Victor Ronin

Reputation: 23318

Custom permission between two apps with different signatures

I have two applications which are signed with different certs/keys.

I want to make an authenticated call (to a service) from application A to app B (so no 3rd party can make such a call).

The common solution for such things in Android is custom permissions with the signature protection level. However, it won't work in my case, because the two apps are signed with different certs (developed by different companies).

So, the question is: what is the best practice for this case, if I want to allow only application A (or any apps developed by this company) to call/bind a service in app B?

Upvotes: 1

Views: 1180

Answers (1)

CommonsWare

Reputation: 1007658

There really isn't one, IMHO.

If the permission is not signature-based, the user can grant it to any app that asks for it, so a permission will not help you.

If you use services with the binding pattern, your Binder has getCallingUid(), which you can use to find the UID of the calling app. With some work, you can find out the package name for that UID from PackageManager. How you validate that package name is up to you (baked-in whitelist, try to make sense of the package's signature from PackageManager, whatever). That doesn't prevent somebody from messing with your APK and hacking your validation routine, though.

Upvotes: 2
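
The caller check described in the answer above, as an added example that is not part of the original answer: app B's Binder maps the calling UID to its packages and compares the signing certificate's SHA-256 against a pinned value. It assumes API 28+ (`GET_SIGNING_CERTIFICATES`); `VerifiedBinder` and `PINNED_CERT_SHA256` are hypothetical names, and the pinned bytes are a placeholder.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import android.os.Parcel;
import android.os.RemoteException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical Binder for app B: refuses transactions from callers not signed with the pinned cert.
public class VerifiedBinder extends Binder {
    // Placeholder: SHA-256 of company A's signing certificate (fill in the real 32 bytes).
    private static final byte[] PINNED_CERT_SHA256 = new byte[32];
    private final PackageManager pm;

    public VerifiedBinder(Context context) {
        pm = context.getPackageManager();
    }

    @Override
    protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
            throws RemoteException {
        // Check here, on the thread handling the incoming call. In onBind() or
        // after posting to another thread, getCallingUid() returns our own UID.
        if (!isTrusted(Binder.getCallingUid())) {
            throw new SecurityException("caller is not signed with the pinned certificate");
        }
        return super.onTransact(code, data, reply, flags);
    }

    private boolean isTrusted(int uid) {
        String[] packages = pm.getPackagesForUid(uid);
        if (packages == null || packages.length == 0) return false;
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (String pkg : packages) { // a shared UID can hold several packages
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                if (info.signingInfo == null) return false;
                Signature[] signers = info.signingInfo.getApkContentsSigners();
                if (signers == null || signers.length != 1) return false; // fail closed
                byte[] digest = sha256.digest(signers[0].toByteArray());
                if (!MessageDigest.isEqual(digest, PINNED_CERT_SHA256)) return false;
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // unknown package or no SHA-256 provider: reject
        }
    }
}
```

With an AIDL interface, the same `onTransact` override goes in the subclass of the generated `Stub`.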
