Reputation: 1610
Verify signature of ContentProvider
I have the classic case where one of my apps provides content to my other app. I know that the content provider can be secured using a permission with a signature protection level. But I'm concerned about the other direction. What if the app that contains the content provider is not installed and a malicious app contains a provider with the same authority (I know the authority should not accidentally collide, but I'm thinking about a malicious app). How can I ensure that my app only queries the provider if it's defined in an app with the same signature?
The closest thing I can think off is to find my other app through package manager and verify that the signature matches. And since my other app has the content provider, another content provider with the same authority cannot be installed on the same device. But with this I'm making the connection between the package name and the authority. I'm hoping there's a cleaner way.
Upvotes: 3
Views: 873
Answers (1)
Reputation: 1007474
Call resolveContentProvider() on PackageManager, passing in the authority string. This will give you the details on the ContentProvider for that string. From there, check the signature of that provider's package to see if it matches yours.
Upvotes: 5
Related Questions
- Android content provider protection level & different keys
- How to validate android content provider/resolver succeeded in saving the file?
- Check signature of an apk
- Android signature protection and exported="false"
- Secure Content Provider
- Self-checking an APK's signature
- Android signature verification
- Verifying Android Code Signing
- Check for Android Content Uri
- How to authenticate signed android .apk?