How is Android Firebase messaging SDK secure against Intent spoofing?

Question

I created a simple project using Firebase Messaging, using the following dependency.

implementation 'com.google.firebase:firebase-messaging:20.0.0'

I have built the app and checked its merged AndroidManifest.xml file. The only exported component by Firebase Messaging SDK is the following receiver:

<receiver
    android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
    android:exported="true"
    android:permission="com.google.android.c2dm.permission.SEND" >
    <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
    </intent-filter>
</receiver>

I couldn't find the definition of the permission com.google.android.c2dm.permission.SEND, even though I have decoded the AndroidManifest.xml of the Google Play Services APK and found nothing there. Apart from its definition, whatever it is, it cannot prevent a malicious app from requesting it with use-permission and broadcasting forged Intents. Also, because Intents are delivered by system_server, the receiver cannot check the identity of the sender.

How does Firebase Messaging SDK counterattack this threat?

Accepted answer

A malicious app installed from the Play Store cannot use any permission that starts with "com.google.android". Those are reserved for system privileged apps.

The Play services "backend" app, which is installed on every device that has the Play store, actually handles incoming FCM messages directly. It is a privileged app, and is the only one that will use those permissions to send data to your app.

If you manage to root your device and install a malicious app with system privileges, then you might have a problem. But that's the risk you take when you bypass the security measures built into the device.
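The manual review the asker did on the merged manifest can be scripted. The following is an added example, not code from the question, the answer or Firebase: it parses a constructed sample manifest (the receiver quoted above plus two hypothetical components, .LegacyReceiver and .InternalService) and lists every component other apps can send Intents to, noting whether a permission guards it. It treats a component with an intent-filter and no android:exported attribute as implicitly exported, which is the rule for targetSdk 17 through 30.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample merged manifest: the Firebase receiver quoted in the
# question plus two hypothetical components belonging to the app itself.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
        android:exported="true"
        android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
      </intent-filter>
    </receiver>
    <receiver android:name=".LegacyReceiver">
      <intent-filter>
        <action android:name="com.example.app.ACTION_SYNC" />
      </intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false" />
  </application>
</manifest>"""

def _attr(el, name):
    return el.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(manifest_xml):
    """Return (name, exported attr, permission, note) for each component
    that other apps on the device can send Intents to."""
    findings = []
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag not in COMPONENTS:
            continue
        exported = _attr(el, "exported")
        if exported is None:
            # Assumes targetSdk 17..30: without android:exported, a component
            # is exported exactly when it declares an intent-filter.
            is_exported = el.find("intent-filter") is not None
        else:
            is_exported = exported == "true"
        if not is_exported:
            continue
        permission = _attr(el, "permission")
        note = ("guarded by " + permission) if permission else \
            "no permission: any app can target it with a forged Intent"
        findings.append((_attr(el, "name"), exported, permission, note))
    return findings
```

Calling audit_manifest(SAMPLE_MANIFEST) reports the Firebase receiver as guarded by com.google.android.c2dm.permission.SEND and .LegacyReceiver as exported with no permission at all, while the non-exported service is not listed.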
