I have developed one SDK containing a layout with some sensitive input fields.
This SDK will be provided to third party App.
Everything is working fine.
Problem is,
I don't want third party App to fetch any information from the input fields. But while using that SDK (.aar file) he can get the resource IDs of those SDK input fields.
What can be done to prevent the resource IDs from being exposed?
Code used in third party app to integrate the SDK,
Intent intent = new Intent();
intent.setComponent(new ComponentName("com.package_name", "com.package_name.class_name"));
startActivity(intent);
I don't want third party App to fetch any information from the input fields
It is code in their app. They can get at whatever they want.
What can be done to prevent the resource IDs from being exposed?
If by "exposed", you mean "available at compile time as simple R constants", you can whitelist the IDs that should be public, and the build tools will hide the remainder.
Note that this will not stop an interested party from accessing those fields from within their own process. It will merely add a few minutes to the development process.
Related
I want to add a web page navigation Activity in my Android application, and I find that I need to use CATEGORY_BROWSABLE. The description says:
By supporting this category, you are promising that there is nothing damaging
(without user intervention) that can happen by invoking any matching Intent.
Can someone tell what risk Android is trying to highlight here? What could be damaging in handling web page navigation?
Operations such as invasive edits to an account, deleting contacts and text messages, downloading files without user permission, etc. are considered damaging without user intervention.
As this category can be added to any activity (webview-based or not), the line you quoted is meant as a general rule of thumb for developers who decide to flag their activities (webview-based or not) as BROWSABLE.
I would like to make a slight change to my application's name. I read that it can work if both applications are signed with the same signature and is given the same userId then they can share information and I can migrate the original application's information to the new one. It is very important that the user gets the notification to upgrade. Will the user receive the update to upgrade if its done this way?
Your users will still get the upgrade, as long as you don't change the top level java package name.
Do you mean the actual name (human readable) or the application package? You can change the name, description, etc. at any time (though it might be confusing for existing users). On the other hand, you cannot change the package name, you need to publish a new app. Unless the current app already has the sharedUserId set, you cannot really use that option: setting it will change the UID and the application won't be able to see its own files. Two solutions to this:
export the data in some shared format (XML, CSV, JSON, etc.)
write a content provider and use a signature permission to make sure only your apps can read from it.
I understand that intents can be used to employ external activities to accomplish specific tasks, my question is whether those called external activities can be included within the project itself.
For example, if I wanted to include check-in functionality to my application, and knew that google plus has this great check-in activity, would it be possible to include that specific check-in activity for use in my application?
You need the intent of that activity. I think if you have installed G+ app, you need to iterate through the list of Intents you have installed and find the matching one.
List<ResolveInfo> IntentsList= getPackageManager().queryIntentActivities(new Intent(Intent.ACTION_MAIN, null).addCategory(Intent.CATEGORY_LAUNCHER), 0);
PackageManager.PERMISSION_GRANTED = 0 in the addCategory
The 1st argument of the addCategory() method varies depending on whether the intent category is CATEGORY_LAUNCHER, CATEGORY_ALTERNATIVE or most likely your required intent to be CATEGORY_DEFAULT. If you know the intent name then you might be able to call it in your activity, also adding it to your manifest as an activity in your application.
The short answer is yes, if you had the library project for the external app you want to use. This is generally not the best solution because if you could get the source (a big if) and then the user downloaded the app then you'd have to choose which app to complete the intent with (if you didn't use explicit intents) plus you'd have to update your own app when theirs is updated. All this creates overhead on you. An alternative would be to follow the example of the Text-to-Speech library. The Android O/S doesn't come with one preinstalled so whenever the functionality is requested the user is prompted to download the related library. Just uninstall Pico TTS and you'll see what I mean.
What is the best way to discover an Android application's API or hooks into/from the application?
Specifically, I am looking to pass a parameter or data to an application, utilize the application's specific functions, and return data or a parameter to the calling application.
A few ideas come to mind, but I am unfamiliar with what is available, specifically to Android.
Contact an application's developer directly
Somehow decompile the APK to browse the source
Read any available documentation
Some ways to check out what is available for :
Tool to re-engineer closed APK files
http://code.google.com/p/android-apktool/
Review intent filters for actions
Lookup the app in some sort of application manager on your phone. Android System Info. If you go to the details of the app it will tell you where the apk is and the name of it. For instance, under the Email app you can see "Source: /system/app/Email.apk".
To pull that off just do "adb pull /system/app/Email.apk Email.apk", to pull it to your current directory.
Look at the Manifest.xml. Rename the apk to zip and unpack.
Follow the instructions here: http://android.amberfog.com/?p=582
Then you can read the decompiled Manifest.xml and look at the intent filters they are registering.
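As an added example (not part of the original answers), the manifest review described above can be scripted when auditing what your own app exposes. The sketch assumes the manifest has already been decoded to plain-text XML; the package and activity names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a decoded (plain-text) manifest for a made-up app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def list_intent_filters(manifest_xml):
    """Return one dict per <intent-filter>, tagged with its owning component."""
    root = ET.fromstring(manifest_xml)
    found = []
    for comp in root.iterfind("application/*"):
        if comp.tag not in COMPONENTS:
            continue
        for flt in comp.findall("intent-filter"):
            def names(tag):
                return [e.get(ANDROID + "name") for e in flt.findall(tag)]
            categories = names("category")
            found.append({
                "component": comp.get(ANDROID + "name"),
                "kind": comp.tag,
                "exported": comp.get(ANDROID + "exported"),  # None = not declared
                "actions": names("action"),
                "categories": categories,
                "schemes": [d.get(ANDROID + "scheme") for d in flt.findall("data")],
                "browsable": "android.intent.category.BROWSABLE" in categories,
            })
    return found
```

Entries with `browsable` set are the ones a web link can trigger, so they are the first to check against the CATEGORY_BROWSABLE promise that nothing damaging happens without user intervention.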
Android applications are all in their own sandbox, so you can not just arbitrarily call some other Android applications' functions, they would need to be made public to you somehow.
If you are looking to execute some function that is provided by another Android application, you would most likely need to hear about it from the developer, most likely from their public documentation if they have any.
The correct way to do this is to use "intents". With an intent, you can launch another application (such as a barcode scanner) and the user interacts with it. Then, the application exits returning some data (such as the barcode). Try googling or see:
http://www.vogella.com/articles/AndroidIntent/article.html
I am reading about the intent filter in Android, and have a few questions to ask.
Do they match the filter within the same application or all of the applications?
The scheme within the data tag, I have looked at the documentation on the Android SDK website but have no idea what it means. It says scheme://host:port/path or pathPrefix or pathPattern
What are the host, port and path? What does the path relate to?
1) Depends on the type of intent that was requested. See implicit vs explicit intents in the "Intent resolution" section of the docs:
http://developer.android.com/guide/topics/intents/intents-filters.html
If you name the component exactly then you know which activity will launch. Other intents name a generic action and can be matched by multiple activities. The user gets a menu asking which app they want to use to complete the action normally. For instance download the Firefox app from the Marketplace and click on a link in an email, you'll get a prompt asking if you want to use the Browser or Firefox to open the URL.
2) That's for intercepting a custom URL scheme or overlaying HTTP requests. Sounds like that's not something you're interested in doing, you can safely ignore it unless you need to use it. If you do want more info about it there's a question with some good answers already:
Launch custom android application from android browser
1) see #mikerowehl answer
2) data is referenced through Uniform Resource Identifiers (URIs). In Android, scheme could be http, tel, file, content (don't know about others) and by specifying a certain scheme in a filter you're saying that your component can handle data provided that way.
host+port=authority. In case of a data whose scheme is http, host will of course be something like stackoverflow.com, port will probably be left unspecified (if you're accessing a proxy it could be 8080). In case of a content provider, the authority is by convention "the fully-qualified class name of the content provider (made lowercase)", without a port.
This should be the general idea. Documentation in this field is pretty scattered but you should be able to find information on a particular task (say opening email attachments) when you need it.
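To make the scheme://host:port/path structure concrete, here is an added example (not from the original answers) that splits a URI into those parts and checks it against a filter's data attributes. It is a simplified model, not Android's own resolver: it covers only path and pathPrefix, takes case handling from Python's urlsplit, and the filter dicts and URIs are constructed.

```python
from urllib.parse import urlsplit


def split_uri(uri):
    """Break a URI into the parts an intent filter's <data> element names."""
    p = urlsplit(uri)
    return {"scheme": p.scheme, "host": p.hostname, "port": p.port, "path": p.path}


def data_matches(flt, uri):
    """Simplified model of <data> matching (path and pathPrefix only).

    flt is a dict with optional keys scheme, host, port, path, pathPrefix.
    Attributes the filter omits are not compared. In this model a filter
    without a host does not constrain port or path.
    """
    u = split_uri(uri)
    if "scheme" not in flt:
        return False  # this model only covers filters that name a scheme
    if u["scheme"] != flt["scheme"]:
        return False
    if "host" not in flt:
        return True  # scheme-only filter: any URI with that scheme
    if u["host"] != flt["host"]:
        return False
    if "port" in flt and u["port"] != int(flt["port"]):
        return False
    if "path" in flt:
        return u["path"] == flt["path"]
    if "pathPrefix" in flt:
        return u["path"].startswith(flt["pathPrefix"])
    return True  # scheme + authority given, no path constraint


# Constructed filters for illustration.
WEB_FILTER = {"scheme": "https", "host": "stackoverflow.com", "pathPrefix": "/questions"}
PROXY_FILTER = {"scheme": "http", "host": "proxy.example", "port": "8080"}
TEL_FILTER = {"scheme": "tel"}
```

The narrower the filter (host, port and path all given), the fewer external URIs can reach the component, which is worth keeping in mind for any filter that is also marked BROWSABLE.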