Android - Broadcast Receiver - Caller Check
I am writing an Android application where I need to receive some broadcasts sent by the system. I want to make sure the broadcasts are indeed sent by the system. I found this OWASP video.
At 18:00 in the video, the speaker suggests one way to check the broadcast source (see his slide):
Binder.getCallingUid () == Process.SYSTEM_UID
I tried to test this in my application, but this API gives me the uid of my own application.
I found this explanation from Dianne Hackborn:
Binder.getCallingUid() returns the UID of the caller when processing
an incoming Binder IPC. The value that is returned will vary depending
on whether you are in the context of dispatching an incoming IPC or
something else.
Also, code will often call Binder.clearCallingIdentity() to clear the
calling information after it has verified it so that further operations
are considered to be coming from the current uid.
Also, from the docs:
Return the Linux uid assigned to the process that sent you the current
transaction that is being processed. This uid can be used with
higher-level system services to determine its identity and check permissions.
If the current thread is not currently executing an incoming transaction,
then its own uid is returned.
Given these two explanations, is the Binder.getCallingUid API of any use in Android component lifecycle events (I tested in onReceive of BroadcastReceiver and onStartCommand of Service)?
If not, why is OWASP asking us to use it?
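The following Java snippet is an added illustration and is not part of the question, the OWASP talk, or any Android project code. It contrasts the two contexts the quoted documentation describes: a BroadcastReceiver, where onReceive runs after the framework has already returned from the IPC that delivered the broadcast (so there is no current transaction and getCallingUid() falls back to the app's own uid, which is what the question reports), and a Binder object's onTransact, which does execute inside an incoming transaction, so a Process.SYSTEM_UID comparison there is meaningful. The class names, the transaction code and doPrivilegedWork are hypothetical names chosen for the example.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.Process;
import android.os.RemoteException;
import android.util.Log;

// Added example (hypothetical class names); not code from the question or from OWASP.
public class CallerCheckDemo {
    private static final String TAG = "CallerCheckDemo";

    // Context 1: a broadcast receiver. onReceive is dispatched on the main thread
    // after the framework has finished the IPC that delivered the broadcast, so the
    // thread is not "executing an incoming transaction" and getCallingUid() returns
    // this app's own uid, regardless of who actually sent the broadcast.
    public static class SystemEventReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            int callingUid = Binder.getCallingUid();
            int myUid = Process.myUid();
            Log.d(TAG, "onReceive: callingUid=" + callingUid + " myUid=" + myUid);
            // callingUid == myUid here, so this comparison is false for every sender,
            // including the system. It tells us nothing about the broadcast's origin.
            boolean looksLikeSystem = callingUid == Process.SYSTEM_UID;
            Log.d(TAG, "SYSTEM_UID check in onReceive is meaningless: " + looksLikeSystem);
        }
    }

    // Context 2: a Binder that other processes call directly (e.g. returned from a
    // Service's onBind). While onTransact runs we are inside the incoming transaction,
    // so getCallingUid() identifies the remote caller and the check is meaningful.
    public static class SystemOnlyBinder extends Binder {
        static final int TRANSACTION_DO_WORK = IBinder.FIRST_CALL_TRANSACTION; // hypothetical code

        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TRANSACTION_DO_WORK) {
                return super.onTransact(code, data, reply, flags);
            }
            int callingUid = Binder.getCallingUid();
            if (callingUid != Process.SYSTEM_UID) {
                // Reject before touching the request payload.
                throw new SecurityException("caller uid " + callingUid + " is not the system");
            }
            // Caller verified. If we now call other services on the caller's behalf and
            // want them to see OUR identity rather than the system's, clear the calling
            // identity (the clearCallingIdentity() pattern quoted in the question) and
            // always restore it in a finally block.
            long token = Binder.clearCallingIdentity();
            try {
                doPrivilegedWork(data);
            } finally {
                Binder.restoreCallingIdentity(token);
            }
            reply.writeNoException();
            return true;
        }

        private void doPrivilegedWork(Parcel data) {
            // Hypothetical body: whatever the verified system caller asked for.
            Log.d(TAG, "doing work for verified system caller");
        }
    }
}
```

Running the receiver on a device and sending any broadcast to it logs the app's own uid both times, which matches the observation in the question; only the Binder path ever sees a foreign uid.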
No one has answered this question yet