问题描述
安全提示与AccountManager
相关的章节:
我应该在代码中的哪里检查签名?我已经尝试使用Binder.getCallingUid(
)在我自己的AbstractAccountAuthenticator
实现中获取调用进程的UID,但是当系统进程执行IPC时,它将返回1000.我需要获取另一个尝试访问由我的应用程序创建的帐户的应用程序的UID/程序包名称,因为我想在返回auth令牌之前执行checkSignature
检查.
Where in the code should I check the signature? I've already tried to use Binder.getCallingUid(
) to obtain the UID of the calling process inside my own implementation of the AbstractAccountAuthenticator
, but it returns 1000 as the system process performs IPC. I need to obtain UID/package name of the other app that tries to access the account created by my app as I want to perform the checkSignature
check before returning the auth token.
推荐答案
结果很简单.实际调用者的程序包名称,uid和pid包含在作为参数传递的Bundle
中.此代码应驻留在AbstractAccountAuthenticator
的实现中.
Turns out it's fairly simple. The package name, uid and pid of the real caller is contained in the Bundle
passed as a parameter. This code should reside in the implementation of an AbstractAccountAuthenticator
.
public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
String authTokenType, Bundle bundle) {
try {
PackageManager packageManager = context.getPackageManager();
String callerPackageName = bundle.getString("androidPackageName");
// Caller app must be signed with the same key to get the auth token
int signatureResult = packageManager.checkSignatures(BuildConfig.APPLICATION_ID,
callerPackageName);
if (signatureResult >= PackageManager.SIGNATURE_MATCH) {
return [bundle with the auth token];
} else {
return Bundle.EMPTY;
}
}
这篇关于AccountManager和签名检查的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!