I want to use a library in my project. But I do not want this library to have permissions to access files, database or download something from the network in my application. How can I achieve my aim?
The library is provided by others, I need to use some function in it, but I do not want it to have permission to hack my app. Maybe I need something like a sandbox to run this library, but I do not know how to achieve this.
If you are embedding the library (JAR or .so) in your app, then you cannot limit its access. The library code is running in the context of your app and is effectively "linked" with your code. It has access to anything your app's process does since it is running within it.
If you want separation, you would need to isolate the library into another APK package and interface with that package via binder or Intent. Even then, you would need to ensure the other package was not using shared user IDs (which is the default) and you would probably want to sign it with a different key.
Related
I'd like to allow specific third party developers to write plugins for my app without them accessing my app's main source code. And without me accessing their plugin code.
These plugins would extend specific classes, which the main app would scan for, register, and execute dynamically. I have this part working in a project with dynamic feature modules (DFM's), however so far these are all signed by the same cert and built together, by me.
However, the ask is that we each don't see each other's code. I believe you can only execute code in another package which was signed by the same cert.. so herein lies the issue.
I can definitely expose some code for them (the abstract classes / interfaces they'd be extending), but don't want to expose much more than that.
I'm thinking along the lines of a public api module + a private app module, but need help filling in the details as to who builds what with who's certificate. Any good ways to get this done?
Thanks..
I would like to determine which third-party SDKs (like Mixpanel, Google Analytics, Facebook SDKs) are being used in an app, if any. Is there a way to find this out?
Assume for the purposes of this question that I am not the developer of the app, and therefore I don't have access to the source code.
You can use a service like Appbrain to find that out. It's free for the first few lookups.
It's not possible to reliably enumerate the libraries used by an application, for a few reasons.
The main reason is obfuscation: If a user turns on Proguard or R8, they will rename the library's classes, potentially in such a way as to make them unrecognizable.
Another reason is that there's simply not a comprehensive list of every Android library in existence, or a mapping of class names to libraries.
However, if you did want to try to do this, you'd want to retrieve the application's class files and then hunt through them for the start of package names from libraries you care about (as obfuscators are less likely to rename the entirety package names, though they still might). For example, if you wanted to see if an application uses okhttp3, you'd look to see if there are is an okhttp/okhttp3 folder (for the package okhttp.okhttp3).
You could maybe even automate this by finding a list of popular Maven/Gradle packages, downloading them, extracting the class names, and using that as your dataset.
Background: I have an android application that has been published in GooglePlay and I want to create SDK from that existing application so that others can use it as a library inside their apps.
So far: I was able to generate .ARR file from the existing app source code with little tweaks. and it is working pretty good.
The problem: is I have some sensitive information stored inside my app
since I made .arr file from my app codebase I'm little worried that they can easily get access to my SharedPreferenceManager (util class of mine to deal with SharedPreference) DataBaseManager so on and they can subclass library class and tweak the behaviors
So How can I avoid library users not to misuse my library to exploit my existing app?
is there any other way to export my app as a library?
The basic process would be as follows:
Figure out what you want to expose in your SDK
Move all of this into an android library module
Deploy the AAR
Can you explain a little more what you mean by "I'm little worried that they can easily get access to my SharedPreferenceManager (util class of mine to deal with SharedPreference) DataBaseManager so on and they can subclass library class and tweak the behaviors" ?
You can always utilize obfuscation techniques and finalize classes to make it difficult. I don't think you can guarantee absolutely no misuse, but I am not sure how this would effect your application. If you have a server, for instance, then you would still control the software there and be able to sanitize and sort through the input.
I would like to determine which third-party SDKs (like Mixpanel, Google Analytics, Facebook SDKs) are being used in an app, if any. Is there a way to find this out?
Assume for the purposes of this question that I am not the developer of the app, and therefore I don't have access to the source code.
You can use a service like Appbrain to find that out. It's free for the first few lookups.
It's not possible to reliably enumerate the libraries used by an application, for a few reasons.
The main reason is obfuscation: If a user turns on Proguard or R8, they will rename the library's classes, potentially in such a way as to make them unrecognizable.
Another reason is that there's simply not a comprehensive list of every Android library in existence, or a mapping of class names to libraries.
However, if you did want to try to do this, you'd want to retrieve the application's class files and then hunt through them for the start of package names from libraries you care about (as obfuscators are less likely to rename the entirety package names, though they still might). For example, if you wanted to see if an application uses okhttp3, you'd look to see if there are is an okhttp/okhttp3 folder (for the package okhttp.okhttp3).
You could maybe even automate this by finding a list of popular Maven/Gradle packages, downloading them, extracting the class names, and using that as your dataset.
Let' say i have an requirement . i have to give my application to the client. so i created an AAR and gave it to them ,so they can integrate this library to their own application.
However, how can i make ensure so i don't want to expose all my methods and classes,api and manifest.xml files to them. Is there any way to so they are invisible to them or limited to some extent.
Also if possible they should be restricted to particular classes so they can't be able to redirect to my super classes.I don't want to expose them at all.