我使用 Firebase Messaging 创建了一个简单的项目,使用以下依赖项.
I created a simple project using Firebase Messaging, using the following dependency.
implementation 'com.google.firebase:firebase-messaging:20.0.0'
我已经构建了应用程序并检查了它的 merged AndroidManifest.xml 文件.Firebase Messaging SDK 唯一导出的组件是以下接收器:
I have built the app and checked its merged AndroidManifest.xml file. The only exported component by Firebase Messaging SDK is the following receiver:
<receiver
android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
android:exported="true"
android:permission="com.google.android.c2dm.permission.SEND" >
<intent-filter>
<action android:name="com.google.android.c2dm.intent.RECEIVE" />
</intent-filter>
</receiver>
我找不到权限 com.google.android.c2dm.permission.SEND 的定义,即使我已经解码了 Google Play Services APK 的 AndroidManifest.xml 并且在那里什么也没找到.除了它的定义之外,它不能阻止恶意应用程序use-permission它并广播伪造的 Intent.另外由于system_server传递的Intents,接收方无法检查发送方的身份.
I couldn't find the definition of the permission com.google.android.c2dm.permission.SEND, even though I have decoded AndroidManifest.xml of Google Play Services APK and found nothing there. Apart from its definition whatever it is, it cannot prevent a malicious app to use-permission it and broadcast forged Intents. Also because of Intents being delivered by system_server, the receiver cannot check the identity of the sender.
Firebase Messageing SDK 如何应对这种威胁?
How does Firebase Messageing SDK counterattack this threat?
从 Play 商店安装的恶意应用无法使用以com.google.android"开头的任何权限.这些是为系统特权应用保留的.
A malicious app installed from the Play Store cannot use any permission that starts with "com.google.android". Those are reserved for system privileged apps.
安装在具有 Play 商店的每台设备上的 Play 服务后端"应用实际上直接处理传入的 FCM 消息.它是一个特权应用,并且是唯一会使用这些权限向您的应用发送数据的应用.
The Play services "backend" app, which is installed on every device that has the Play store, actually handles incoming FCM messages directly. It is a privileged app, and is the only one that will use those permissions to send data to your app.
如果您设法 root 设备并安装具有系统权限的恶意应用程序,那么您可能会遇到问题.但这就是您绕过设备内置的安全措施时所冒的风险.
If you manage to root your device and install a malicious app with system privileges, then you might have a problem. But that's the risk you take when you bypass the security measures built into the device.
这篇关于Android Firebase 消息传递 SDK 如何防止 Intent 欺骗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!