Geek Answers Handbook

Protecting Additional Data in Android Intent

I use intention to start a new action in a new task. This intention contains some personal data necessary for this Activity for its additional purposes. This data should not be read by other applications. We examined whether these data did not really leak. We found that using the RecentTaskInfo method of getRecentTasks (), this additional data can be read by any arbitrary application that has GET_TASK permission. It is not very safe. We stopped the search as soon as we discovered this leak. Are there other ways to leak data? And how can I ensure that the data in the extra is not read by other applications?

+6
source share
3 answers

Starting with Android 4.1.1, an additional permission has been added to protect against reading third-party applications using RecentTaskInfo . This permission ( android.Manifest.permission.GET_DETAILED_TASKS ) can only be obtained by the system. Without this permission, additional ones will be replaced until baseIntent through RecentTaskInfo .

From the commit comment http://androidxref.com/4.2.2_r1/history/frameworks/base/services/java/com/android/server/am/ActivityManagerService.java#8238e717df4bc5eebf15f97172d68af3599a95bb :

Add a new permission at the signature level for task details.

Third-party applications can no longer access additional functions associated with tasks so that personal data does not leak into them.

Change-Id: I95af9e181ac42557bc8b981807e7ddd266a88d0e

Thus, it seems that efforts are made to make confidential information more secure for transportation. I do not know if there are other ways in which these additional may flow, but at least the additional seems OK from JB.

+7
source

This intention contains some personal data necessary for this Activity in its additional functions.

Why? Pass identifiers to private data in additional applications where the resolution of these identifiers to this personal data (for example, a database query) can only be done through activity.

We found that using the RecentTaskInfo method of getRecentTasks (), this additional data can be read by any arbitrary application that has GET_TASK permission

Yes, I wrote about this almost two years ago, while others probably did it before that.

Are there more ways to leak this data?

All requests to launch other components are executed through the OS process, so the data is constantly "leaking" into the OS.

And, depending on what you are doing with Intent , you can skip it in other ways (for example, pass Intent itself as Parcelable to other applications).

And how can I ensure that the data in the extra is not read by other applications?

You can not. Again, do not put personal data in additional activity activities, but instead use identifiers that can be used to obtain this private data.

+6
source

You have a private storage space that is readable only by your application. On unloaded devices, the information you store there will only be available to your application.

You can use SharedPreference to store your data - the data is stored in your limited application store.

Alternatively, you can directly use private storage and attach arbitrary files to it:

 FileOutputStream fos; try { fos = openFileOutput (FILENAME, Context.MODE_PRIVATE); fos.write (string.getBytes ()); fos.close (); } catch (FileNotFoundException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); }
+1
source

More articles:


All Articles