I want to load dynamic classes from not trusted source.
I found this tutorial to load dynamic classes using DexClassLoader. How can I prevent loaded classes to hack in to my database or do any damage to my application? Is it possible?
Asked
Active
Viewed 185 times
1 Answers
0
The article you cite is a bit dated. The dx script in the SDK's build-tools directory is a much easier way to add the classes.dex file; just export code to a .jar file, then run dx --dex --output result.jar exported.jar.
But that doesn't answer your question! This is something I've looked at a bit myself. I don't have what I think of as a definitive answer, yet, but I sure haven't seen any way to sandbox part of your app: Any plugin you load will run with your app's permissions. The best solution I've come up with so far is to run your plugins in a separate process, with limited permissions, but of course this has its own problems:
- You can't add a
Viewfrom a child process to aViewGroupfrom the host process. - Providing app services to the plugin now requires IPC. The Binder and AIDL make this pretty easy - but don't make this any cheaper.
- Getting any results back from the plugin also requires IPC. Maybe you can use the Binder to do two-way communication - I haven't looked at that yet - but maybe you will have to use raw Linux IPC mechanisms.
Jon Shemitz
- 1,235
- 13
- 29