我正在编写一个 Android 应用程序,其中我需要接收系统发送的一些广播。我想确保广播确实是由系统发送的。我找到了这个 OWASP视频。
在视频中的 18:00 时间,演讲者建议验证广播来源的方法之一是使用(查看他的幻灯片):
Binder.getCallingUid () == Process.SYSTEM_UID
我试图在我的应用程序中对此进行测试,但是这个 API 为我提供了我自己的应用程序的 uid。
我从 Dianne Hackborn找到了这个解释:
Binder.getCallingUid() returns the UID of the caller when processing
an incoming Binder IPC. The value that is returned will vary depending
on whether you are in the context of dispatching an incoming IPC or
something else.
Also, code will often call Binder.clearCallingIdentity() to clear the
calling information after it has verified it so that further operations
are considered to be coming from the current uid.
此外,来自文档:
Return the Linux uid assigned to the process that sent you the current
transaction that is being processed. This uid can be used with
higher-level system services to determine its identity and check permissions.
If the current thread is not currently executing an incoming transaction,
then its own uid is returned.
鉴于这两种解释,Binder.getCallingUid在Android组件的生命周期事件中是否有任何使用的API(我在BroadcastReceiver的onReceive,Service的onStartCommand中测试过)?
如果没有,为什么 OWASP 要求我们使用它?