4

Background

I know the receiver in the Dungeons manifest (the in app billing example, for those who don't know) does not include a permission element, yet Lint warns me: "Exported receiver does not require permission (...) Without this, any application can use this receiver".

If I understood this right, an application could spoof me with fake data (perhaps in a crafted system, not sure), possibly impersonating the Play application and supplying faked billing records.

Questions

  1. Is that right? What are the implications in a regular, consumer Android device?

  2. What I should write into that to expect normal behavior? Which I presume is allowing my receiver to only receive broadcasts from a legitimate Play app. Is it com.android.vending.BILLING? In this case, I think a spoofed system can possibly declare that. That leads to 3:

  3. Should I also compare to well known Google public signatures, to avoid a spoofed system?

Comments

I know some of this may seem too much for some, yet I'm thinking about the theory here. :-)

Also, I don't have use for manifest-defined receivers, so I never paid much attention to them. That said, if I'm not getting it right, please correct me. Yes, I did read the documentation before and just now.

Thank you.

davidcesarino
  • 16,160
  • 16
  • 68
  • 109

1 Answers1

1

The transaction data is signed with a unique key, tied to your developer account. If you are verifying those properly, no one can spoof the transactions.

As for why there is no permission defined, the way the signature permission system works in Android is like this: you say 'this broadcast can only be received by an app signed with the same key as the sender'. As obviously your app is signed with a different key than the Google Play app, signature based permissions cannot be used, and this has to be public.

Technically, you could check who send the broadcast, get the package name for that UID and compare with known Google Play packages. Those tend to change as new versions are released and are different on some devices (most notably Honeycomb devices), so this might not scale too well and give you false alarms.

Nikolay Elenkov
  • 52,576
  • 10
  • 84
  • 84
  • In the first paragraph, you mean the asymmetric encryption with Google storing the private key with themselves, right? And making sure that process is performed as securely as possible (unique salt etc etc)... – davidcesarino Jul 26 '12 at 05:15
  • It's actually signing -- you get the data and it's signature, but essentially, yes. – Nikolay Elenkov Jul 26 '12 at 05:48