

android 进程与线程 - 开发文档翻译 - 进程

android 进程与线程 - 开发文档翻译 - 线程

android activity开发文档翻译 - 1 - 基础篇

android activity开发文档翻译 - 2 - 生命周期篇

android task与back stack 开发文档翻译 - 1

android task与back stack 开发文档翻译 - 2

android task与back stack 开发文档翻译 - 3

android Fragment开发文档翻译 - 1

android Fragment开发文档翻译 - 2

android - 为安全而设计 - 1 - 开发文档翻译

android - 为安全而设计 - 2 - 开发文档翻译

android - 为安全而设计 - 3 - 开发文档翻译


Using Interprocess Communication (IPC)


Some Android applications attempt to implement IPC using traditional Linux techniques such as network sockets and shared files.

We strongly encourage the use of Android system functionality for IPC such as Intents, Binders, Services, and Receivers.

The Android IPC mechanisms allow you to verify the identity of the application connecting to your IPC and set security policy for each IPC mechanism.



Android IPC机制允许你为每一个IPC机制验证连接到你的IPC和设置安全策略的应用的身份。

Many of the security elements are shared across IPC mechanisms.

Broadcast Receivers, Activities, and Services are all declared in the application manifest.

If your IPC mechanism is not intended for use by other applications, set the android:exported to false.

This is useful for applications that consist of multiple processes within the same UID, or if you decide late in development that you do not actually want to expose functionality as IPC but you don’t want to rewrite the code.


Broadcast Receiver, Activitie,和Service都在应用的manifest中声明。



If your IPC is intended to be accessible to other applications, you can apply a security policy by using the Permission tag.

If IPC is between applications built by the same developer, it is preferable to use signature level permissions.

Signature permissions do not require user confirmation, so they provide a better user experience and more controlled access to the IPC mechanism.




One area that can introduce confusion is the use of intent filters.

Note that Intent filters should not be considered a security feature -- components can be invoked directly and may not have data that would conform to the intent filter.

You should perform input validation within your intent receiver to confirm that it is properly formatted for the invoked receiver, service, or activity.


注意,Intent过滤器应该不被认为是一个安全功能 -- 组件可以直接的被执行并且也许没有符合intent过滤器的数据


Using intents


Intents are the preferred mechanism for asynchronous IPC in Android.

Depending on your application requirements, you might use sendBroadcast(), sendOrderedBroadcast(), or direct an intent to a specific application component.


根据你应用的需求,你也许使用sendBroadcast(), sendOrderedBroadcast()或者直接的intent来指定一个应用组件。

Note that ordered broadcasts can be “consumed” by a recipient, so they may not be delivered to all applications.

If you are sending an Intent where delivery to a specific receiver is required, the intent must be delivered directly to the receiver.



Senders of an intent can verify that the recipient has a permission specifying a non-Null Permission upon sending.

Only applications with that Permission will receive the intent.

If data within a broadcast intent may be sensitive, you should consider applying a permission to make sure that malicious applications cannot register to receive those messages without appropriate permissions.

In those circumstances, you may also consider invoking the receiver directly, rather than raising a broadcast.

intent的发送者能在发送的时候验证接受者是否有一个许可指定了一个non-Null Permission。




Using binder and AIDL interfaces


Binders are the preferred mechanism for RPC-style IPC in Android.

They provide a well-defined interface that enables mutual authentication of the endpoints, if required.

在Android中,Binders是RPC-style IPC的首选机制。


We strongly encourage designing interfaces in a manner that does not require interface specific permission checks.

Binders are not declared within the application manifest, and therefore you cannot apply declarative permissions directly to a Binder.

Binders generally inherit permissions declared in the application manifest for the Service or Activity within which they are implemented.

If you are creating an interface that requires authentication and/or access controls on a specific binder interface, those controls must be explicitly added as code in the interface.





If providing an interface that does require access controls, use checkCallingPermission() to verify whether the caller of the Binder has a required permission.

This is especially important before accessing a Service on behalf of the caller, as the identify of your application is passed to other interfaces.

If invoking an interface provided by a Service, the bindService() invocation may fail if you do not have permission to access the given Service.

If calling an interface provided locally by your own application, it may be useful to use the clearCallingIdentity() to satisfy internal security checks.





Using broadcast receivers

使用broadcast receivers

Broadcast receivers are used to handle asynchronous requests initiated via an intent.

Broadcast receivers是用来处理通过intent发起的异步请求

By default, receivers are exported and can be invoked by any other application.

If your BroadcastReceivers is intended for use by other applications, you may want to apply security permissions to receivers using the <receiver> element within the application manifest.

This will prevent applications without appropriate permissions from sending an intent to the BroadcastReceivers.




Using Services


Services are often used to supply functionality for other applications to use.

Each service class must have a corresponding declaration in its package's AndroidManifest.xml.



By default, Services are exported and can be invoked by any other application.

Services can be protected using the android:permission attribute within the manifest’s <service> tag.

By doing so, other applications will need to declare a corresponding <uses-permission> element in their own manifest to be able to start, stop, or bind to the service.




A Service can protect individual IPC calls into it with permissions, by calling checkCallingPermission() before executing the implementation of that call.

We generally recommend using the declarative permissions in the manifest, since those are less prone to oversight.



Using Activities


Activities are most often used for providing the core user-facing functionality of an application.

By default, Activities are exported and invokable by other applications only if they have an intent filter or binder declared.

In general, we recommend that you specifically declare a Receiver or Service to handle IPC, since this modular approach reduces the risk of exposing functionality that is not intended for use by other applications.




If you do expose an Activity for purposes of IPC, the android:permission attribute in the <activity> declaration in the application manifest can be used to restrict access to only those applications which have the stated permissions.


Using Permissions


Requesting Permissions


We recommend minimizing the number of permissions requested by an application.

Not having access to sensitive permissions reduces the risk of inadvertently misusing those permissions, can improve user adoption, and makes applications less attractive targets for attackers.



If it is possible to design your application in a way that does not require a permission, that is preferable.

For example, rather than requesting access to device information to create an identifier, create a GUID for your application. (This specific example is also discussed in Handling User Data)

Or, rather than using external storage, store data in your application directory.


例如:与其请求访问设备信息来建立一个标识,不如建立一个GUID(这个例子也在Handling User Data中有讨论)

If a permission is not required, do not request it.

This sounds simple, but there has been quite a bit of research into the frequency of over-requesting permissions.

If you’re interested in the subject you might start with this research paper published by U.C. Berkeley: http://www.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-48.pdf



如果你对此感兴趣,你也许可以从由U.C. Berkeley发布的研究论文http://www.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-48.pdf开始

In addition to requesting permissions, your application can use permissions to protect IPC that is security sensitive and will be exposed to other applications -- such as a ContentProvider.

In general, we recommend using access controls other than user confirmed permissions where possible since permissions can be confusing for users.

For example, consider using the signature protection level on permissions for IPC communication between applications provided by a single developer.

除了请求许可之外,你的应用可以使用许可来保护安全敏感的IPC并且会暴露给其他应用 -- 比如ContentProvider



Do not cause permission re-delegation.

This occurs when an app exposes data over IPC that is only available because it has a specific permission, but does not require that permission of any clients of it’s IPC interface.

More details on the potential impacts, and frequency of this type of problem is provided in this research paper published at USENIX: http://www.cs.be rkeley.edu/~afelt/felt_usenixsec2011.pdf



潜在影响的更多细节,和这种问题发生的频率在USENIX:http://www.cs.be rkeley.edu/~afelt/felt_usenixsec2011.pdf研究论文中都有提供。

Creating Permissions


Generally, you should strive to create as few permissions as possible while satisfying your security requirements.

Creating a new permission is relatively uncommon for most applications, since system-defined permissions cover many situations.

Where appropriate, perform access checks using existing permissions.




If you must create a new permission, consider whether you can accomplish your task with a Signature permission.

Signature permissions are transparent to the user and only allow access by applications signed by the same developer as application performing the permission check.

If you create a Dangerous permission, then the user needs to decide whether to install the application.

This can be confusing for other developers, as well as for users.





If you create a Dangerous permission, there are a number of complexities that you need to consider.


The permission must have a string that concisely expresses to a user the security decision they will be required to make.

The permission string must be localized to many different languages.

Uses may choose not to install an application because a permission is confusing or perceived as risky.

Applications may request the permission when the creator of the permission has not been installed.

Each of these poses a significant non-technical challenge for an application developer, which is why we discourage the use of Dangerous permission.












  1. Android(安卓)SQLite使用方法
  2. 用PHP编写Android应用程序
  3. 用VS2010开发Android应用的配置方法
  4. android下socket的ip配置
  5. Android(安卓)UI开发第二十八篇——Fragment中使用左右滑动菜单
  6. android - 为安全而设计 - 2 - 开发文档翻译
  7. 应用兼容性Android(安卓)Studio IDEA:基于IDEA的安卓开发环境
  8. Android(安卓)监控程序安装和删除的实现
  9. Android热点回顾第一期


  1. 2021.1.23
  2. PXE 批量自动装win10系统(winserver2016+A
  3. 程序员是如何淡定的渡过七夕的?
  4. 被裁老程序员再就业计划之我可以用Dijkst
  5. Java8中使用lambda不为null时才过滤值
  6. 疫情下的一些感触
  7. 程序员如何多赚钱?
  8. Android(安卓)短信列表的时间显示
  9. Spring Boot使用MongoDB
  10. JumpServer部署使用