Android Security Details (1)
Android faces a lot of security holes nowadays. As Android app developers, we should know some of its security features and know how to fix these security holes.
I will write several posts about security tips for Android app development. This is the first one.
Activity/Service/Broadcast has an attribute called "android:exported" in AndroidManifest.xml. This attribute is tricky. The default value of this attribute is false. This means other apps cannot access your Activity/Service/Broadcast, which is good for your security.
However, if you add an <intent-filter> to your Activity/Service/Broadcast, its "android:exported" attribute is assigned a value of "true". This is a tricky one, and you have to remember it.
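The rule above can be checked mechanically. The following is an added example, not code from the original post: a small audit that applies the rule as this post states it to a constructed sample manifest and reports which components end up exported only because of an `<intent-filter>`. The package and component names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver")

# Constructed sample manifest (hypothetical app, not from the original post).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application>
    <activity android:name=".SettingsActivity"/>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter>
        <action android:name="com.example.demo.SYNC"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>
"""

def audit_exported(manifest_xml):
    """Return (name, tag, effective_exported, reason) for each component."""
    root = ET.fromstring(manifest_xml.strip())
    results = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            name = comp.get(f"{{{ANDROID_NS}}}name")
            explicit = comp.get(f"{{{ANDROID_NS}}}exported")
            has_filter = comp.find("intent-filter") is not None
            if explicit is not None:
                # An explicit value always wins over the implicit rule.
                exported, reason = explicit == "true", "explicit"
            else:
                # Rule from the post: false by default, true with an intent-filter.
                exported = has_filter
                reason = "implicit-filter" if has_filter else "implicit-default"
            results.append((name, tag, exported, reason))
    return results

def implicitly_exported(manifest_xml):
    """Names of components exported only because they carry an <intent-filter>."""
    return [name for name, _, exported, reason in audit_exported(manifest_xml)
            if exported and reason == "implicit-filter"]

if __name__ == "__main__":
    for row in audit_exported(SAMPLE_MANIFEST):
        print(row)
```

Each component that `implicitly_exported` returns should get an explicit `android:exported` value in the manifest, so that its exposure is a decision rather than a side effect.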
2.1 JS Bridge
WebView has many problems, especially in older versions. On Android versions lower than 4.2, when you add this javaObject to the WebView, the WebView can later call javaObject.getClass(). Therefore it can get Linux permission to do nearly everything, like showing the whole content of the SD card. In that way, your personal privacy leaks.
Solution
1. For Android versions >= 4.2, you can use the
2. For Android versions < 4.2, WebChromeClient has three functions:
2.2 WebView's cache
When you fill in a form (like a login form) and choose to save the data, the form data is actually saved in the
If your phone is not rooted, that's okay. But if your phone is rooted, then hackers may have the chance to hack you.
So if you want to fix this, use this notation:
More details: WebView's cache leaks
The SD card is a public place where every app can put its data, and every app can access all the data on the SD card too. Sounds dangerous, right? So if you want to save some private information on the SD card, please don't. If you insist, please encrypt the information first.
p.s. Android N seems to introduce a system that can limit an app to accessing only one directory, rather than the whole SD card. Moreover, the user must first grant permission to access a directory before you are allowed to access that directory. This is great news for Android security.