? I suppose it should only allow my receiver to receive broadcasts from the legitimate Play app. Is that com.android.vending.BILLING? In that case, I think a rogue app could declare it as well. Which leads to 3:

  • Should I compare against Google's public signature to rule out a fake sender?

Notes

I know some of these may seem over the top to some, but I'm thinking about it in theory. :-)

Also, I don't have much use for manifest receivers, so I never paid much attention to them. So if I'm misunderstanding something, please correct me. And yes, I read the documentation before, and again just now.

Thanks.

+4
1 answer

These transactions are signed with a unique key associated with your developer account. If you validate them correctly, no one can forge transactions.

As for why there is no specific permission: the way the Android permission system works, you can say "this broadcast can only be received by an application signed with the same key as the sender." Obviously, your application is signed with a different key than the Google Play application, so signature-based permissions can't be used and the receiver has to be public.

Technically, you can check who is sending the broadcast, get the package name for that UID and compare it with the known Google Play packages. Those tend to change with new releases and differ on some devices (carrier devices in particular), so this may not scale well and could give false positives.

+1
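The first point of the answer, validating the purchase data rather than trusting whoever delivered the broadcast, as an added example that is not part of the original answer or of the Dungeons sample. It assumes the standard in-app billing scheme: the Play Console hands you a Base64-encoded X.509 RSA public key, and purchase JSON is signed with SHA1withRSA, with the signature Base64-encoded. Since there is no Play server here, the demo generates a throwaway key pair and signs a constructed purchase record itself; in a real app only the public key is embedded and the private key never leaves Google.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/** Verifies in-app billing purchase data against the developer's RSA public key. */
public final class PurchaseVerifier {

    private static final String KEY_ALGORITHM = "RSA";
    // Algorithm Play uses for in-app billing signatures (assumption: standard IAB scheme).
    private static final String SIGNATURE_ALGORITHM = "SHA1withRSA";

    private PurchaseVerifier() {}

    /** Decodes the Base64 X.509 (SubjectPublicKeyInfo) key string shown in the Play Console. */
    public static PublicKey decodePublicKey(String base64PublicKey) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64PublicKey);
        return KeyFactory.getInstance(KEY_ALGORITHM).generatePublic(new X509EncodedKeySpec(der));
    }

    /**
     * Returns true only if base64Signature is a valid SHA1withRSA signature over signedData.
     * Empty data or an empty signature is rejected outright; anything malformed is treated as invalid.
     */
    public static boolean verifyPurchase(String base64PublicKey, String signedData, String base64Signature) {
        if (signedData == null || signedData.isEmpty()
                || base64Signature == null || base64Signature.isEmpty()) {
            return false;
        }
        try {
            Signature sig = Signature.getInstance(SIGNATURE_ALGORITHM);
            sig.initVerify(decodePublicKey(base64PublicKey));
            sig.update(signedData.getBytes(StandardCharsets.UTF_8));
            return sig.verify(Base64.getDecoder().decode(base64Signature));
        } catch (Exception e) {
            // Bad key, bad Base64, or a signature of the wrong length: not a genuine purchase.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair standing in for Google's signing key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance(KEY_ALGORITHM);
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String base64PublicKey = Base64.getEncoder().encodeToString(pair.getPublic().getEncoded());

        // Constructed purchase record; field names follow the IAB purchase JSON layout.
        String purchase = "{\"orderId\":\"GPA.0000-0000-0000-00000\","
                + "\"packageName\":\"com.example.dungeons\",\"productId\":\"sword_001\","
                + "\"purchaseTime\":1345678900000,\"purchaseState\":0,"
                + "\"developerPayload\":\"user123\",\"purchaseToken\":\"token123\"}";

        Signature signer = Signature.getInstance(SIGNATURE_ALGORITHM);
        signer.initSign(pair.getPrivate());
        signer.update(purchase.getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(signer.sign());

        System.out.println("genuine:  " + verifyPurchase(base64PublicKey, purchase, signature));

        // A rogue sender can broadcast any JSON it likes, but cannot produce a valid signature for it.
        String forged = purchase.replace("sword_001", "armor_999");
        System.out.println("tampered: " + verifyPurchase(base64PublicKey, forged, signature));
        System.out.println("unsigned: " + verifyPurchase(base64PublicKey, forged, ""));
    }
}
```

The point of the demo is that the exported receiver can stay public: whatever arrives there is only acted on after verifyPurchase returns true, so impersonating the Play app buys an attacker nothing without Google's private key. Checking the sender's package, the answer's second suggestion, is a separate measure and is not shown here.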
