android安全-Broadcast Receiver
一、Broadcast Receiver简介
在Android中,Broadcast是一种广泛运用的在应用程序之间传输信息的机制。而BroadcastReceiver是对发送出来的 Broadcast进行过滤接受并响应的一类组件。
broadcast receiver使用时,可以静态注册在AndroidManifest.xml中,也可以在activity初始化函数中动态生成
静态注册:
|
1
2
3
4
5
6
7
8
9
|
//MyBroadcastReceiver继承BroadcastReceiver,重写onReceiver方法<receiver android:name="com.xiaod.mybroadcast.MyBroadcastReceiver"> <intent-filter> //使用过滤器,接收指定action广播 <action android:name=""com.xiaod.mybroadcast""></action> </intent-filter></receiver> |
动态注册:
|
1
2
3
|
IntentFilter intentFilter = new IntentFilter();intentFilter.addAction("com.xiaod.mybroadcast"); //为BroadcastReceiver指定action,使之用于接收同action的广播registerReceiver(BroadcastReceiver,intentFilter); |
一般在activity的onStart/onResume中注册,onStop中取消unregisterReceiver
发送广播:
指定广播目标Action:Intent intent = new Intent(actionString);
并且可通过Intent携带消息 :intent.putExtra(“msg”, “hi,i send a message”);
发送广播消息:Context.sendBroadcast(intent);
二、实例
两个应用Mybroadcast用于广播接收,MySendBro用于广播发送
MyBroadcast用于广播接收,指定响应action为”com.xiaod.mybroadcast”,处理类com.xiaod.mybroadcast.MyBroadcastReceiver
androidmanifest.xml文件如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
<?xml version="1.0" encoding="utf-8"?> package="xiaod.mybroadcast" android:versionCode="1" android:versionName="1.0"> <uses-sdk android:minSdkVersion="8" /> <application android:icon="@drawable/icon" android:label="@string/app_name"> <activity android:name="com.xiaod.mybroadcast.MyBroadcastActivity" android:label="@string/app_name"> <intent-filter> <action android:name="android.intent.action.MAIN" /> <category android:name="android.intent.category.LAUNCHER" /> </intent-filter> </activity> <receiver android:name="com.xiaod.mybroadcast.MyBroadcastReceiver" android:exported="true"> <intent-filter> <action android:name="com.xiaod.mybroadcast"></action> </intent-filter> </receiver> </application></manifest> |
MyBroadcastReceiver.java
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
package com.xiaod.mybroadcast;import android.content.BroadcastReceiver;import android.content.Context;import android.content.Intent;import android.util.Log;import android.widget.TextView;import android.widget.Toast;public class MyBroadcastReceiver extends BroadcastReceiver { @Override public void onReceive(Context context, Intent intent) { // TODO Auto-generated method stub String action = intent.getAction(); Toast.makeText(context, "InentAction is: \n"+action+"\nmsg is:\n"+ intent.getStringExtra("msg")+"\nid is:\n"+ android.os.Process.myPid(), Toast.LENGTH_SHORT).show(); }} |
MySendBro用于广播发送
MySendBroActivity.java如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
package com.xiaod.mysendbro;import android.app.Activity;import android.content.Intent;import android.os.Bundle;import android.view.View;import android.view.View.OnClickListener;import android.widget.Button;import android.widget.TextView;public class MySendBroActivity extends Activity { /** Called when the activity is first created. */ private Button btn; private TextView tv; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); btn = (Button)findViewById(R.id.button1); tv = (TextView)findViewById(R.id.tv); tv.setText("id is:"+android.os.Process.myPid()); btn.setOnClickListener(new OnClickListener(){ @Override public void onClick(View v) { // TODO Auto-generated method stub Intent intent = new Intent(); intent.setAction("com.xiaod.mybroadcast"); intent.putExtra("msg", "Message"); sendBroadcast(intent); }}); }} |
然后,先启动MyBroadcast,pid为598
之后启动MySendBro,pid为498,点击button给MyBroadcast发送广播
Mybroadcast响应并显示了信息
三、漏洞和修复方式
按照上述应用间广播发送的过程,如果我们分析某应用的代码(apktool反编译),在androidmanifest.xml中或在 activity中动态生成,找到该应用使用哪些broadcast receiver,对应哪个action进行处理。通过构造一个恶意的应用,标识此action,给正常应用发送broadcast,那么应用就会处理。 如果某些诸如通过internet发送短信的应用,自身注册一个receiver,是否可能通过恶意应用发送钓鱼短信欺骗用户。
修复方式:
在receiver中通过标识android:exported来开启和关闭receiver对外部应用的响应,
如果不允许外部调用,在receiver中指定exported=”false”
|
1
2
3
4
|
<receiver android:name="com.xiaod.mybroadcast.MyBroadcastReceiver" android:exported="false">......</receiver> |
如果必须要外部调用,指定exported=”true”,增加android:permission指定权限,在receiver方的 androidmanifest.xml中增加<permission>自定义权限项,并在sendbroadcast方得 androidmanifest.xml中增加<uses-permission>匹配此权限
receiver方配置如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
<?xml version="1.0" encoding="utf-8"?>...... <permission android:name="com.xiaod.mybroadcast.permission.Receiver" /> <application android:icon="@drawable/icon" android:label="@string/app_name"> <activity android:name=".MyBroadcastActivity" android:label="@string/app_name">...... </activity> <receiver android:name="com.xiaod.mybroadcast.MyBroadcastReceiver" android:exported="true" android:permission="com.xiaod.mybroadcast.permission.Receiver"> <intent-filter> <action android:name="com.xiaod.mybroadcast.action.Receiver"></action> </intent-filter> </receiver> </application></manifest> |
sendbroadcast方配置如下:
|
1
2
3
4
5
6
7
8
9
10
11
|
<?xml version="1.0" encoding="utf-8"?>...... <uses-permission android:name="com.xiaod.mybroadcast.permission.Receiver" /> <application android:icon="@drawable/icon" android:label="@string/app_name"> <activity android:name=".MySendBroActivity" android:label="@string/app_name">...... </activity> </application></manifest> |
四、关于sticky broadcast
sticky broadcast是一种特殊的broadcast,具有以下特点:
1、投递后,不会被系统删除,会持久保留
2、所有receiver都可接收,无法设定独立权限
3、其他应用具有BROADCAST_STICKY权限,即可删除任意sticky broadcast
综合以上特点,我们尽量避免使用sticky broadcast
标签分类:
下一篇:iPhone屏幕密码锁验证绕过
