AccountManager and signature check

只愿长相守 submitted on 2019-12-08 03:05:49

Question


Security tips chapter related to AccountManager mentions that:

If credentials are used only by applications that you create, you can verify the application that accesses the AccountManager using checkSignature().

Where in the code should I check the signature? I've already tried to use Binder.getCallingUid() to obtain the UID of the calling process inside my own implementation of the AbstractAccountAuthenticator, but it returns 1000 as the system process performs IPC. I need to obtain UID/package name of the other app that tries to access the account created by my app as I want to perform the checkSignature check before returning the auth token.


Answer 1:


Turns out it's fairly simple. The package name, uid and pid of the real caller are contained in the Bundle passed as a parameter. This code should reside in the implementation of an AbstractAccountAuthenticator.

@Override
public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
                           String authTokenType, Bundle bundle) {
    PackageManager packageManager = context.getPackageManager();
    // The options bundle carries the real caller's package name ("androidPackageName",
    // i.e. AccountManager.KEY_ANDROID_PACKAGE_NAME), not the system process that forwards the IPC
    String callerPackageName = bundle.getString("androidPackageName");
    // Caller app must be signed with the same key to get the auth token
    int signatureResult = packageManager.checkSignatures(BuildConfig.APPLICATION_ID,
            callerPackageName);
    // SIGNATURE_MATCH is 0; every mismatch/unknown-package result is negative
    if (signatureResult >= PackageManager.SIGNATURE_MATCH) {
        return [bundle with the auth token];
    } else {
        return Bundle.EMPTY;
    }
}
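A fuller version of the same check, added here as an illustration and not part of the original answer: the authenticator below verifies the caller by UID rather than by name, using the `AccountManager.KEY_CALLER_UID` and `AccountManager.KEY_ANDROID_PACKAGE_NAME` keys the framework places in the options bundle. It also cross-checks that the package name actually belongs to the caller UID, so a mismatched name cannot be used to pass the signature comparison, and it returns an explicit error bundle instead of an empty one. The class name `SameSignerAuthenticator`, the `TAG` string and the use of `peekAuthToken` as the token source are assumptions for the example; the other abstract methods are stubbed only because `AbstractAccountAuthenticator` requires them.

```java
import android.accounts.AbstractAccountAuthenticator;
import android.accounts.Account;
import android.accounts.AccountAuthenticatorResponse;
import android.accounts.AccountManager;
import android.accounts.NetworkErrorException;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.os.Process;
import android.util.Log;

/** Example authenticator (hypothetical class name) that only hands tokens to same-signer callers. */
public class SameSignerAuthenticator extends AbstractAccountAuthenticator {
    private static final String TAG = "SameSignerAuth"; // assumed log tag
    private final Context context;

    public SameSignerAuthenticator(Context context) {
        super(context);
        this.context = context.getApplicationContext();
    }

    /**
     * True only if the caller identified by the framework-populated options bundle
     * is signed with exactly the same certificate(s) as this authenticator app.
     * Binder.getCallingUid() is useless here (it is the system server), so the
     * bundle keys are the only caller identity available to the authenticator.
     */
    boolean isSameSignerCaller(Bundle options) {
        if (options == null) {
            return false;
        }
        int callerUid = options.getInt(AccountManager.KEY_CALLER_UID, -1);
        String callerPkg = options.getString(AccountManager.KEY_ANDROID_PACKAGE_NAME);
        if (callerUid < 0 || callerPkg == null) {
            Log.w(TAG, "caller identity missing from options bundle");
            return false;
        }
        PackageManager pm = context.getPackageManager();

        // Cross-check: the claimed package name must really be installed under the caller UID.
        String[] pkgsForUid = pm.getPackagesForUid(callerUid);
        boolean pkgBelongsToUid = false;
        if (pkgsForUid != null) {
            for (String p : pkgsForUid) {
                if (callerPkg.equals(p)) {
                    pkgBelongsToUid = true;
                    break;
                }
            }
        }
        if (!pkgBelongsToUid) {
            Log.w(TAG, "package " + callerPkg + " does not belong to uid " + callerUid);
            return false;
        }

        // Compare signing certificates by UID. Only an exact SIGNATURE_MATCH (0) is accepted;
        // all mismatch / unknown results are negative constants.
        return pm.checkSignatures(Process.myUid(), callerUid) == PackageManager.SIGNATURE_MATCH;
    }

    @Override
    public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
                               String authTokenType, Bundle options) throws NetworkErrorException {
        Bundle result = new Bundle();
        if (!isSameSignerCaller(options)) {
            // Explicit error so the client sees a failure rather than an empty bundle.
            result.putInt(AccountManager.KEY_ERROR_CODE, AccountManager.ERROR_CODE_BAD_REQUEST);
            result.putString(AccountManager.KEY_ERROR_MESSAGE,
                    "caller is not signed with the authenticator's certificate");
            return result;
        }
        // Token source is an assumption for the example: a token previously cached for this account.
        String token = AccountManager.get(context).peekAuthToken(account, authTokenType);
        result.putString(AccountManager.KEY_ACCOUNT_NAME, account.name);
        result.putString(AccountManager.KEY_ACCOUNT_TYPE, account.type);
        result.putString(AccountManager.KEY_AUTHTOKEN, token);
        return result;
    }

    // Remaining abstract methods are not part of the signature check; minimal implementations.
    @Override public Bundle editProperties(AccountAuthenticatorResponse r, String accountType) { return null; }
    @Override public Bundle addAccount(AccountAuthenticatorResponse r, String accountType, String authTokenType,
                                       String[] requiredFeatures, Bundle options) { return null; }
    @Override public Bundle confirmCredentials(AccountAuthenticatorResponse r, Account a, Bundle options) { return null; }
    @Override public String getAuthTokenLabel(String authTokenType) { return authTokenType; }
    @Override public Bundle updateCredentials(AccountAuthenticatorResponse r, Account a, String authTokenType,
                                              Bundle options) { return null; }
    @Override public Bundle hasFeatures(AccountAuthenticatorResponse r, Account a, String[] features) {
        Bundle b = new Bundle();
        b.putBoolean(AccountManager.KEY_BOOLEAN_RESULT, false);
        return b;
    }
}
```

Comparing by UID sidesteps the question of whether the package-name string is trustworthy, and requiring an exact `SIGNATURE_MATCH` (rather than `>=`) keeps the intent explicit. Note that on Android 11 and later package visibility filtering can make `getPackagesForUid` and `checkSignatures` report the caller as unknown unless the authenticator app declares the relevant packages in a `<queries>` element of its manifest.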


Source: https://stackoverflow.com/questions/47334432/accountmanager-and-signature-check
