4.4.1.3 创建/使用伙伴服务
伙伴服务是只能由特定应用使用的服务。 系统由伙伴公司的应用和内部应用组成,用于保护在伙伴应用和内部应用之间处理的信息和功能。
以下是 AIDL 绑定类型服务的示例。
要点(创建服务):
不要定义意图过滤器,并将导出属性显式设置为
true。验证请求应用的证书是否已在自己的白名单中注册。
请勿(无法)通过
onBind(onStartCommand, onHandleIntent)识别请求应用是否为伙伴。小心并安全地处理接收到的意图,即使意图是从伙伴应用发送的。
仅返回公开给伙伴应用的信息。
另外,请参阅“5.2.1.3 如何验证应用证书的哈希值”,来了解如何验证目标应用的哈希值,它在白名单中指定。
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?><manifest xmlns:android="http://schemas.android.com/apk/res/android"package="org.jssec.android.service.partnerservice.aidl" ><applicationandroid:icon="@drawable/ic_launcher"android:label="@string/app_name"android:allowBackup="false" ><!-- Service using AIDL --><!-- *** POINT 1 *** Do not define the intent filter and explicitly set the exported attribute totrue. --><serviceandroid:name="org.jssec.android.service.partnerservice.aidl.PartnerAIDLService"android:exported="true" /></application></manifest>
在这个例子中,将创建 2 个 AIDL 文件。 一个是回调接口,将数据从服务提供给活动。 另一个接口将数据从活动提供给服务,并获取信息。 另外,AIDL 文件中描述的包名称,应与 AIDL 文件的目录层次一致,与java文件中描述的包名称相同。
IExclusiveAIDLServiceCallback.aidl
package org.jssec.android.service.exclusiveservice.aidl;interface IExclusiveAIDLServiceCallback {/*** It's called when the value is changed.*/void valueChanged(String info);}
IExclusiveAIDLService.aidl
package org.jssec.android.service.exclusiveservice.aidl;import org.jssec.android.service.exclusiveservice.aidl.IExclusiveAIDLServiceCallback;interface IExclusiveAIDLService {/*** Register Callback.*/void registerCallback(IExclusiveAIDLServiceCallback cb);/*** Get Information*/String getInfo(String param);/*** Unregister Callback*/void unregisterCallback(IExclusiveAIDLServiceCallback cb);}
PartnerAIDLService.java
package org.jssec.android.service.partnerservice.aidl;import org.jssec.android.shared.PkgCertWhitelists;import org.jssec.android.shared.Utils;import android.app.Service;import android.content.Context;import android.content.Intent;import android.os.Handler;import android.os.IBinder;import android.os.Message;import android.os.RemoteCallbackList;import android.os.RemoteException;import android.widget.Toast;public class PartnerAIDLService extends Service {private static final int REPORT_MSG = 1;private static final int GETINFO_MSG = 2;// The value which this service informs to clientprivate int mValue = 0;// *** POINT 2 *** Verify that the certificate of the requesting application has been registered in the own white list.private static PkgCertWhitelists sWhitelists = null;private static void buildWhitelists(Context context) {boolean isdebug = Utils.isDebuggable(context);sWhitelists = new PkgCertWhitelists();// Register certificate hash value of partner application "org.jssec.android.service.partnerservice.aidluser"sWhitelists.add("org.jssec.android.service.partnerservice.aidluser", isdebug ?// Certificate hash value of debug.keystore "androiddebugkey""0EFB7236 328348A9 89718BAD DF57F544 D5CCB4AE B9DB34BC 1E29DD26 F77C8255" :// Certificate hash value of keystore "partner key""1F039BB5 7861C27A 3916C778 8E78CE00 690B3974 3EB8259F E2627B8D 4C0EC35A");// Register other partner applications in the same way}private static boolean checkPartner(Context context, String pkgname) {if (sWhitelists == null) buildWhitelists(context);return sWhitelists.test(context, pkgname);}// Object to register callback// Methods which RemoteCallbackList provides are thread-safe.private final RemoteCallbackList<IPartnerAIDLServiceCallback> mCallbacks =new RemoteCallbackList<IPartnerAIDLServiceCallback>();// Handler to send data when callback is called.private static class ServiceHandler extends Handler{private Context mContext;private RemoteCallbackList<IPartnerAIDLServiceCallback> mCallbacks;private int mValue = 0;public ServiceHandler(Context context, RemoteCallbackList<IPartnerAIDLServiceCallback> callback, int value){this.mContext = context;this.mCallbacks = callback;this.mValue = value;}@Overridepublic void handleMessage(Message msg) {switch (msg.what) {case REPORT_MSG: {if(mCallbacks == null){return;}// Start broadcast// To call back on to the registered clients, use beginBroadcast().// beginBroadcast() makes a copy of the currently registered callback list.final int N = mCallbacks.beginBroadcast();for (int i = 0; i < N; i++) {IPartnerAIDLServiceCallback target = mCallbacks.getBroadcastItem(i);try {// *** POINT 5 *** Information that is granted to disclose to partner applications can be returned.target.valueChanged("Information disclosed to partner application (callback from Service) No." + (++mValue));} catch (RemoteException e) {// Callbacks are managed by RemoteCallbackList, do not unregister callbacks here.// RemoteCallbackList.kill() unregister all callbacks}}// finishBroadcast() cleans up the state of a broadcast previously initiated by calling beginBroadcast().mCallbacks.finishBroadcast();// Repeat after 10 secondssendEmptyMessageDelayed(REPORT_MSG, 10000);break;}case GETINFO_MSG: {if(mContext != null) {Toast.makeText(mContext,(String) msg.obj, Toast.LENGTH_LONG).show();}break;}default:super.handleMessage(msg);break;} // switch}protected final ServiceHandler mHandler = new ServiceHandler(this, mCallbacks, mValue);// Interfaces defined in AIDLprivate final IPartnerAIDLService.Stub mBinder = new IPartnerAIDLService.Stub() {private boolean checkPartner() {Context ctx = PartnerAIDLService.this;if (!PartnerAIDLService.checkPartner(ctx, Utils.getPackageNameFromUid(ctx, getCallingUid()))) {mHandler.post(new Runnable(){@Overridepublic void run(){Toast.makeText(PartnerAIDLService.this, "Requesting application is not partner application.", Toast.LENGTH_LONG).show();}});return false;}return true;}public String getInfo(String param) {// *** POINT 2 *** Verify that the certificate of the requesting application has been registered in the own white list.if (!checkPartner()) {return null;}// *** POINT 4 *** Handle the received intent carefully and securely,// even though the intent was sent from a partner application// Omitted, since this is a sample. Please refer to "3.2 Handling Input Data Carefully and Securely."Message msg = new Message();msg.what = GETINFO_MSG;msg.obj = String.format("Method calling from partner application. Recieved ¥"%s¥"", param);PartnerAIDLService.this.mHandler.sendMessage(msg);// *** POINT 5 *** Return only information that is granted to be disclosed to a partner application.return "Information disclosed to partner application (method from Service)";}public void unregisterCallback(IPartnerAIDLServiceCallback cb) {// *** POINT 2 *** Verify that the certificate of the requesting application has been registered in the own white list.if (!checkPartner()) {return;}if (cb != null) mCallbacks.unregister(cb);}};@Overridepublic IBinder onBind(Intent intent) {// *** POINT 3 *** Verify that the certificate of the requesting application has been registered in the own white list.// So requesting application must be validated in methods defined in AIDL every time.return mBinder;}@Overridepublic void onCreate() {Toast.makeText(this, this.getClass().getSimpleName() + " - onCreate()", Toast.LENGTH_SHORT).show();// During service is running, inform the incremented number periodically.mHandler.sendEmptyMessage(REPORT_MSG);}@Overridepublic void onDestroy() {Toast.makeText(this, this.getClass().getSimpleName() + " - onDestroy()", Toast.LENGTH_SHORT).show();// Unregister all callbacksmCallbacks.kill();mHandler.removeMessages(REPORT_MSG);}}
PkgCertWhitelists.java
package org.jssec.android.shared;import java.util.HashMap;import java.util.Map;import android.content.Context;public class PkgCertWhitelists {private Map<String, String> mWhitelists = new HashMap<String, String>();public boolean add(String pkgname, String sha256) {if (pkgname == null) return false;if (sha256 == null) return false;sha256 = sha256.replaceAll(" ", "");if (sha256.length() != 64) return false; // SHA-256 -> 32 bytes -> 64 charssha256 = sha256.toUpperCase();if (sha256.replaceAll("[0-9A-F]+", "").length() != 0) return false; // found non hex charmWhitelists.put(pkgname, sha256);return true;}public boolean test(Context ctx, String pkgname) {// Get the correct hash value which corresponds to pkgname.String correctHash = mWhitelists.get(pkgname);// Compare the actual hash value of pkgname with the correct hash value.return PkgCert.test(ctx, pkgname, correctHash);}}
PkgCert.java
package org.jssec.android.shared;import java.security.MessageDigest;import java.security.NoSuchAlgorithmException;import android.content.Context;import android.content.pm.PackageInfo;import android.content.pm.PackageManager;import android.content.pm.PackageManager.NameNotFoundException;import android.content.pm.Signature;public class PkgCert {public static boolean test(Context ctx, String pkgname, String correctHash) {if (correctHash == null) return false;correctHash = correctHash.replaceAll(" ", "");return correctHash.equals(hash(ctx, pkgname));}public static String hash(Context ctx, String pkgname) {if (pkgname == null) return null;try {PackageManager pm = ctx.getPackageManager();PackageInfo pkginfo = pm.getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);if (pkginfo.signatures.length != 1) return null; // Will not handle multiple signatures.Signature sig = pkginfo.signatures[0];byte[] cert = sig.toByteArray();byte[] sha256 = computeSha256(cert);return byte2hex(sha256);} catch (NameNotFoundException e) {return null;}}private static byte[] computeSha256(byte[] data) {try {return MessageDigest.getInstance("SHA-256").digest(data);} catch (NoSuchAlgorithmException e) {return null;}}private static String byte2hex(byte[] data) {if (data == null) return null;final StringBuilder hexadecimal = new StringBuilder();for (final byte b : data) {hexadecimal.append(String.format("%02X", b));}return hexadecimal.toString();}}
下面是使用伙伴服务的活动代码:
要点(使用服务):
验证目标应用的证书是否已在自己的白名单中注册。
仅返回公开给伙伴应用的信息。
使用显式意图调用伙伴服务。
即使数据来自伙伴应用,也要小心并安全地处理收到的结果数据。
ExclusiveAIDLUserActivity.java
package org.jssec.android.service.partnerservice.aidluser;import org.jssec.android.service.partnerservice.aidl.IPartnerAIDLService;import org.jssec.android.service.partnerservice.aidl.IPartnerAIDLServiceCallback;import org.jssec.android.shared.PkgCertWhitelists;import org.jssec.android.shared.Utils;import android.app.Activity;import android.content.ComponentName;import android.content.Context;import android.content.Intent;import android.content.ServiceConnection;import android.os.Bundle;import android.os.Handler;import android.os.IBinder;import android.os.Message;import android.os.RemoteException;import android.view.View;import android.widget.Toast;public class PartnerAIDLUserActivity extends Activity {private boolean mIsBound;private Context mContext;private final static int MGS_VALUE_CHANGED = 1;// *** POINT 6 *** Verify if the certificate of the target application has been registered in the own white list.private static PkgCertWhitelists sWhitelists = null;private static void buildWhitelists(Context context) {boolean isdebug = Utils.isDebuggable(context);sWhitelists = new PkgCertWhitelists();// Register certificate hash value of partner service application "org.jssec.android.service.partnerservice.aidl"sWhitelists.add("org.jssec.android.service.partnerservice.aidl", isdebug ?// Certificate hash value of debug.keystore "androiddebugkey""0EFB7236 328348A9 89718BAD DF57F544 D5CCB4AE B9DB34BC 1E29DD26 F77C8255" :// Certificate hash value of keystore "my company key""D397D343 A5CBC10F 4EDDEB7C A10062DE 5690984F 1FB9E88B D7B3A7C2 42E142CA");// Register other partner service applications in the same way}private static boolean checkPartner(Context context, String pkgname) {if (sWhitelists == null) buildWhitelists(context);return sWhitelists.test(context, pkgname);}// Information about destination (requested) partner activity.private static final String TARGET_PACKAGE = "org.jssec.android.service.partnerservice.aidl";private static final String TARGET_CLASS = "org.jssec.android.service.partnerservice.aidl.PartnerAIDLService";private static class ReceiveHandler extends Handler{private Context mContext;public ReceiveHandler(Context context){this.mContext = context;}@Overridepublic void handleMessage(Message msg) {switch (msg.what) {case MGS_VALUE_CHANGED: {String info = (String)msg.obj;Toast.makeText(mContext, String.format("Received ¥"%s¥" with callback.", info), Toast.LENGTH_SHORT).show();break;}default:super.handleMessage(msg);break;} // switch}private final ReceiveHandler mHandler = new ReceiveHandler(this);// Interfaces defined in AIDL. Receive notice from serviceprivate final IPartnerAIDLServiceCallback.Stub mCallback =new IPartnerAIDLServiceCallback.Stub() {@Overridepublic void valueChanged(String info) throws RemoteException {Message msg = mHandler.obtainMessage(MGS_VALUE_CHANGED, info);mHandler.sendMessage(msg);}};// Interfaces defined in AIDL. Inform service.private IPartnerAIDLService mService = null;// Connection used to connect with service. This is necessary when service is implemented with bindService().private ServiceConnection mConnection = new ServiceConnection() {// This is called when the connection with the service has been established.@Overridepublic void onServiceConnected(ComponentName className, IBinder service) {mService = IPartnerAIDLService.Stub.asInterface(service);try{// connect to servicemService.registerCallback(mCallback);}catch(RemoteException e){// service stopped abnormally}Toast.makeText(mContext, "Connected to service", Toast.LENGTH_SHORT).show();}// This is called when the service stopped abnormally and connection is disconnected.@Overridepublic void onServiceDisconnected(ComponentName className) {Toast.makeText(mContext, "Disconnected from service", Toast.LENGTH_SHORT).show();}};@Overridepublic void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);setContentView(R.layout.partnerservice_activity);mContext = this;}// --- StartService control ---public void onStartServiceClick(View v) {// Start bindServicedoBindService();}public void onGetInfoClick(View v) {getServiceinfo();}public void onStopServiceClick(View v) {doUnbindService();}@Overridepublic void onDestroy() {super.onDestroy();doUnbindService();}/*** Connect to service*/private void doBindService() {if (!mIsBound){// *** POINT 6 *** Verify if the certificate of the target application has been registered in the own white list.if (!checkPartner(this, TARGET_PACKAGE)) {Toast.makeText(this, "Destination(Requested) sevice application is not registered in white list.", Toast.LENGTH_LONG).show();return;}Intent intent = new Intent();// *** POINT 7 *** Return only information that is granted to be disclosed to a partner application.intent.putExtra("PARAM", "Information disclosed to partner application");// *** POINT 8 *** Use the explicit intent to call a partner service.intent.setClassName(TARGET_PACKAGE, TARGET_CLASS);bindService(intent, mConnection, Context.BIND_AUTO_CREATE);mIsBound = true;}}/*** Disconnect service*/private void doUnbindService() {if (mIsBound) {// Unregister callbacks which have been registered.if(mService != null){try{mService.unregisterCallback(mCallback);}catch(RemoteException e){// Service stopped abnormally// Omitted, since it' s sample.}}unbindService(mConnection);Intent intent = new Intent();// *** POINT 8 *** Use the explicit intent to call a partner service.intent.setClassName(TARGET_PACKAGE, TARGET_CLASS);stopService(intent);mIsBound = false;}}/*** Get information from service*/void getServiceinfo() {if (mIsBound && mService != null) {String info = null;try {// *** POINT 7 *** Return only information that is granted to be disclosed to a partner application.info = mService.getInfo("Information disclosed to partner application (method from activity)");} catch (RemoteException e) {e.printStackTrace();}// *** POINT 9 *** Handle the received result data carefully and securely,// even though the data came from a partner application.// Omitted, since this is a sample. Please refer to "3.2 Handling Input Data Carefully and Securely."Toast.makeText(mContext, String.format("Received ¥"%s¥" from service.", info), Toast.LENGTH_SHORT).show();}}}
PkgCertWhitelists.java
package org.jssec.android.shared;import java.util.HashMap;import java.util.Map;import android.content.Context;public class PkgCertWhitelists {private Map<String, String> mWhitelists = new HashMap<String, String>();public boolean add(String pkgname, String sha256) {if (pkgname == null) return false;if (sha256 == null) return false;sha256 = sha256.replaceAll(" ", "");if (sha256.length() != 64) return false; // SHA-256 -> 32 bytes -> 64 charssha256 = sha256.toUpperCase();if (sha256.replaceAll("[0-9A-F]+", "").length() != 0) return false; // found non hex charmWhitelists.put(pkgname, sha256);return true;}public boolean test(Context ctx, String pkgname) {// Get the correct hash value which corresponds to pkgname.String correctHash = mWhitelists.get(pkgname);// Compare the actual hash value of pkgname with the correct hash value.return PkgCert.test(ctx, pkgname, correctHash);}}
PkgCert.java
package org.jssec.android.shared;import java.security.MessageDigest;import java.security.NoSuchAlgorithmException;import android.content.Context;import android.content.pm.PackageInfo;import android.content.pm.PackageManager;import android.content.pm.PackageManager.NameNotFoundException;import android.content.pm.Signature;public class PkgCert {public static boolean test(Context ctx, String pkgname, String correctHash) {if (correctHash == null) return false;correctHash = correctHash.replaceAll(" ", "");return correctHash.equals(hash(ctx, pkgname));}public static String hash(Context ctx, String pkgname) {if (pkgname == null) return null;try {PackageManager pm = ctx.getPackageManager();PackageInfo pkginfo = pm.getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);if (pkginfo.signatures.length != 1) return null; // Will not handle multiple signatures.Signature sig = pkginfo.signatures[0];byte[] cert = sig.toByteArray();byte[] sha256 = computeSha256(cert);return byte2hex(sha256);} catch (NameNotFoundException e) {return null;}}private static byte[] computeSha256(byte[] data) {try {return MessageDigest.getInstance("SHA-256").digest(data);} catch (NoSuchAlgorithmException e) {return null;}}private static String byte2hex(byte[] data) {if (data == null) return null;final StringBuilder hexadecimal = new StringBuilder();for (final byte b : data) {hexadecimal.append(String.format("%02X", b));}return hexadecimal.toString();}}
若有收获,就点个赞吧
0 人点赞
