Reflection Protection - Android

Even the private members / functions of my class can be obtained by reflection using setAccessible(true). Is there any way to prevent such access from external code?

I read something here on Stack Overflow saying that I can use the SecurityManager to prevent reflection in applets (not sure how this works), but is there a similar mechanism for Android? Maybe an annotation or clever programming?

+6
3 answers

If you step back, what you are observing is a difference in security philosophy between the Java runtime model, as originally embodied in Sun JVMs, and the Android runtime model.

The Java VM was originally designed for a system in which several mutually suspicious applications (or "applets" in Java parlance) would simultaneously be in the same address space, running in the same virtual machine. Since the designers did not want one application to be bothered by another, they faced great difficulties in defining a security model inside the VM that would forbid things like one object accessing the private fields of an object of another class.

However, the Java library ended up with different "escape hatches" from the security model. One of them is setAccessible() on reflection objects, as you noticed.

The Android model is different: Android uses processes as the security and application isolation boundary, rather than trying to insert it into a process, as was done using traditional JVMs. This allows you to completely solve the problem of the Java security model, except that it helps the application "save it from itself." That is, it is good design not to have an object poke into the private parts of other objects, and the standard Java security model provides just that.

Leaving aside the question of how people change your code, with Android, as the author of the application, you manage all the code that ends up in your application's process. If you decide to include code that calls setAccessible(), you may be shooting yourself in the foot, but you will, of course, not take off the feet of other applications, since the Android security model, operating at the process level, inherently does not allow this to happen. Similarly, using native code will completely destroy you from the Java object model, which allows you to completely overload you in any situation, but also allows you to express some things more productively than you could in Java. This is a compromise, but it is a compromise between developers and developers, and not one that especially affects anything else that happens on your phone / device.

I know this does not directly answer your question, but I hope that it provides some useful context.

+12
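
An added example, not part of any answer in this thread: a minimal Java program showing what the question and the first answer describe, namely that code running inside the same process can read, call and overwrite `private` members once it calls setAccessible(true). The class `Account`, its `token` field and its `isOwner` method are hypothetical names, and the token value is constructed sample data.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;

public class ReflectionDemo {

    // Reads a private field of an object that lives in the same process.
    static Object readPrivate(Object target, String fieldName)
            throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(fieldName);
        f.setAccessible(true); // lifts the language-level access check
        return f.get(target);
    }

    // Invokes a private one-argument method the same way.
    static Object callPrivate(Object target, String name, Class<?> argType, Object arg)
            throws ReflectiveOperationException {
        Method m = target.getClass().getDeclaredMethod(name, argType);
        m.setAccessible(true);
        return m.invoke(target, arg);
    }

    // Overwrites a private field; private state is writable, not just readable.
    static void writePrivate(Object target, String fieldName, Object value)
            throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(fieldName);
        f.setAccessible(true);
        f.set(target, value);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        Account account = new Account();
        Object token = readPrivate(account, "token");
        System.out.println("private field read:   " + token);
        System.out.println("private method call:  "
                + callPrivate(account, "isOwner", String.class, token));
        writePrivate(account, "token", "replaced-by-caller");
        System.out.println("after overwrite:      " + readPrivate(account, "token"));
    }
}

// Hypothetical class standing in for "my class" from the question.
// It is a separate top-level class, so the accesses above are genuinely
// cross-class and would fail without setAccessible(true).
class Account {
    private String token = "constructed-sample-token"; // constructed sample value

    private boolean isOwner(String candidate) {
        return token.equals(candidate);
    }
}
```

The access modifiers here are encapsulation for code you control inside your own process; the isolation the first answer describes comes from the process boundary, not from `private`.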

Is there any way to prevent such access from external code?

Not really.

Is there a similar mechanism for Android?

Even if there is (and I don't know that such a thing exists), anyone can remove it by decompiling the code (if they do not have the source), getting rid of the protection, and recompiling the code.

Remember that when used properly, ProGuard will obfuscate your private classes and methods in your APK build. This, as well as the lack of documentation, will force everyone to access these private classes and methods.

+1

I do not believe that you really can 100% protect against users who use reflection in your project with malicious intent. You can make it more difficult for users to do this by doing things like obfuscating your code, but you can still think about confusing code.

I do not believe that the SecurityManager can be used for the purpose that you propose, although I could be wrong.

0