附錄二外文文獻(xiàn)（原文）ThebasicofdescriptionofandroidsystemThemainstreamofthenextgenerationofopenoperatingsystemswillnotbeonthedesktop,butwillappearinthephonethatwecarryeveryday.Openenvironmentwillleadthesenewapplicationsmaybeintegratedintotheseonlineservicesthatalreadyexist,ofcourse,aswithgrowingdataservicesonmobilephonessupportthesecurityflawsonthephoneisalsobecomingincreasinglyclear.Thenatureofthenext-generationoperatingsystem,whethertoprovideacompleteintegratedsecurityplatform.

BytheOpenMobileAlliance(openHandsetAllianceledbyGoogle)developedtheandroidsystemisawidelyoptimisticaboutanopensourcephonesystem,thesystemprovidesabasicoperatingsystem,amiddlewareapplicationlayer,ajavadevelopmenttoolsandasystemApplicationcollector(collectionofsystemapplications).TheandroidtheSDKsince2023onthereleaseofthefirstandroidphoneinOctober2023beforethebirth.Googleopenedsincethenonhisowntime,Taiwan'sHTC,themanufactureroftheT-MobileG1estimateG1shipmentshavemorethanonemillionattheendof2023.AccordingtoindustryinsidersexpecttheG1mobilephonesalesin2023continue.Manyothermobilephonesuppliersinthenearfutureplanstosupportthissystem.

Aroundanandroidandahugedevelopercommunityhasbeenestablished,whilealotofnewproductsandapplicationsontheandroid.Android'smainsellingpointisthatitenablesdeveloperstoseamlesslyexpandonlineservicestomobilephones.ThisisthemostobviousexampleisGoogle'stightlyintegratedwithGmail,CalendarandContactsWebapplicationsthroughthesystem.Usersonlyneedtoprovideanandroidusernameandpassword,thephoneautomaticallysyncwithGoogleservices.Theothervendorsarequicklyadapttheirexistinginstantmessaging,socialnetworkingandgamingservices.Androidandmanycompaniesfindnewwaystointegratetheirexistingbusinesstotheandroid.

Traditionaldesktopandserveroperatingsystemhasbeenworkingfortheintegrationofsecurityfeatures.Theseindividualsandbusinessapplicationsonasingleplatformisverygood,howeverabusinessphoneplatformlikeandroidisnotveryuseful.Itgivesthehopeofmanyresearchers.Androidisnotparkedinthebodyforotherplatformapplicationsupport:theimplementationoftheapplicationdependsonatop-levelJAVAmiddleware,themiddlewarerunningontheembeddedLinuxkernel.Therefore,developersshoulddeploytheirapplicationstotheAndroidmustuseacustomuserinterfaceenvironment.

Inaddition,theandroidsystemapplicationslimittheapplicationtocalleachotherAPIcollaboration,andtheothertoauthenticatetheuserapplication.Althoughtheseapplicationshavecertainsafetyfeatures,someofourexperienceddeveloperstocreateAndroidapplicationswhorevealedthatthedesignofsecurityapplicationsisnotalwaysstraightforward.Androidusesasimplepermissionlabeldistributionmodetorestrictaccesstoresources,butthereasonsforthenecessityandconvenienceofotherapplications,thedesignershaveincreasedtheconfusiononthissystem.ThispaperattemptstoexplainthecomplexityoftheAndroidsecurity,andpayattentiontosomeofthepossibledevelopmentdefectsandapplicationsecurity.Wetrytodrawsomelessonslearned,andhopethatthesafetyofthefuture.

Androidapplicationframeworkfordevelopersisamandatoryframework.Itdoesnothaveamain()functionfunctionorasingleentrypointfortheimplementationofthecontrary,thedevelopermustinthedesignofapplicationcomponents.WedevelopedapplicationstohelptheAPIoftheandroidsdk

TheAndroidsystemdefinesfourkindsofcomponenttype.

Activitycomponentthatdefinestheapplicationuserinterface.Usually,theapplicationdeveloperdefineseachactivityscreen.Activitycanstart,itmaypassandreturnvalues.CanbehandledatatimeonlyakeyboardsystemActivity,allotherActivitywillbesuspendedatthistime.

Servicecomponentsperformbackgroundprocessing.Theneedforsomeoperationswhenanactivity,afterthedisappearanceoftheuserinterface(suchasdownloadingafileorplayingmusic),itusuallytakesuchactionspeciallydesignedservices.Developerscanalsouseaspecialdaemonatsystemstartup,theserviceisusuallydefinedaremoteprocedurecall(RPC),andothersystemcomponentscanbeusedtosendtheinterfacecommandandretrievedata,aswellastoregisteracallbackfunction.

ContentProvidercomponentstorageandsharedatawithrelationaldatabaseinterfaces.EachContentsupplierhasanassociated"rights"todescribeitscontentscontains.OthercomponentswhenusedasahandletoexecuteSQLqueries(egSELECT,INSERT,orDELETEcontent.Contentsuppliersaretypicallystoredthevalues??onthedatabaserecords,dataretrievalisaspecialcase,thefileisalsosharedbythecontentproviderinterface.

Thecomponentsofthebroadcastreceiverastosendamessagefromthemailboxtotheapplication.Typically,thebroadcastmessage,theapplicationcodeimplicitdestination.Therefore,theradioreceiversubscribetothesedestinationsreceivemessagessenttoit.Theapplicationcodecanalsobesolvedexplicitlybroadcastreceivers,includingthenamespaceallocation.

ThemainmechanismoftheinteractionofthecomponentsoftheComponentInteraction,isanintent,whichisasimplemessageobject,whichcontainsadestinationaddressanddatacomponents.TheAndroidAPIdefineshisapproachintointent,andusethatinformationtoinitiateanactivitysuchasstartanactivity(startActivity(Anintent))startservices(thestartService(Anintent))andradio(sendBroadcast(Anintent)).Androidframeworktoinformthecallstothesemethodsbegantoperforminthetargetapplicationcode.Thisprocess,theinternalcomponentsofcommunicationiscalledanaction.Simplyput,theIntentobjectdefinedinthe"Intenttoimplementthe"action".OneofthemostpowerfulfeaturesoftheAndroidisallowedavarietyofintentaddressingmechanism.Thedevelopercansolvethespaceofatargetcomponentusingitsapplications,theycanalsospecifyanimplicitname.Inthelattercase,thesystemdeterminesthebestcomponentsofanactionbyconsideringtheinstalledapplicationsanduserchoice.

Implicitnameiscalledtheactionstringbecauseofhisspecialtypeoftherequestedaction.Suchasaviewactionstring,inanintentdatafieldpointstoanimagefile,thesystemwilldirectlyreferringtothepreferredimageviewer.

Developerscanalsousetheactionstringalargenumberofradiotosendandreceive.Receiveratthereceivingend,thedevelopersuseanintentfiltertocustomizethespecialactionstring.AndroidDepartment,includingtheadditionalgoaloftheresolutionrules,butanoptionalstringtypeofdatamanipulationisthemostcommon.AndroidapplicationsarewrittenintheJavaprogramminglanguage.ThecompiledJavacode—alongwithanydataandresourcefilesrequiredbytheapplication—isbundledbytheapttoolintoanAndroidpackage,anarchivefilemarkedbyan.apksuffix.Thisfileisthevehiclefordistributingtheapplicationandinstallingitonmobiledevices;it'sthefileusersdownloadtotheirdevices.Allthecodeinasingle.apkfileisconsideredtobeoneapplication.Inmanyways,eachAndroidapplicationlivesinitsownworld:Bydefault,everyapplicationrunsinitsownLinuxprocess.Androidstartstheprocesswhenanyoftheapplication'scodeneedstobeexecuted,andshutsdowntheprocesswhenit'snolongerneededandsystemresourcesarerequiredbyotherapplications.Eachprocesshasitsownvirtualmachine(VM),soapplicationcoderunsinisolationfromthecodeofallotherapplications.Bydefault,eachapplicationisassignedauniqueLinuxuserID.Permissionsaresetsothattheapplication'sfilesarevisibleonlytothatuserandonlytotheapplicationitself—altoughtherearewaystoexportthemtootherapplicationsaswell. It'spossibletoarrangefortwoapplicationstosharethesameuserID,inwhilecasetheywillbeabletoseeeachother'sfiles.Toconservesystemresources,applicationswiththesameIDcanalsoarrangetoruninthesameLinuxprocess,sharingthesameVM.ApplicationComponents AcentralfeatureofAndroidisthatoneapplicationcanmakeuseofelementsofotherapplication(providedthoseapplicationpermitit).Forexample,ifyourapplicationneedstodisplayascrollinglistofimagesandanotherapplicationhasdevelopedasuitablescrollerandmadeitavailabletoothers,youcancalluponthatscrollertodothework,ratherthandevelopyourown.Yourapplicationdoesn'tincorporatethecodeoftheotherapplicationorlinktoit.Rather,itsimplystartsupthatpieceoftheotherapplicationwhentheneedarises. Forthistowork,thesystemmustbeabletostartanapplicationprocesswhenanypartofitisneeded,andinstantiatetheJavaobjectsforthatpart.Therefore,unlikeapplicationsonmostothersystems,Androidapplicationsdon'thaveasingleentrypointforeverythingintheapplication(nomain()function,forexample).Rather,theyhaveessentialcomponentsthatthesystemcaninstantiateandrunasneeded.Therearefourtypesofcomponents:Activities Anactivitypresentsavisualuserinterfaceforonefocusedendeavortheusercanundertake.Forexample,anactivitymightpresentalistofmenuitemsuserscanchoosefromoritmightdisplayphotographsalongwiththeircaptions.Atextmessagingapplicationmighthaveoneactivitythatshowsalistofcontactstosendmessagesto,asecondactivitytowritethemessagetothechosencontact,andotheractivitiestoreviewoldmessagesorchangeorchangesettings.Toughtheyworktogethertoformacohesiveuserinterface,eachactivityisindependentoftheothers.EachoneisimplementedasasubclassoftheActivitybaseclass. Anapplicationmightconsistofjustoneactivityor,likethetextmessagingapplicationjustmentioned,itmaycontainseveral.Whattheactivitiesare,andhowmanytherearedepends,ofcourse,ontheapplicationanditsdesign.Typically,oneoftheactivitiesismarkedasthefirstonethatshouldbepresentedtotheuserwhentheapplicationislaunched.Movingfromoneactivitytoanotherisaccomplishedbyhavingthecurrentactivitystartthenextone. Eachactivityisgivenadefaultwindowtodrawin.Typically,thewindowfillsthescreen,butitmightbesmallerthanthescreenandfloatontopofotherwindows.Anactivitycanalsomakeuseofadditionalwindows—forexample,apop-updialogthatcallsforauserresponseinthemidstoftheactivity,orawindowthatpresentsuserswithvitalinformationwhentheyselectaparticularitemon-screen. Thevisualcontentofthewindowisprovidedbyahierarchyofviews—objectsderivedfromthebaseViewclass.Eachviewcontrolsaparticularrectangularspacewithinthewindow.Parentviewscontainandorganizethelayoutoftheirchildren.Leafviews(thoseatthebottomofthehierarchy)drawintherectanglestheycontrolandrespondtouseractionsdirectedatthatspace.Thus,viewsarewheretheactivity'sinteractionwiththeusertakesplace. Forexample,aviewmightdisplayasmallimageandinitiateanactionwhentheusertapsthatimage.Androidhasanumberofready-madeviewsthatyoucanuse—includingbuttons,textfields,scrollbars,menuitems,checkboxes,andmore. Aviewhierarchyisplacedwithinanactivity'swindowbytheActivity.setContentView()method.ThecontentviewistheViewobjectattherootofthehierarchy.(SeetheseparateUserInterfaceumentformoreinformationonviewsandthehierarchy.)Services Aservicedoesn'thaveavisualuserinterface,butratherrunsinthebackgroundforanindefiniteperiodoftime.Forexample,aservicemightplaybackgroundmusicastheuserattendstoothermatters,oritmightfetchdataoverthenetworkorcalculatesomethingandprovidetheresulttoactivitiesthatneedit.EachserviceextendstheServicebaseclass. Aprimeexampleisamediaplayersongsfromaplaylist.Theplayerapplicationwouldprobablyhaveoneormoreactivitiesthatallowtheusertochoosesongsandstartplayingthem.However,themusicplaybackitselfwouldbotbehandledbyanactivitybecauseuserswillexpectthemusictokeepthemusicgoing,themediaplayeractivitycouldstartaservicetoruninthebackground.Thesystemwouldthenkeepthemusicplaybackservicerunningevenaftertheactivitythatstarteditleavesthescreen. It'spossibletoconnectto(bindto)anongoingservice(andstarttheserviceifit'snotalreadyrunning).Whileconnected,youcancommunicatewiththeservicethroughaninterfacethattheserviceexposes.Forthemusicservice,thisinterfacemightallowuserstopause,rewind,stop,andrestarttheplayback. Likeactivitiesandtheothercomponents,servicesruninthemainthreadoftheapplicationprocess.Sothattheywon'tblockothercomponentsortheuserinterface,theyoftenspawnanotherthreadfortime-consumingtasks(likemusicplayback).SeeProcessesandThread,later.Broadcastreceivers Abroadcastreceiverisacomponentthatdoesnothingbutreceiveandreacttobroadcastannouncements.Manybroadcastsoriginateinsystemcode—forexample,announcementsthatthetimezonehaschanged,thatthebatteryislow,thatapicturehasbeentaken,orthattheuserchangedalanguagepreference.Applicationscanalsoinitiatebroadcasts—forexample,toletotherapplicationsknowthatsomedatahasbeendownloadedtothedeviceandisavailableforthemtouse. Anapplicationcanhaveanynumberofbroadcastreceiverstorespondtorespondtorespondtoanyannouncementsitconsidersimportant.AllreceiversextendtheBroadcastReceiverbaseclass. Broadcastreceiversdonotdisplayauserinterface.However,theymaystartanactivityinresponsetotheinformationtheyreceive,ortheymayusetheNotificationManagertoalerttheuser.Notificationscangettheuser'sattentioninvariousways—flashingthebacklight,vibratingthedevice,playingasound,andsoon,Theytypicallyplaceapersistenticoninthestatusbar,whichuserscanopentogetthemessage.Contentproviders Acontentprovidermakesaspecificsetoftheapplication'sdataavailabletootherapplications.Thedatacanbestoredinthefilesystem,inanSQLitedatabase,orinanyothermannerthatmakessense.ThecontentproviderextendstheContentProviderbaseclasstoimplementastandardsetofmethodsthatenableotherapplicationstoretrieveandstoredataofthetypeitcontrols.However,applicationsdonotcallthesemethodsdirectly.RathertheyuseaContentResolverobjectandcallitsmethodsinstead.AContentResolvercantalktoanycontentprovider;itcooperateswiththeprovidertomanageanyinterprocesscommunicationthat'sinvolved. SeetheseparateContentProvidersumentformoreinformationonusingcontentproviders. Wheneverthere'sarequestthatshouldbehandledbyaparticularcomponent,Androidmakessurethattheapplicationprocessofthecomponentisrunning,startingitifnecessary,andthatanappropriateinstanceofthecomponentisavailable,creatingtheinstanceifnecessary.Activatingcomponents:intents Contentprovidersareactivatedwhenthey'retargetedbyarequestfromaContentResolver.Theotherthreecomponents—activities,services,andbroadcastreceivers—areactivatedbyasynchronousmessagescalledintents.AnintentisanIntentobjectthatholdsthecontentofthemessage.Foractivitiesandservices,itnamestheactionbeingrequestedandspecifiestheURIofthedatatoacton,amongotherthings.Forexample,itmightconveyarequestforanactivitytopresentanimagettheuserorlettheusereditsometext.Forbroadcastreceivers,theIntentobjectnamestheactionbeingannounced.Forexample,itmightannouncetointerestedpartiesthatthecamerabuttonhasbeenpressed. Thereareseparatemethodsforactivatingeachtypeofcomponent: 1.Anactivityislaunched(orgivensomethingnewtodo)bypassinganIntentobjecttoContext.startActivity()orActivity.startActivityForResult().TherespondingactivitycanlookattheinitialintentthatcausedittobelaunchedbycallingitsgetIntent()method.Androidcallstheactivity'sonNewIntent()methodtopassitanysubsequentintents.Oneactivityoftenstartsthenextone.Ifitexpectsaresultbackfromtheactivityit'sstarting,itcallsstartActivityForResult()insteadofstartActivity().Forexample,ifitstartsanactivitythatletstheuserpickaphoto,itmightexpecttobereturnedthechosenphoto.TheresultisreturnedinanIntentobjectthat'spassedtothecallingactivity'sonActivityResult()method. 2.Aserviceisstarted(ornewinstructionsaregiventoanongoingservice)bypassinganIntentobjecttoContext.startService().Androidcallstheservice'sonStart()methodandpassesittheIntentobject.Similarly,anintentcanbepassedtoContext.bindService()toestablishanongoingconnectionbetweenthecallingcomponentandatargetservice.TheservicereceivestheIntentobjectinanonBind()call.(Iftheserviceisnotalreadyrunning,bindService()canoptionallystartit.)Forexample,anactivitymightestablishaconnectionwiththemusicplaybackservicementionedearliersothatitcanprovidetheuserwiththemeans(auserinterface)forcontrollingtheplayback.TheactivitywouldcallbindService()tosetupthatconnection,andthencallmethodsdefinedbytheservicetoaffecttheplayback. Alatersection,Remoteprocedurecalls,hasmoredetailsaboutbindingtoaservice. 3.AnapplicationcaninitiateabroadcastbypassinganIntentobjecttomethodslikeContext.sendStickyBroadcast()inanyoftheirvariations.AndroiddeliverstheintenttoallinterestedbroadcastreceiversbycallingtheironReceive()methods.Formoreonintentmessages,seetheseparatearticle,IntentsandIntentFilters.Shuttingdowncomponents Acontentproviderisactiveonlywhileit'srespondingtoarequestfromaContentResolver.Andabroadcastreceiverisactiveonlywhileit'srespondingtoabroadcastmessage.Sothere'snoneedtoexplicitlyshutdownthesecomponents.Activities,ontheotherhand,providetheuserinterface.They'reinalong-runningconversationwiththeuserandmayremainactive,evenwhenidle,aslongtime.SoAndroidhasmethodstoshutdownactivitiesandservicesinanorderlyway: 1.Anactivitycanbeshutdownbycallingitsfinish()method.Onteactivitycanshutdownanotheractivity(oneitstartedwithstartActivityForResult())bycallingfinishActivity(). 2.AservicecanbestoppedbycallingitsstopSelf()method,orbycallingContext.stopService(). ComponentsmightalsobeshutdownbythesystemwhentheyarenolongerbeingusedorwhenAndroidmustreclaimmemoryformoreactivecomponents.Alatersection,ComponentLifecycles,discussesthispossibilityanditsramificationsinmoredetail.Themanifestfile BeforeAndroidcanstartanapplicationcomponent,itmustlearnthatthecomponentexists.Therefore,applicationsdeclaretheircomponentsinamanifestfilethat'sbundledintotheAndroidpackage,the.apkfilethatalsoholdstheapplication'scode,files,andresources. ThemanifestisastructuredXMLfileandisalwaysnamedAndroidManifest.xmlforallapplications.Itdoesanumberofthingsinadditiontodeclaringtheapplication'scomponents,suchasnaminganylibrariestheapplicationneedstobelinkedagainst(besidesthedefaultAndroidlibrary)andidentifyinganypermissionstheapplicationexpectstobegranted. ButtheprincipaltaskofthemanifestistoinformAndroidabouttheapplication'scomponents.Forexample,anactivitymightbedeclaredasfollows: Thenameattributeofthe<activity>elementnamestheActivitysubclassthatimplementstheactivity.Theiconandlabelattributespointtoresourcefilescontaininganiconandlabelthatcanbedisplayedtouserstoresourcefilescontaininganiconandlabelthatcanbedisplayedtouserstorepresenttheactivity. Theothercomponentsaredeclaredinasimilarway—<service>elementsforservices,<receiver>elementsforbroadcastreceivers,and<provider>elementsforcontentproviders.Activities,services,andcontentprovidersthatarenotdeclaredinthemanifestarenotvisibletothesystemandareconsequentlyneverrun.However,broadcastreceiverscaneitherbedeclaredinthemanifest,ortheycanbecreateddynamicallyicode(asBroadcastReceiverobjects)andregisteredwiththesystembycallingContext.registerReceiber(). Formoreonhowtostructureamanifestfileforyourapplication,seeTheAndroidManifest.xmlFile.Intentfilters AnIntentobjectcanexplicitlynameatargetcomponent.Ifitdoes,Androidfindsthatcomponent(basedonthedeclarationsinthemanifestfile)andactivatesit.Butifatargetisnotexplicitlynamed,Androidmustlocatethebestcomponenttorespondtotheintent.ItdoessbycomparingtheIntentobjecttotheintentfiltersofpotentialtargets.Acomponent'sintentfiltersinformAndroidofthekindsofintentsthecomponentisabletohandle.Likeotheressentialinformationaboutthecomponent,they'redeclaredinthemanifest.Here'sanextensionofthepreviousexamplethataddstwointentfilterstotheactivity:Thefirstfilterintheexample—thecombinationoftheaction"ent.action.MAIN"andthecategory"ent.category.LAUNCHER"—isacommonone.Itmarkstheactivityasonethatshouldberepresentedintheapplicationlauncher,thescreenlistingapplicationsuserscanlaunchonthedevice.Inotherwords,theactivityistheentrypointfortheapplication,theinitialoneuserswouldseewhentheychoosetheapplicationinthelauncher. Thecomponentcanhaveanynumberofintentfilters,eachonedeclaringadifferentsetofcapabilities.Ifitdoesn'thaveanyfilters,itcanbeactivatedonlybyintentsthatexplicitlynamethecomponentasthetarget. Forabroadcastreceiverthat'screatedandregisteredincode,theintentfilterisinstantiateddirectlyasanIntentFilterobject.Allotherfiltersaresetupinthemanifest. Formoreonintentfilters,seeaseparateument,IntentsandIntentFilters.附錄三外文文獻(xiàn)（譯文）安卓系統(tǒng)的基本描述下一代開放操作系統(tǒng)的主流將不會(huì)在桌面上，但是將會(huì)出現(xiàn)在我們每天攜帶的上。這些開放性的環(huán)境將會(huì)帶領(lǐng)這些新的應(yīng)用可能集成這些已經(jīng)存在的在線服務(wù)，當(dāng)然隨著日以具增的數(shù)據(jù)與服務(wù)在上的支持，上的安全缺陷也越發(fā)明顯。下一代操作系統(tǒng)本質(zhì)在于是否提供一個(gè)完整綜合的安全平臺(tái)。由開放聯(lián)盟（openHandsetAlliance谷歌領(lǐng)導(dǎo)）所開發(fā)的android系統(tǒng)是一個(gè)被廣泛看好的一個(gè)開源系統(tǒng)，該系統(tǒng)提供一個(gè)基本的操作系統(tǒng)，一個(gè)中間件應(yīng)用層，一個(gè)java開發(fā)工具和一個(gè)系統(tǒng)應(yīng)用收集器（collectionofsystemapplications）。盡管androidSDK自2023年就發(fā)布了，但是第一部android卻在2023年10月才誕生。自從這時(shí)起谷歌開起了自己的時(shí)代，T-Mobile的G1的制造商臺(tái)灣HTC估算G1的發(fā)貨量在2023年底已經(jīng)超過(guò)100萬(wàn)部。據(jù)業(yè)內(nèi)人士預(yù)期該G1的銷量將會(huì)在2023年繼續(xù)保持。不久的將來(lái)其他許多供應(yīng)商要計(jì)劃支持這個(gè)系統(tǒng)。一個(gè)圍繞android龐大的開發(fā)者社區(qū)已經(jīng)建立，同時(shí)很多新的產(chǎn)品和應(yīng)用已經(jīng)可以在android上使用。一個(gè)Android的主要賣點(diǎn)是它使開發(fā)人員無(wú)縫把在線服務(wù)擴(kuò)展到。這方面最明顯的例子是谷歌的緊密集成Gmail，日歷和聯(lián)系人Web應(yīng)用程序通過(guò)該系統(tǒng)。用戶只需提供一個(gè)android用戶名和密碼，其自動(dòng)同步與谷歌的服務(wù)。其他廠商正在迅速適應(yīng)自己的現(xiàn)有的即時(shí)通訊，社交網(wǎng)絡(luò)和游戲服務(wù)。Android和許多企業(yè)尋找新途徑來(lái)整合他們的自己已有的業(yè)務(wù)到android上。傳統(tǒng)的臺(tái)式機(jī)和服務(wù)器的操作系統(tǒng)一直在努力進(jìn)行安全功能的集成。這些個(gè)人和商業(yè)應(yīng)用在單一平臺(tái)的很出色，然而這一塊業(yè)務(wù)一個(gè)平臺(tái)上像android上不是很有用。它給了許多研究人員希望。Android沒(méi)有停在為其他平臺(tái)體用應(yīng)用支持：應(yīng)用的執(zhí)行依賴于頂層JAVA中間件，這個(gè)中間件運(yùn)行在嵌入式Linux內(nèi)核之上。所以開發(fā)人員要把他們的應(yīng)用部署到Android必須使用其自定義的用戶界面環(huán)境。此外，android系統(tǒng)應(yīng)用限制各應(yīng)用相互調(diào)用API協(xié)作，并且對(duì)方為自己的用戶應(yīng)用進(jìn)行身份驗(yàn)證。盡管這些應(yīng)用有一定的安全特性，我們一些有經(jīng)驗(yàn)的開發(fā)人員開發(fā)android應(yīng)用人士透露，設(shè)計(jì)安全應(yīng)用程序并不總是直線前進(jìn)的。Android使用一個(gè)簡(jiǎn)單的許可標(biāo)簽分配模式限制訪問(wèn)的資源，但其他應(yīng)用程序的原因必要性和便利，其設(shè)計(jì)師們?cè)黾恿死Щ髮?duì)這個(gè)系統(tǒng)。本文試圖對(duì)Android的安全的復(fù)雜性進(jìn)行講解，并注意一些可能的發(fā)展缺陷以及應(yīng)用程序的安全。我們通過(guò)嘗試得出一些經(jīng)驗(yàn)教訓(xùn)，希望對(duì)未來(lái)的安全有用。Android應(yīng)用程序框架對(duì)開發(fā)者來(lái)說(shuō)是一個(gè)強(qiáng)制架構(gòu)。它沒(méi)有一個(gè)main（）函數(shù)功能或單一入口點(diǎn)執(zhí)行，相反，開發(fā)人員必須在設(shè)計(jì)方面的應(yīng)用組件。我們開發(fā)的應(yīng)用對(duì)android的sdk的幫助的APIAndroid系統(tǒng)定義了4種組件類型。Activity組件定義應(yīng)用程序的用戶界面。通常，應(yīng)用程序開發(fā)者定義每一個(gè)活動(dòng)“畫面?！盇ctivity可以自己開始，也可能通過(guò)傳遞和返回值。在一時(shí)間只有一個(gè)鍵盤的系統(tǒng)Activity可以進(jìn)行處理，在這個(gè)時(shí)候所有其他的Activity都會(huì)被暫停。Service組件執(zhí)行后臺(tái)處理。當(dāng)一個(gè)活動(dòng)需要進(jìn)行一些操作，在用戶界面消失以后（如下載一個(gè)文件或播放音樂(lè)），它通常采取此種動(dòng)作特殊設(shè)計(jì)的服務(wù)。開發(fā)人員還可以在系統(tǒng)啟動(dòng)使用特殊的守護(hù)進(jìn)程，Service通常定義一個(gè)遠(yuǎn)程過(guò)程調(diào)用（RPC），其他系統(tǒng)組件可以用來(lái)傳送接口命令和檢索數(shù)據(jù)，以及注冊(cè)一個(gè)回調(diào)函數(shù)。ContentProvider組件存儲(chǔ)和共享數(shù)據(jù)用關(guān)系數(shù)據(jù)庫(kù)接口。每個(gè)Content供應(yīng)者都有一個(gè)關(guān)聯(lián)的“權(quán)限”來(lái)形容它的內(nèi)容包含。其他組件使用時(shí)作為一個(gè)handle執(zhí)行SQL查詢（如SELECT，INSERT或DELETE內(nèi)容。雖然Content供應(yīng)者通常存儲(chǔ)把數(shù)值放在數(shù)據(jù)庫(kù)記錄中，數(shù)據(jù)檢索是實(shí)現(xiàn)特殊的例子，文件也同時(shí)通過(guò)內(nèi)容提供商共享接口。Broadcastreceiver該組件作為為從郵件信箱發(fā)送信息給他應(yīng)用程序。通常，廣播消息的應(yīng)用程序代碼隱含的目的地。因此，廣播接收器訂閱這些目的地接收發(fā)送給它的消息。應(yīng)用程序代碼也可以解決明確廣播接收機(jī)包括命名空間分配。ComponentInteraction該組件交互的主要機(jī)制是一個(gè)intent，這是一個(gè)簡(jiǎn)單的消息對(duì)象，其中包含一個(gè)目的地組件的地址和數(shù)據(jù)。Android的API定義了他的方法中傳入intent，并使用該信息來(lái)啟動(dòng)一個(gè)activity例如開始一個(gè)activity(startActivity(intent))，啟動(dòng)服務(wù)（startService（intent））和廣播信息（sendBroadcast（intent））。Android框架來(lái)通知這些方法的調(diào)用開始執(zhí)行在目標(biāo)應(yīng)用程序代碼。這個(gè)過(guò)程中內(nèi)部組件通信稱為一個(gè)動(dòng)作。簡(jiǎn)單地說(shuō)，Intent對(duì)象定義的“Intent”以執(zhí)行“action”。Android的一個(gè)最強(qiáng)大的特點(diǎn)是允許的多種intent尋址機(jī)制。開發(fā)人員可以解決一個(gè)目標(biāo)組件使用其應(yīng)用的空間，他們也可以指定一個(gè)隱含的名稱。在后一種情況下，系統(tǒng)決定了一個(gè)action的最佳組件，通過(guò)考慮安裝的應(yīng)用程序和用戶的選擇。這個(gè)隱含的名字被稱為動(dòng)作字符串因?yàn)樗厥獾念愋偷恼?qǐng)求動(dòng)作。例如一個(gè)view動(dòng)作字符串，在一個(gè)intent中和數(shù)據(jù)域指向一個(gè)圖像文件，系統(tǒng)將會(huì)直接指首選圖像瀏覽器。開發(fā)者也能使用動(dòng)作字符串進(jìn)行大量廣播發(fā)送和接收。在接收端的接收者，開發(fā)者使用一intent過(guò)濾器來(lái)定制特殊的動(dòng)作字符串。Android系包括附加目標(biāo)的決議規(guī)則，但可選的數(shù)據(jù)操作字符串類型是最常見(jiàn)的。Android應(yīng)用程序使用Java編程語(yǔ)言開發(fā)。apt工具吧編譯后的Java代碼連同應(yīng)用程序所需的其他數(shù)據(jù)和資源文件一起打包到一個(gè)Android包文件中，這個(gè)文件使用.apk作為擴(kuò)展名。此文件是分發(fā)并安裝應(yīng)用程序到移動(dòng)設(shè)備的載體；是用戶下載到他們的設(shè)備的文件。單一.apk文件中的所有代碼被認(rèn)為是一個(gè)應(yīng)用程序。從多個(gè)角度來(lái)看，每個(gè)Android應(yīng)用程序都存在于它自己的世界之中：默認(rèn)情況下，每個(gè)應(yīng)用程序均運(yùn)行于它自己的Linux進(jìn)程中。當(dāng)應(yīng)用程序中的任何代碼需要被執(zhí)行時(shí)，Android啟動(dòng)此進(jìn)程，而當(dāng)不再需要此進(jìn)程并且其它應(yīng)用程序又請(qǐng)求系統(tǒng)資源時(shí)，則關(guān)閉這個(gè)進(jìn)程。每個(gè)進(jìn)程都有其獨(dú)有的虛擬機(jī)(VM)，所以應(yīng)用程序代碼與其它應(yīng)用程序代碼是隔離運(yùn)行的。默認(rèn)情況下，每個(gè)應(yīng)用程序均被賦予一個(gè)唯一的Linux用戶ID，并加以權(quán)限設(shè)置，使得應(yīng)用程序的文件僅對(duì)此用戶及此應(yīng)用程序可見(jiàn)—盡管也有其它的方法使得這些文件同樣能為其他應(yīng)用程序訪問(wèn)。應(yīng)用程序組件Android的一個(gè)核心特性就是一個(gè)應(yīng)用程序可以使用其它應(yīng)用程序的元素（如果那個(gè)應(yīng)用程序允許的話）。例如，如果你的應(yīng)用程序需要顯示一個(gè)圖片卷動(dòng)列表，而另一個(gè)應(yīng)用程序已經(jīng)開發(fā)了一個(gè)合用的而又允許別的應(yīng)用程序使用的話，你可以直接調(diào)用那個(gè)卷動(dòng)列表來(lái)完成工作，而不用自己再開發(fā)一個(gè)。你的應(yīng)用程序并沒(méi)有吸納或鏈接其它應(yīng)用程序的代碼。它只是在有需求的時(shí)候啟動(dòng)了其它應(yīng)用程序的那個(gè)功能部分。為達(dá)到這個(gè)目的，系統(tǒng)必須能夠在一個(gè)應(yīng)用程序的任何一部分被需要時(shí)啟動(dòng)一個(gè)此應(yīng)用程序的進(jìn)程，并將那個(gè)部分的Java對(duì)象實(shí)例化。因此，不像其它大多數(shù)系統(tǒng)上的應(yīng)用程序，Android應(yīng)用程序并沒(méi)有為應(yīng)用程序提供一個(gè)單獨(dú)的入口點(diǎn)（比如說(shuō)，沒(méi)有main()函數(shù)），而是為系統(tǒng)提供了可以實(shí)例化和運(yùn)行所需要的必備組件。一共四種組件類型：ActivityActivity是為用戶操作而展示的可視化用戶界面。例如，一個(gè)activity可以展示一個(gè)菜單項(xiàng)列表供用戶選擇，接著顯示一些包含說(shuō)明文字的照片。一個(gè)短消息應(yīng)用程序可以包括一個(gè)用于顯示要發(fā)送消息到的聯(lián)系人列表的activity，一個(gè)給選定的聯(lián)系人寫短信的activity以及翻閱以前的短信或改變?cè)O(shè)置的其他activity。盡管它們一起組成了一個(gè)內(nèi)聚的用戶界面，但其中每個(gè)activity都不與其它的保持獨(dú)立。每一個(gè)都實(shí)現(xiàn)為以Activity類為基類的子類。一個(gè)應(yīng)用程序可以只有一個(gè)activity，或者，如剛才提到的短信應(yīng)用程序那樣，包含很多個(gè)。每個(gè)activity的作用，以及有多少個(gè)activity，當(dāng)然是取決于應(yīng)用程序及其設(shè)計(jì)的。一般情況下，總有一個(gè)應(yīng)用程序被標(biāo)記為用戶在應(yīng)用程序啟動(dòng)的時(shí)候第一個(gè)看到的。從一個(gè)activity轉(zhuǎn)向另一個(gè)activity靠的是用當(dāng)前的activity啟動(dòng)下一個(gè)。每個(gè)activity都被給予一個(gè)默認(rèn)的窗口以進(jìn)行繪制。一般情況下，這個(gè)窗口是滿屏的，但它也可以是一個(gè)小的位于其它窗口之上的浮動(dòng)窗口。一個(gè)activity也可以使用附加窗口—例如，一個(gè)在activity運(yùn)行過(guò)程中彈出的供用戶響應(yīng)的對(duì)話框，或是一個(gè)當(dāng)用戶選擇了屏幕上特定項(xiàng)目后顯示的必要信息的窗口。窗口顯示的可視內(nèi)容是由一系列層次化view構(gòu)成的，這些view均繼承自View基類。每個(gè)view均控制著窗口中一塊特定的矩形區(qū)域中進(jìn)行繪制，并對(duì)用戶直達(dá)其區(qū)域的操作做出響應(yīng)。因此，view是activity與用戶進(jìn)行交互的界面。例如，view可以顯示一個(gè)小圖片，并在用戶指定它的時(shí)候產(chǎn)生動(dòng)作。Android有一些預(yù)置的view供開發(fā)者使用—包括按鈕、文本域、滾動(dòng)條、菜單項(xiàng)、復(fù)選框等等。view層次結(jié)構(gòu)是由Activity.setContentView()方法放入activity的窗口之中的。contentview是位于層次結(jié)構(gòu)根位置的View對(duì)象。（參見(jiàn)獨(dú)立的用戶界面文檔以讀取關(guān)于view及層次結(jié)構(gòu)的更多信息。）2.ServiceService沒(méi)有可視化的用戶界面，而是在一段時(shí)間內(nèi)在后臺(tái)運(yùn)行，例如，一個(gè)service可以在用戶做其它事情的時(shí)候在后臺(tái)播放背景音樂(lè)、從網(wǎng)絡(luò)上獲取數(shù)據(jù)或者計(jì)算一些東西并提供給需要這個(gè)運(yùn)算結(jié)果的activity使用。每個(gè)service都繼承自Service基類。一個(gè)媒體播放器播放列表中的曲目是一個(gè)不錯(cuò)的例子。播放器應(yīng)用程序可能有一個(gè)或多個(gè)activity來(lái)給用戶選擇歌曲并進(jìn)行播放。然而，音樂(lè)播放這個(gè)任務(wù)本身應(yīng)該由任何activity來(lái)處理，因?yàn)橛脩羝谕词乖谒麄冸x開播放器應(yīng)用程序而開始做別的事情時(shí)，