What protects Android AccountManager passwords from being read by other apps?

混江龙づ霸主 submitted on 2020-01-01 04:19:39

Question


I'm writing 1) an app that stores a username and password in the AccountManager, and 2) a separate background Service app that accesses those credentials to log in to my servers, etc. Playing around with this, I find I'm able to call AccountManager.getPassword(account) from the Service (app 2) to access the type of accounts I've added to the AccountManager using the other app (app 1).

Due to this, I'm starting to wonder what stops an arbitrary malicious app from 1) including the fields in the manifest to have Account management access, and then 2) from iterating through all accounts of a particular type and calling mAccountManger.getPassword(account) on them. I know that during installation, a dialog pops up with all the permissions that an app requests to use, but I don't think we can count on the average user to reject an app because it requests suspicious permissions.

Is there a way to prevent getPassword from being called on an account type? Are there ways to protect accounts in the AccountManager from apps that have given themselves lots of account permissions?


Answer 1:


Account data protection is based on the Linux user id (UID) of the process making the request. (See Security and Permissions in the guide.) Each account is associated with an account authenticator (that has a UID), and the process calling getPassword (or several other methods) must have the same UID as the authenticator.



Source: https://stackoverflow.com/questions/8174835/what-protects-android-accountmanager-passwords-from-being-read-by-other-apps
