4

I need to do a security check on an IBinder instance carried from another process via IPC. The creator/receiver of this IBinder may not be the direct caller of the IPC carrying it, so I can't simply use Binder.getCallingUid().

How can I detect the UID or PID of a specific IBinder instance?

Onik
Oasis Feng
  • where do you want to get caller's UID or PID? note you are getting UID or PID of the caller of the active Binder transaction (so it has to be done inside `onTransact` method) – pskink Jul 31 '16 at 05:25
  • @pskink The IBinder instance is not necessarily owned by the caller. It might be carried on from another process via earlier IPC. – Oasis Feng Jul 31 '16 at 16:00
  • where do you want to get pid or uid? – pskink Jul 31 '16 at 16:02
  • @pskink the code in my Activity or Service. – Oasis Feng Aug 01 '16 at 02:30
  • ok, where do you create your `Binder`? your `Binder` has `onTransact` method and it is the place where you should call `getCallingPid` / `getCallingUid`, then you can pass your `Binder` to some different process `A`, process `A` could call `transact` method or pass the `Binder` to process `B`, the `Binder` passing can be done multiple times but finally in order to use the `Binder` the `transact` method must be used and when called `onTransact` method will be executed where you can get the caller's pid / uid – pskink Aug 01 '16 at 05:17
  • @pskink Sorry, the IBinder was not created by my app, it's received from another app. That's why I need to do security check. – Oasis Feng Aug 01 '16 at 12:48
  • what do you want to check when calling `IBinder#transact()` ? it makes no sense... the only reasonable check is inside `Binder#onTransact` method to see if the calling party is allowed to do so or not... – pskink Aug 01 '16 at 12:59
  • @pskink This IBinder instance is a callback AIDL, to which my app will hand sensitive data asynchronously. That's why I need to check the identity of it. Never mind, I switch to PendingIntent for this purpose now. – Oasis Feng Aug 02 '16 at 03:34
  • if this is an AIDL callback then it means that in your code you have something like this: `class AIDLTestCallbackImpl extends AIDLTestCallback.Stub {...` so just override `onTransact` method and before calling `super.onTransact` add your checks, also i don't see how `PendingIntent` could help you with that AIDL callback... – pskink Aug 02 '16 at 05:18
  • @pskink This AIDL callback is an IPC interface, that means the implementation is in the code base of another app, not mine. – Oasis Feng Aug 02 '16 at 12:35
  • PendingIntent gives me the opportunity to verify the identity of its creator with PendingIntent.getCreatorPackage() or getCreatorUid(), and of course it can be used to send back data with PendingIntent.send(), like an AIDL callback. – Oasis Feng Aug 02 '16 at 12:38
  • if this AIDL callback is an IPC interface of another app, not yours, so how could `PendingIntent.send()` solve your problem if you cannot receive it in that app (it uses `AIDL` / `Binder` and you cannot change it as it is not your app)? can you clearly describe what you want to achieve actually and what is the architecture of your and third party app? – pskink Aug 02 '16 at 13:45
  • @pskink One of the most important use cases of PendingIntent.send() is to mix-in more data (with given intent) before sending back to its creator. – Oasis Feng Aug 02 '16 at 14:16
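The PendingIntent approach described in the comments above, written out as an added example (not code from the original thread): the receiver checks the system-recorded creator before handing data back through `send()`. The trusted package name, the same-signature policy, the `payload` extra key and the class and method names are all assumptions made for illustration.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import java.util.Arrays;

/** Added example: replies only to a PendingIntent whose creator passes an identity check. */
public final class VerifiedReply {

    // Assumption: the single package allowed to receive the data (placeholder name).
    private static final String TRUSTED_PACKAGE = "com.example.trusted";

    /** True only if the creator recorded by the system is the trusted, same-signed package. */
    static boolean isTrustedCreator(Context context, PendingIntent callback) {
        // Creator identity is recorded by the system when the PendingIntent is made;
        // a process that merely forwards the object over IPC cannot change it.
        String creatorPackage = callback.getCreatorPackage();
        int creatorUid = callback.getCreatorUid();
        if (creatorPackage == null || creatorUid < 0) return false;
        if (!TRUSTED_PACKAGE.equals(creatorPackage)) return false;

        PackageManager pm = context.getPackageManager();
        // Cross-check that the reported UID really hosts the reported package
        // (one UID can host several packages when a shared user id is used).
        String[] packagesForUid = pm.getPackagesForUid(creatorUid);
        if (packagesForUid == null
                || !Arrays.asList(packagesForUid).contains(creatorPackage)) {
            return false;
        }
        // Assumed policy: trusted peers are signed with the same certificate as this app.
        return pm.checkSignatures(context.getPackageName(), creatorPackage)
                == PackageManager.SIGNATURE_MATCH;
    }

    /** Sends the payload back to the creator, or refuses if the check fails. */
    static boolean reply(Context context, PendingIntent callback, String payload) {
        if (!isTrustedCreator(context, callback)) return false;
        // "payload" is a hypothetical extra key agreed on with the trusted app.
        Intent fillIn = new Intent().putExtra("payload", payload);
        try {
            callback.send(context, 0, fillIn);
            return true;
        } catch (PendingIntent.CanceledException e) {
            return false; // the creator cancelled the PendingIntent
        }
    }
}
```

The fill-in extras only reach the creator if it made the PendingIntent mutable; with `FLAG_IMMUTABLE` the intent passed to `send()` is ignored.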

1 Answer

-1

I think you must insert a hook in IPCThreadState to give the uid and send it from the copy_to_user function!