Login/Register
Is there a way to keep meta-data in the Android manifest private to the package?
Asked Answered
Solved androidservicemetadataandroid-manifestandroid-package-managers
B

2

6

I want to use meta-data in the Android manifest to customize the behavior of a service. 

<service
    android:name=".SampleService"
    android:exported="false">
    <meta-data
        android:name="sampleName"
        android:resource="@string/sampleValue" />
</service>

My service is part of a library, and it is possible some may put sensitive data into these attributes when they use my service. Are these meta-data attributes visible to other installed packages on the phone via the PackageManager even if the service is not exported?

Bloomery answered 27/4, 2012 at 14:34 Comment(0)
P
9

Are these meta-data attributes visible to other installed packages on the phone via the PackageManager even if the service is not exported?

Yes. Everything in the manifest, and everything in your resources and assets, is accessible to all applications on the device.

Patristic answered 27/4, 2012 at 14:40 Comment(0)
B
1

After doing some tests I confirmed that all meta-data fields are visible to all packages, as CommonsWare said. However, I also discovered that you can keep the content of the value private, by using android:resource instead of android:value. When you use android:resource only the integer id of the resource is returned from the PackageManager, and therefore only your package will have access to the actual resource value.

Update: It turns out that CommonsWare was right again. After investigating further, all resources and assets are publicly visible to ALL packages installed on the device. No permissions are required.

PackageManager pm = getPackageManager();
PackageInfo info = pm.getPackageInfo("test.package", PackageManager.GET_META_DATA|PackageManager.GET_SERVICES);
int resourceId = info.services[0].metaData.getInt("sampleName");
String resourceValue = pm.getResourcesForApplication("test.package").getString(resourceId);
Bloomery answered 27/4, 2012 at 15:25 Comment(6)
Doing so may exclude the information from the package manager's public offerings to other apps, but it is fairly simple to locate and open the apk, extract the binary manifest, and demangle it back to plain text - the situation with resources should be similar. One should perhaps not rely on always being able to do that going forward, but one must definitely not rely on someone else not being able to do so.Celestecelestia
Isn't that true for all dex files, assets, and resources?Bloomery
Yes, but values which are assembled in code would require a bit more specific effort than values which are stored in a standard way.Celestecelestia
I see what you are saying. In my case I don't think the metadata would be sensitive enough to warrant that sort of obfuscation (no passwords, keys, etc.). Thanks for the advice though.Bloomery
Can someone explain to me why Android made the choice to make all resources and assets visible to all other packages? Is there any good place that is private to put resources? Or do you just have to download them at runtime and put it in a private directory?Bloomery
Originally they didn't as part of a long deprecated copy protection mechanism, but the existence of rooted devices was inevitable, and made it trivial to overcome. Perhaps they currently choose to leave it world readable as a reminder that userid level privacy should not be relied on in any case where compromising it on one device would have implications on another. Ie, data belonging to the enduser might be somewhat private, but packaged data common to all installations of a given build of the app must be assumed compromised, since it takes but a single compromised device to leak it.Celestecelestia

© 2022 - 2024 — McMap. All rights reserved.