I am using FileProvider and Intents to share content from our application to other applications. Using these components can also upload data from other applications to our application. For security reasons, we want to only disable sharing from our application to other applications. Is there a global solution to have this restriction put in place?
Thanks in advance.
FileProvider enables to share content from our application to other applications.
Only by having additional code in your app. FileProvider, on its own, does not do what you describe.
It also provides capabilities to upload data from other applications to our application.
Again, this only happens if you have have additional code in your app. FileProvider, on its own, does not do this.
Is there a global solution to have this restriction put in place?
Do not write the code that implements sharing from your application to other applications.
IIRC your app must "opt in" to sharing its own files on a case-by-case basis. Other applications request files from your application, which must then grant them (temporary) permission and pass them the access URI. Other applications don't get automatic access to your files without asking. If you don't implement the sharing functionality, there is no way for a sharing request to be granted.
If you do want limited sharing you can also set up a policy XML file to restrict which directories owned by your application are shareable.
https://developer.android.com/training/secure-file-sharing
Related
Illustration:
How do I pass data coming from a form in my app to a third-party app?
Also, what are the terms, functions and APIs about doing this?
It is possible through Intent and URI.
The app that is receiving your data should support be open to receive URI so that you can fire up the Intent method it will open the app and send data.
You can refer: https://developer.android.com/training/basics/intents/sending.html#java
Unfortunately there is not a one-size-fits-all solution to this question, as such you are going to receive a variety of different "solutions" but the truthful answer is, it depends on the implementation of the app built by the other party;
Intents
If the third-party app is open to receiving data through intents, and hopefully the developer of that app has documented this somewhere. This would be the most streamlined approach.
It is important to note with this implementation that if there are specific apps you have in mind to connect to, and your application is going to be publicly available, then the user will need to have those specific third-party apps installed. This is easier if you only have one specific third-party app in mind (you can check the user's device to see if it is installed and inform them), and gets exponentially more cumbersome for every additional application you wish to connect to, not only due to having to instruct the user about yet another required third-party app but also as you will need to make sure you are able to pass all the necessary data to a completely different application.
Have a look at this earlier question to see how this can be achieved.
APIs
Another solution would be to use APIs. Just like intents, this requires the third-party developer to have exposed their application to these specific API calls, which you can then connect to to pass your data. The simplest real-world implementation of this approach would be signing on to an application using a social media account instead of having to create a separate account per application.
This is less streamlined than the intents approach as it would involve additional steps of posting your data to the API and then opening the other app in order to retrieve the data and proceed.
Everyone knows that Facebook reads user's SMS-content on Android. Me tasked to create fake Content Provider and redirect Facebook to read fake SMS database.
I'm trying to create my own content provider to replace default Telephony on Android, which will handle Facebook's requests separately.
So, there are two questions:
1) Where can i find complete project of TelephonyProvider? Decompilation of TelephonyProvider.apk has no good results.
2) How can i handle requests of specific app separately in content provider?
Me tasked to create fake Content Provider and redirect Facebook to read fake SMS database.
Fortunately, this is not possible, for blindingly obvious privacy and security reasons, unless you control the device firmware.
I'm trying to create my own content provider to replace default Telephony on Android
Fortunately, this too is not possible, for blindingly obvious privacy and security reasons, unless you control the device firmware.
Where can i find complete project of TelephonyProvider?
http://source.android.com.
How can i handle requests of specific app separately in content provider?
You can see if Binder.getCallingUid() returns something that identifies the app that invoked the ContentProvider -- I do not know if that works or not.
I want to make an app like McAfee Secure Container. The container app should launch other (specific) apps and provide them isolated execution environment. There should be no data sharing outside the container and all the apps inside container should use container's network connection.
What can be a way forward?
I know one solution that runs each app within it's own dalvik VM with a unique ID (uid ref linux) to protect all resources for that app. It makes use of the linux file permissions to protect these resources. The only way to get apps running with the same UID is to sign it with the same publisher key and declare this ID in the manifest. To get resources world readable you have to declare this explicitly when opening the resources within the app. Further more the apps can only access certain system resources if they declare that permission in the manifest. Think of IO operations and so on. These permissions will than be prompted to the user and install time.
... It's called Android :-)
Or in other words what more do you search for than what is already provided by the Android system? If you're looking for security I would say the Android system is pretty secure on its own. Some threats I can think of are listed next.
A possible threat is that the system itself (not the app) is compromised (rooted or so). Then all your app data will be exposed on that system. The solution for that is encrypting your data. Google for Android Derived Key for more information on how to get a key from a user password and use that key to encrypt sensitive data stored on a device. The main rule here is to only store sensitive data if you really have to and encrypt it if you do. Also make sure to use CBC mode instead of ECB mode and provide a salt and an IV.
Never ever think that your code is save. Not even if it is obfuscated. Obfuscation does not make it impossible to get the code in a readable format. It just makes it harder. So it's always a bad idea to keep sensitive data in your code.
Another possible threat I can think of is network traffic. Use SSL/TLS and verify hostnames. Limit credentials going over the network by using generated tokens for authentication. Encrypt data over the network, this time use a dynamic IV. Also validate input and be aware of SQL injection.
Short answer : you can achieve this with Dynamic Library loading.
Long answer please refer to this:
https://www.youtube.com/watch?v=siVS2jmPABM
How can i access a database which is in a different application. I want to access the data and use it for an other application how am i suppose to do it. I dont even have a clue how to access data from a different application please help.
Read this article:
"Application modularity – The Android system allows applications that are signed by the same certificate to run in the same process, if the applications so requests, so that the system treats them as a single application. In this way you can deploy your application in modules, and users can update each of the modules independently if needed."
"Code/data sharing through permissions – The Android system provides signature-based permissions enforcement, so that an application can expose functionality to another application that is signed with a specified certificate. By signing multiple applications with the same certificate and using signature-based permissions checks, your applications can share code and data in a secure manner. "
please use content provider for accomplishing the same
Do you know about content provider?, you can implement the above functionality by using this.
For example, Calendar, Contacts are doing the same.
Check:
Creating a Content Provider
Android SQLite Database and ContentProvider - Tutorial
in Android diff app can share the data with help of content provider
below will help you
http://about-android.blogspot.in/2010/04/content-provider-example-1.html
Stay smiling
Is there a permission to allow one app to read the (private) data/data//files/... files of another application? If not, how do backup programs like MyBackup work?
C
On a side-note, in the unlikely event that you're the one who's writing both applications, you can make them share the same sandbox by signing them the same way.
Is there a permission to allow one app
to read the (private)
data/data//files/... files of another
application?
No.
If not, how do backup programs like
MyBackup work?
They backup and restore only things with public APIs. That includes some data from the operating system and some things from applications specifically integrated with them.