Friday, June 10, 2011

How Android prevents Google Transport Spoof

Few days back, I was reading a blog which says that Google has managed to tighten it's security to prevent apps from siphoning personal data of the users from an Android device. Now that is interesting!
In the Gingerbread sdk, if one looks at the BackupManagerService.java, one can see a very interesting piece of code with explanatory comments.

try {
            // If there's something out there that is supposed to be the Google
            // backup transport, make sure it's legitimately part of the OS build
            // and not an app lying about its package name.

            ApplicationInfo info = mPackageManager.getApplicationInfo(
                    transportComponent.getPackageName(), 0);
            if ((info.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                if (DEBUG) Slog.v(TAG, "Binding to Google transport");
                Intent intent = new Intent().setComponent(transportComponent);
                context.bindService(intent, mGoogleConnection, Context.BIND_AUTO_CREATE);
            } else {
                Slog.w(TAG, "Possible Google transport spoof: ignoring " + info);
            }
        } catch (PackageManager.NameNotFoundException nnf) {
            // No such package?  No binding.
            if (DEBUG) Slog.v(TAG, "Google transport not present");
        }

I guess this wasn't there prior to Gingerbread, but I am not sure, if the blog talks about some other security.
What I understand is that, without this check any app could have actually tricked the BackupManagerService to bind to itself to get the data that the user is trying to backup, assuming this service was enabled.

Using Simple API to marshal and unmarshal xml

I had been using Simple Api for quite some time now to marshal and UN-marshal xml files to Java classes on Android. While I tried my hand with XPP, Spring Android but I found Simple to be absolutely simple!! It works like a charm. Interestingly, Spring also uses Simple Api. It has support for posts like atom, rss feeds. But all these can be done using only Simple as well. Here is the link for Simple. The code examples are easy to follow. All one needs to do is to put the jar into Android (or any java project) project's classpath.
In addition to all the serialization/de-serialization magic that it performs,one thing that I like about Simple is the ability to write the data from the class into an OutputStream. For e.g:

//MyXml is the class
 MyXml myXml = new MyXml();
 myXml.description = "some_desc";
  myXml.name = "some_name";
//assuming MyXml has already been defined the way the xml is going to be parsed, //with it's root, elements, attributes.

Serializer serializer = new Persister();
ByteArrayOutputStream bos = new ByteArrayOutputStream();
try {
serializer.write(myXml, bos);
}catch(Exception e) {//whatever}

I do not appreciate putting a try/catch block with a generic "Exception" but that is how the api is written. It mandates you to catch a generic Exception. Hope they will modify that later.
 
It can be used to generate the xml in the form of a String:
String xmlString = new String(bos.toByteArray(), "UTF-8");
This String can be sent as a data to some server over Http from Android, if the need be.
One can also write the contents to a file instead of a OutputStream.
File file = new File(Environment.getExternalStorageDirectory()
                        + "/some.xml");
serializer.write(myXml, file);
Again that should be inside a try/catch...ah what an innovative way to catch Exception... pun intended!!
But I just love Simple...somebody had once said, "Simple living and high thinking"....I can attribute this to Simple api..."Simple parsing and high performing"!