Reputation: 578
Protect against Intent Interception
Suppose that I want to allow partners app´s to start my activity. My app and the partners app´s have different developers signature.
Some articles suggest to use a explicit intent to protect against a Intent Interception. Avoiding implicit intent. They also suggest use of permissions.
I also read something about avoid intent because trojans could use GET_TASK to access extra datas. They suggest to use service instead of activity. However this problem appear had been corrected on version 4.1.1 and I don´t know how many vulnerabilities service could have.
My doubt now if how I can protect me against a app with the same package name that mine.
Suppose that a user don´t have my app installed on it. Then, he access a alternative store and installs a app with the same name that my app have on Play Store.
How I can protect me and my partners against this situation? There is any way that my partners could use to verify my true identity? There is any approach recommend by android to avoid it? Or should I implement a web service that allowing partners to check my identity?
Upvotes: 0
Views: 376
Answers (1)
Reputation: 1006614
How I can protect me and my partners against this situation? There is any way that my partners could use to verify my true identity?
Since I am a little bit confused as to who is calling whom here, I will refer to App A and App B. App A wants to start an activity from App B, but is concerned that App B might not be the legitimate app, even though it has the same package name.
Step #1: The author of App B can use the Java 7 version of keytool to determine the SHA-256 hash of App B's release signing key, the key used to sign the app that is shipped to the Play Store. This should be in the form of a capitalized, colon-delimited hash string (e.g., CA:FE:BA:BE:...).
Step #2: The author of App A can save App B's hash string (given to you by the developer of App B) as a string resource.
Step #3: The author of App A can add my CWAC-Security library and call SignatureUtils.getSignatureHash(), passing in some Context and the package name of App B (after App A has confirmed that App B is actually installed). This will return the computed SHA-256 hash of the installed copy of App B. This should match the string resource; if it does not, the App B that is installed is a hacked copy, signed with some other signing key.
Upvotes: 3
Related Questions
- Capturing/Intercepting Android Intents during runtime
- Precice delivery of implicit Intents
- How to restrict Android Intents or add security
- Is there a way to intercept intents passed when opening a new activity by another app?
- Android Intent Security
- How can I intercept the Intent when the user open another application?
- android activity protection from intent
- Android - avoiding intent sniffing
- Intercept Android's explicit intents
- startActivity and intercept intent extras