一、注意事项
1、定义内部签名许可@b@2、请求内部签名许可。@b@3、不定义intent filter,并显式定义exported属性为真。@b@4、验证内部签名许可的正确性。@b@5、处理由到的数据,确认其真实性和可用性。@b@6、敏感数据可以被内部应用请求。@b@7、当导出一个APK,用请求应用相同的developer key进行签名。
二、原代码示例
AndroidManifest.xml@b@@b@<?xml version="1.0" encoding="utf-8"?>@b@<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.jssec.android.service.inhouseservice.messenger" >@b@ @b@ <!-- *** POINT 1 *** Define an in-house signature permission -->@b@ <permission@b@ android:name="org.jssec.android.service.inhouseservice.messenger.MY_PERMISSION"@b@ android:protectionLevel="signature" />@b@ @b@ <application@b@ android:icon="@drawable/ic_launcher"@b@ android:label="@string/app_name"@b@ android:allowBackup="false" >@b@ @b@ <!-- Service using Messenger -->@b@ <!-- *** POINT 2 *** Require the in-house signature permission -->@b@ <!-- *** POINT 3 *** Do not define the intent filter and explicitly set the exported attribute to true. -->@b@ <service@b@ android:name="org.jssec.android.service.inhouseservice.messenger.InhouseMessengerService"@b@ android:exported="true"@b@ android:permission="org.jssec.android.service.inhouseservice.messenger.MY_PERMISSION" />@b@ </application>@b@</manifest>
import org.jssec.android.shared.SigPerm;@b@import org.jssec.android.shared.Utils;@b@ @b@import java.lang.reflect.Array;@b@import java.util.ArrayList;@b@import java.util.Iterator;@b@ @b@import android.app.Service;@b@import android.content.Context;@b@import android.content.Intent;@b@import android.os.Bundle;@b@import android.os.Handler;@b@import android.os.IBinder;@b@import android.os.Message;@b@import android.os.Messenger;@b@import android.os.RemoteException;@b@import android.widget.Toast;@b@ @b@public class InhouseMessengerService extends Service{@b@ // In-house signature permission@b@ private static final String MY_PERMISSION = "org.jssec.android.service.inhouseservice.messenger.MY_PERMISSION";@b@ @b@ // In-house certificate hash value@b@ private static String sMyCertHash = null;@b@ private static String myCertHash(Context context) {@b@ if (sMyCertHash == null) {@b@ if (Utils.isDebuggable(context)) {@b@ // Certificate hash value of debug.keystore "androiddebugkey"@b@ sMyCertHash = "0EFB7236 328348A9 89718BAD DF57F544 D5CCB4AE B9DB34BC 1E29DD26 F77C8255";@b@ } else {@b@ // Certificate hash value of keystore "my company key"@b@ sMyCertHash = "D397D343 A5CBC10F 4EDDEB7C A10062DE 5690984F 1FB9E88B D7B3A7C2 42E142CA";@b@ }@b@ }@b@ return sMyCertHash;@b@}@b@ @b@ // Manage clients(destinations of sending data) in a list@b@ private ArrayList<Messenger> mClients = new ArrayList<Messenger>();@b@ @b@ // Messenger used when service receive data from client@b@ private final Messenger mMessenger = new Messenger(new ServiceSideHandler(mClients));@b@ @b@ // Handler which handles message received from client@b@ private static class ServiceSideHandler extends Handler{@b@ @b@ private ArrayList<Messenger> mClients;@b@ @b@ public ServiceSideHandler(ArrayList<Messenger> clients){@b@ mClients = clients;@b@ }@b@ @b@ @Override@b@ public void handleMessage(Message msg){@b@ switch(msg.what){@b@ case CommonValue.MSG_REGISTER_CLIENT:@b@ // Add messenger received from client@b@ mClients.add(msg.replyTo);@b@ break;@b@ case CommonValue.MSG_UNREGISTER_CLIENT:@b@ mClients.remove(msg.replyTo);@b@ break;@b@ case CommonValue.MSG_SET_VALUE:@b@ // Send data to client@b@ sendMessageToClients(mClients);@b@ break;@b@ default:@b@ super.handleMessage(msg);@b@ break;@b@ }@b@ }@b@ }@b@ @b@ //Send data to client@b@ private static void sendMessageToClients(ArrayList<Messenger> mClients){@b@ @b@ // *** POINT 6 *** Sensitive information can be returned since the requesting application is in-house.@b@ String sendValue = "Sensitive information (from Service)";@b@ @b@ // Send data to the registered client one by one.@b@ // Use iterator to send all clients even though clients are removed in the loop process.@b@ Iterator<Messenger> ite = mClients.iterator();@b@ while(ite.hasNext()){@b@ try{@b@ Message sendMsg = Message.obtain(null, CommonValue.MSG_SET_VALUE, null);@b@ @b@ Bundle data = new Bundle();@b@ data.putString("key", sendValue);@b@ sendMsg.setData(data);@b@ @b@ Messenger next = ite.next();@b@ next.send(sendMsg);@b@ } catch (RemoteException e) {@b@ // If client does not exits, remove it from a list.@b@ ite.remove();@b@ }@b@ }@b@ }@b@ @b@ @Override@b@ public IBinder onBind(Intent intent) {@b@ @b@ // *** POINT 4 *** Verify that the in-house signature permission is defined by an in-house application.@b@ if (!SigPerm.test(this, MY_PERMISSION, myCertHash(this))) {@b@ Toast.makeText(this, "In-house defined signature permission is not defined by in-house application.", Toa st.LENGTH_LONG).show();@b@ return null;@b@ }@b@ @b@ // *** POINT 5 *** Handle the received intent carefully and securely,@b@ // even though the intent was sent from an in-house application.@b@ // Omitted, since this is a sample. Please refer to "3.2 Handling Input Data Carefully and Securely."@b@ String param = intent.getStringExtra("PARAM");@b@ Toast.makeText(this, String.format("Received parameter ¥"%s¥".", param), Toast.LENGTH_LONG).show();@b@ @b@ return mMessenger.getBinder();@b@ }@b@ @b@ @Override@b@ public void onCreate() {@b@ Toast.makeText(this, "Service - onCreate()", Toast.LENGTH_SHORT).show();@b@ }@b@ @b@ @Override@b@ public void onDestroy() {@b@ Toast.makeText(this, "Service - onDestroy()", Toast.LENGTH_SHORT).show();@b@ }@b@}import android.content.Context;@b@import android.content.pm.PackageManager;@b@import android.content.pm.PackageManager.NameNotFoundException;@b@import android.content.pm.PermissionInfo;@b@ @b@public class SigPerm {@b@ @b@ public static boolean test(Context ctx, String sigPermName, String correctHash) {@b@ if (correctHash == null) return false;@b@ correctHash = correctHash.replaceAll(" ", "");@b@ return correctHash.equals(hash(ctx, sigPermName));@b@ }@b@ @b@ public static String hash(Context ctx, String sigPermName) {@b@ if (sigPermName == null) return null;@b@ try {@b@ // Get the package name of the application which declares a permission named sigPermName.@b@ PackageManager pm = ctx.getPackageManager();@b@ PermissionInfo pi;@b@ pi = pm.getPermissionInfo(sigPermName, PackageManager.GET_META_DATA);@b@ String pkgname = pi.packageName;@b@ @b@ // Fail if the permission named sigPermName is not a Signature Permission@b@ if (pi.protectionLevel != PermissionInfo.PROTECTION_SIGNATURE) return null;@b@ @b@ // Return the certificate hash value of the application which declares a permission named sigPermName.@b@ return PkgCert.hash(ctx, pkgname);@b@ } catch (NameNotFoundException e) {@b@ return null;@b@ }@b@ }@b@}import java.security.MessageDigest;@b@import java.security.NoSuchAlgorithmException;@b@ @b@import android.content.Context;@b@import android.content.pm.PackageInfo;@b@import android.content.pm.PackageManager;@b@import android.content.pm.PackageManager.NameNotFoundException;@b@import android.content.pm.Signature;@b@ @b@public class PkgCert {@b@ @b@ public static boolean test(Context ctx, String pkgname, String correctHash) {@b@ if (correctHash == null) return false;@b@ correctHash = correctHash.replaceAll(" ", "");@b@ return correctHash.equals(hash(ctx, pkgname));@b@ }@b@ @b@ public static String hash(Context ctx, String pkgname) {@b@ if (pkgname == null) return null;@b@ try {@b@ PackageManager pm = ctx.getPackageManager();@b@ PackageInfo pkginfo = pm.getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);@b@ if (pkginfo.signatures.length != 1) return null; // Will not handle multiple signatures.@b@ Signature sig = pkginfo.signatures[0];@b@ byte[] cert = sig.toByteArray();@b@ byte[] sha256 = computeSha256(cert);@b@ return byte2hex(sha256);@b@ } catch (NameNotFoundException e) {@b@ return null;@b@ }@b@ }@b@ @b@ private static byte[] computeSha256(byte[] data) {@b@ try {@b@ return MessageDigest.getInstance("SHA-256").digest(data);@b@ }catch (NoSuchAlgorithmException e) {@b@ return null;@b@ }@b@ }@b@ @b@ private static String byte2hex(byte[] data) {@b@ if (data == null) return null;@b@ final StringBuilder hexadecimal = new StringBuilder();@b@ for (final byte b : data) {@b@ hexadecimal.append(String.format("%02X", b));@b@ }@b@ return hexadecimal.toString();@b@ }@b@}
三、安全代码示例
1、声明使用内部签名许可。@b@2、验证内部签名许由的正确性。@b@3、验证目标应用由内部证书签名。@b@4、敏感数据可以发到内部应用。@b@5、使用显式intent去调用内部服务。@b@6、处理收到的结果数据,验证真实性和可用性。@b@7、当导出APK的时候,使用与目标应用相同的developer key进行签名。
AndroidManifest.xml@b@ @b@<?xml version="1.0" encoding="utf-8"?>@b@ @b@<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.jssec.android.service.inhouseservice.messengeruser" >@b@ @b@ <!-- *** POINT 8 *** Declare to use the in-house signature permission. -->@b@ <uses-permission@b@ android:name="org.jssec.android.service.inhouseservice.messenger.MY_PERMISSION" />@b@ @b@ <application@b@ android:icon="@drawable/ic_launcher"@b@ android:label="@string/app_name"@b@ android:allowBackup="false" >@b@ <activity@b@ android:name="org.jssec.android.service.inhouseservice.messengeruser.InhouseMessengerUserActivity"@b@ android:label="@string/app_name"@b@ android:exported="true" >@b@ <intent-filter>@b@ <action android:name="android.intent.action.MAIN" />@b@ <category android:name="android.intent.category.LAUNCHER" />@b@ </intent-filter>@b@ </activity>@b@ </application>@b@</manifest>
import org.jssec.android.shared.PkgCert;@b@import org.jssec.android.shared.SigPerm;@b@import org.jssec.android.shared.Utils;@b@ @b@import android.app.Activity;@b@import android.content.ComponentName;@b@import android.content.Context;@b@import android.content.Intent;@b@import android.content.ServiceConnection;@b@import android.os.Bundle;@b@import android.os.Handler;@b@import android.os.IBinder;@b@import android.os.Message;@b@import android.os.Messenger;@b@import android.os.RemoteException;@b@import android.view.View;@b@import android.widget.Toast;@b@ @b@public class InhouseMessengerUserActivity extends Activity {@b@ @b@ private boolean mIsBound;@b@ private Context mContext;@b@ @b@ // Destination (Requested) service application information@b@ private static final String TARGET_PACKAGE = "org.jssec.android.service.inhouseservice.messenger";@b@ private static final String TARGET_CLASS = "org.jssec.android.service.inhouseservice.messenger.InhouseMessengerService";@b@ @b@ // In-house signature permission@b@ private static final String MY_PERMISSION = "org.jssec.android.service.inhouseservice.messenger.MY_PERMISSION";@b@ @b@ // In-house certificate hash value@b@ private static String sMyCertHash = null;@b@ private static String myCertHash(Context context) {@b@ if (sMyCertHash == null) {@b@ if (Utils.isDebuggable(context)) {@b@ // Certificate hash value of debug.keystore "androiddebugkey"@b@ sMyCertHash = "0EFB7236 328348A9 89718BAD DF57F544 D5CCB4AE B9DB34BC 1E29DD26 F77C8255";@b@ } else {@b@ // Certificate hash value of keystore "my company key"@b@ sMyCertHash = "D397D343 A5CBC10F 4EDDEB7C A10062DE 5690984F 1FB9E88B D7B3A7C2 42E142CA";@b@ }@b@ }@b@ return sMyCertHash;@b@ }@b@ @b@ // Messenger used when this application receives data from service.@b@ private Messenger mServiceMessenger = null;@b@ @b@ // Messenger used when this application sends data to service.@b@ private final Messenger mActivityMessenger = new Messenger(new ActivitySideHandler());@b@ @b@ // Handler which handles message received from service@b@ private class ActivitySideHandler extends Handler {@b@ @Override@b@ public void handleMessage(Message msg) {@b@ switch (msg.what) {@b@ case CommonValue.MSG_SET_VALUE:@b@ Bundle data = msg.getData();@b@ String info = data.getString("key");@b@ // *** POINT 13 *** Handle the received result data carefully and securely,@b@ // even though the data came from an in-house application@b@ // Omitted, since this is a sample. Please refer to "3.2 Handling Input Data Carefully and Securely."@b@ Toast.makeText(mContext, String.format("Received ¥"%s¥" from service.", info), Toast.LENGTH_SHORT).show();@b@ break;@b@ default:@b@ super.handleMessage(msg);@b@ }@b@ }@b@ }@b@ @b@ // Connection used to connect with service. This is necessary when service is implemented with bindService().@b@ private ServiceConnection mConnection = new ServiceConnection() {@b@ @b@ // This is called when the connection with the service has been established.@b@ @Override@b@ public void onServiceConnected(ComponentName className, IBinder service) {@b@ mServiceMessenger = new Messenger(service);@b@ Toast.makeText(mContext, "Connect to service", Toast.LENGTH_SHORT).show();@b@ @b@ try{@b@ // Send own messenger to service@b@ Message msg = Message.obtain(null, CommonValue.MSG_REGISTER_CLIENT); msg.replyTo = mActivityMessenger;@b@ mServiceMessenger.send(msg);@b@ } catch (RemoteException e) {@b@ // Service stopped abnormally@b@ }@b@ }@b@ @b@ // This is called when the service stopped abnormally and connection is disconnected.@b@ @Override@b@ public void onServiceDisconnected(ComponentName className) {@b@ mServiceMessenger = null;@b@ Toast.makeText(mContext, "Disconnected from service", Toast.LENGTH_SHORT).show();@b@ }@b@ };@b@ @b@ @Override@b@ public void onCreate(Bundle savedInstanceState) {@b@ super.onCreate(savedInstanceState);@b@ @b@ setContentView(R.layout.inhouseservice_activity);@b@ @b@ mContext = this;@b@ }@b@ @b@ // --- StartService control ---@b@ @b@ public void onStartServiceClick(View v) {@b@ // Start bindService@b@ doBindService();@b@ }@b@ @b@ public void onGetInfoClick(View v) {@b@ getServiceinfo();@b@ }@b@ @b@ public void onStopServiceClick(View v) {@b@ doUnbindService();@b@ }@b@ @b@ @Override@b@ protected void onDestroy() {@b@ super.onDestroy();@b@ doUnbindService();@b@ }@b@ @b@ @b@ //Connect to service@b@ void doBindService() {@b@ if (!mIsBound){@b@ // *** POINT 9 *** Verify that the in-house signature permission is defined by an in-house application.@b@ if (!SigPerm.test(this, MY_PERMISSION, myCertHash(this))) {@b@ Toast.makeText(this, "In-house defined signature permission is not defined by in-house application.", Toast.LENGTH_LONG).show();@b@ return;@b@ }@b@ @b@ // *** POINT 10 *** Verify that the destination application is signed with the in-house certificate.@b@ if (!PkgCert.test(this, TARGET_PACKAGE, myCertHash(this))) {@b@ Toast.makeText(this, "Destination(Requested) service application is not in-house application.", Toast .LENGTH_LONG).show();@b@ return;@b@ }@b@ @b@ Intent intent = new Intent();@b@ @b@ // *** POINT 11 *** Sensitive information can be sent since the destination application is in-house one.@b@ intent.putExtra("PARAM", "Sensitive information");@b@ @b@ // *** POINT 12 *** Use the explicit intent to call an in-house service.@b@ intent.setClassName(TARGET_PACKAGE, TARGET_CLASS);@b@ @b@ bindService(intent, mConnection, Context.BIND_AUTO_CREATE);@b@ mIsBound = true;@b@ }@b@ }@b@ @b@ //Disconnect service@b@ void doUnbindService() {@b@ if (mIsBound) {@b@ unbindService(mConnection);@b@ mIsBound = false;@b@ }@b@ }@b@ @b@ //Get information from service@b@ void getServiceinfo() {@b@ if (mServiceMessenger != null) {@b@ try{@b@ // Request sending information@b@ Message msg = Message.obtain(null, CommonValue.MSG_SET_VALUE);@b@ mServiceMessenger.send(msg);@b@ } catch (RemoteException e) {@b@ // Service stopped abnormally@b@ }@b@ }@b@ }@b@}import android.content.Context;@b@import android.content.pm.PackageManager;@b@import android.content.pm.PackageManager.NameNotFoundException;@b@import android.content.pm.PermissionInfo;@b@ @b@public class SigPerm {@b@ @b@ public static boolean test(Context ctx, String sigPermName, String correctHash) {@b@ if (correctHash == null) return false;@b@ correctHash = correctHash.replaceAll(" ", "");@b@ return correctHash.equals(hash(ctx, sigPermName));@b@ }@b@ @b@ public static String hash(Context ctx, String sigPermName) {@b@ if (sigPermName == null) return null;@b@ try {@b@ // Get the package name of the application which declares a permission named sigPermName.@b@ PackageManager pm = ctx.getPackageManager();@b@ PermissionInfo pi;@b@ pi = pm.getPermissionInfo(sigPermName, PackageManager.GET_META_DATA);@b@ String pkgname = pi.packageName;@b@ @b@ // Fail if the permission named sigPermName is not a Signature Permission@b@ if (pi.protectionLevel != PermissionInfo.PROTECTION_SIGNATURE) return null;@b@ @b@ // Return the certificate hash value of the application which declares a permission named sigPermName.@b@ return PkgCert.hash(ctx, pkgname);@b@ } catch (NameNotFoundException e) {@b@ return null;@b@ }@b@ }@b@}import java.security.MessageDigest;@b@import java.security.NoSuchAlgorithmException;@b@ @b@import android.content.Context;@b@import android.content.pm.PackageInfo;@b@import android.content.pm.PackageManager;@b@import android.content.pm.PackageManager.NameNotFoundException;@b@import android.content.pm.Signature;@b@ @b@public class PkgCert {@b@ @b@ public static boolean test(Context ctx, String pkgname, String correctHash) {@b@ if (correctHash == null) return false;@b@ correctHash = correctHash.replaceAll(" ", "");@b@ return correctHash.equals(hash(ctx, pkgname));@b@ }@b@ @b@ public static String hash(Context ctx, String pkgname) {@b@ if (pkgname == null) return null;@b@ try {@b@ PackageManager pm = ctx.getPackageManager();@b@ PackageInfo pkginfo = pm.getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);@b@ if (pkginfo.signatures.length != 1) return null; // Will not handle multiple signatures.@b@ Signature sig = pkginfo.signatures[0];@b@ byte[] cert = sig.toByteArray();@b@ byte[] sha256 = computeSha256(cert);@b@ return byte2hex(sha256);@b@ } catch (NameNotFoundException e) {@b@ return null;@b@ }@b@ }@b@ @b@ private static byte[] computeSha256(byte[] data) {@b@ try {@b@ return MessageDigest.getInstance("SHA-256").digest(data);@b@ } catch (NoSuchAlgorithmException e) {@b@ return null;@b@ }@b@ }@b@ @b@ private static String byte2hex(byte[] data) {@b@ if (data == null) return null;@b@ final StringBuilder hexadecimal = new StringBuilder();@b@ for (final byte b : data) {@b@ hexadecimal.append(String.format("%02X", b));@b@ }@b@ return hexadecimal.toString();@b@ }@b@}