3

Passing values through static variables is focused from other technical perspective here, however I want to know if using static variables as global variables across all application scope, lead to security issues or information leakage since android apps are running inside standalone sandboxes?

VSB
  • 9,825
  • 16
  • 72
  • 145
  • 1
    `static` variables are still inside your process. If anything, they are safer than `Intent` extras, as most uses of an `Intent` cause it to be transferred to another process. If by "all application scope" you mean "the entire device", that is incorrect. – CommonsWare Mar 03 '18 at 12:55
  • @CommonsWare 1) I did not get the point correctly. You mean `Intent` can be said less secure than `static variables`? 2) from `all application scope` I meant static variables are shared and everybody inside application can see it. 3)By the way, if an application have several process, static variables are shared among them or each process hold different instances of static variable? – VSB Mar 03 '18 at 13:11

1 Answers1

4

You mean Intent can be said less secure than static variables?

Whenever you call startActivity(), startService(), bindService(), or sendBroadcast() on a Context, the Intent leaves your process, goes to a core OS process, and then goes to whatever process contains the component you are trying to work with. That includes cases where the component calling the method is in the same process as the component it is trying to work with. All else being equal, a static variable is more secure, in that it does not leave the process (unless you do that yourself).

As far as we know, Intent objects are secure against spies. However, there have been bugs in this area in the past, and I cannot rule out the possibility of bugs in the future.

from all application scope I meant static variables are shared and everybody inside application can see it

You are responsible for all of the code in your application, except for the framework implementation.

if an application have several process, static variables are shared among them

No.

or each process hold different instances of static variable?

Yes.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
  • I do not see why I should pass data between intents rather than using static variables.. any thoughts? – ruben Mar 09 '18 at 14:03
  • 3
    @ruben: Static variables get lost when your process goes away. Your process can go away even once your UI moves to the background, even if the user quickly returns to your app. In this scenario, `Intent` data, like the saved instance state `Bundle`, provide your app with data that you can use to rebuild your UI, so the user does not notice any problems caused by your process being terminated. – CommonsWare Mar 09 '18 at 14:09
  • Ok makes sense. Thanks – ruben Mar 09 '18 at 14:28