1

I have two application which are signed with different certs/keys.

I want to make authenticated call (to a service) from application A to app B (so no 3rd party can make such call).

Common solution for such things in Android is custom permissions with signature protection level. However, it won't work in my case, because two apps are signed with different certs (developed by different companies)

So, the question is. What is the best practice for this case, if I want allow only application A (or any apps developed by this company) to call/bind a service in app B?

Victor Ronin
  • 22,758
  • 18
  • 92
  • 184
  • This looks a lot like the web-service API client authentication problem, so perhaps you can find inspiration from solutions used there. – Chris Stratton Apr 19 '13 at 18:39

1 Answers1

2

There really isn't one, IMHO.

If the permission is not signature-based, the user can grant it to any app that asks for it, so a permission will not help you.

If you use services with the binding pattern, your Binder has getCallingUid(), which you can use to find the UID of the calling app. With some work, you can find out the package name for that UID from PackageManager. How you validate that package name is up to you (baked-in whitelist, try to make sense of the package's signature from PackageManager, whatever). That doesn't prevent somebody from messing with your APK and hacking your validation routine, though.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
  • What about a validation of signature of your package? I mean, if you get Uid, get package, get signature and validate it against a certificate stored in application B? In this way, I think nobody can mess with application A APK, because the signature will be checked. – Victor Ronin Apr 19 '13 at 18:21
  • When you said "hacking your validation routine", did you mean changing application B (not A)? – Victor Ronin Apr 19 '13 at 18:22
  • @VictorRonin: Sorry, my answer was referring pretty much entirely to Application B, as it is the one that has to defend itself from attacks. – CommonsWare Apr 19 '13 at 18:23
  • That idea would not work! Package name means nothing, as anyone is free to create an application in any package name they want, so long as such is not already installed *on that device*. – Chris Stratton Apr 19 '13 at 18:32
  • @ChrisStratton: Agreed that anyone can try to write an Application A, though there's some chance checking Application A's signature might still be of use. If you have a better solution, though, post it as another answer. – CommonsWare Apr 19 '13 at 18:34
  • Checking application A's signature is only useful if you have some other knowledge of application A's legitimate signature. – Chris Stratton Apr 19 '13 at 18:39
  • @ChrisStratton: I interpreted "or any apps developed by this company" to mean that the OP has up-front info about Application A's authors. – CommonsWare Apr 19 '13 at 18:40
  • @CommonsWare & ChrisStratton: Yes, both company A and B collaborate, so adding certificate for signature check isn't a problem. – Victor Ronin Apr 19 '13 at 20:36
  • @CommonsWare: I would appreciate, if you can look at continuation of my original question here: http://stackoverflow.com/questions/16724389/what-exactly-is-signature-class-in-android-and-how-to-get-signing-certificate – Victor Ronin May 23 '13 at 21:43