9

When you import third party APIs (packet dependency injection, generated libraries, source code, etc) in your Android project, you assume they will behave as advertised. Most of the times code is not open source, it is obfuscated or just compiled.

Is there a way to control the access of this APIs to important system resources such as network, contacts, video and audio, location?

The best approach would be to provide a proxy to them for the system resources. This would have the following benefits:

  • Tests could be performed by providing mock data in the proxies
  • Your application would not have to provide all the permissions the API require if they are not necessary and the proxy would allow the API to not break because of permission by emulating permission granted
  • Filter possible data collected locally about user and sent to an API home repo, used for advertising or malicious intent

I have failed to find how one such solution can be implemented since the user's defined activities and services can not control the services of the third party APIs or even prevent them for making direct calls to any Android public interface.

The solution should not require root access, since you do not want to have this control outside the boundaries of your own app.

The content of this question is linked to several questions which address particularities of this broad question (log data of content providers, network requests - that got me to think of this problem while researching an answer for it)

Note: The short answer is no, but one can be creative enough (maybe going for native level hacks may resolve this issue - idk)

Community
  • 1
  • 1
Radu Ionescu
  • 3,462
  • 5
  • 24
  • 43
  • 1
    You can run that code in a separate sandboxed process, one that has no permissions. However, since typically that code will be expecting to have certain permissions, that code probably will crash. If the library supports dependency injection, perhaps with an eye towards mocks for testing, you might be able to rig up a means to inject a "mock" that uses IPC from the sandbox process back to your own, for managed access to protected APIs. However, few libraries will support that. – CommonsWare Feb 17 '16 at 13:51
  • @CommonsWare that is a good way to test for this, although some malwares can detect when they are under test if malicious intent is al you are after. However, if you do not plan to build a new framework and still use the API, the question still stands – Radu Ionescu Feb 17 '16 at 13:57

1 Answers1

2

Build proxy class for your desired android resource you want to protect in a package named com.myproxies (e.g. MediaRecorder, SensorManager, Camera, java.net.HTTPURLConnection).In the proxy you need to implement all of the public methods of the class you are mocking and you need to implemented logic to allow for access (forward to appropriate method) or deny. One helpful step would be to check the caller of the method.

  • If you plan to import source code, refactor code to change package to your proxy (proguard can help with this).

  • If you are using a library, get Jar Jar Links,a utility that makes it easy to repackage Java libraries and embed them into your own distribution, and change the package names internally to that of a class in your package that will serve as a proxy.

  • If you are using Maven or Gradle package dependency injection, you can also try to import Jar Jar Links and perform the package refactoring at compile time (not very sure it can be done)

Unfortunately it is very easy to break the API, as I experienced myself, and there is a lot of manual labour involved.

Community
  • 1
  • 1
Radu Ionescu
  • 3,462
  • 5
  • 24
  • 43