Friday, June 10, 2011

How Android prevents Google Transport Spoof

Few days back, I was reading a blog which says that Google has managed to tighten it's security to prevent apps from siphoning personal data of the users from an Android device. Now that is interesting!
In the Gingerbread sdk, if one looks at the BackupManagerService.java, one can see a very interesting piece of code with explanatory comments.

try {
            // If there's something out there that is supposed to be the Google
            // backup transport, make sure it's legitimately part of the OS build
            // and not an app lying about its package name.

            ApplicationInfo info = mPackageManager.getApplicationInfo(
                    transportComponent.getPackageName(), 0);
            if ((info.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                if (DEBUG) Slog.v(TAG, "Binding to Google transport");
                Intent intent = new Intent().setComponent(transportComponent);
                context.bindService(intent, mGoogleConnection, Context.BIND_AUTO_CREATE);
            } else {
                Slog.w(TAG, "Possible Google transport spoof: ignoring " + info);
            }
        } catch (PackageManager.NameNotFoundException nnf) {
            // No such package?  No binding.
            if (DEBUG) Slog.v(TAG, "Google transport not present");
        }

I guess this wasn't there prior to Gingerbread, but I am not sure, if the blog talks about some other security.
What I understand is that, without this check any app could have actually tricked the BackupManagerService to bind to itself to get the data that the user is trying to backup, assuming this service was enabled.

No comments:

Post a Comment