[6] Enck, W., Ongtang, M., McDaniel, P. Understanding Android Security [J]. Security amp.

Since then Google has opened its own era; Taiwan's HTC, the manufacturer of T-Mobile's G1, estimated that G1 shipments had exceeded 1 million units by the end of 2008. Android and many companies are looking for new ways to integrate their existing businesses into Android. Android uses a simple permission-label assignment model to restrict access to resources, but for reasons of necessity and convenience toward other applications, its designers have added confusion to the system. We split the functionality into two applications: one for tracking friends and one for viewing them. The FriendTracker and FriendViewer applications consist of multiple components of different types, each providing a different set of functionality. When an activity needs to perform some operation after the user interface disappears (such as downloading a file or playing music), it commonly uses a service specially designed for that action. Thus, broadcast receivers subscribe to these destinations to receive the messages sent to them. In the FriendTracker application, for example, the FriendTrackerControl activity is marked as the main user interface entry point. The FriendReceiver waits to receive messages indicating that the phone is near a specified friend. One of Android's most powerful features is the variety its intent-addressing mechanism allows. In each case, one component initiates communication with another. In our example, FriendTracker binds to the location manager in the system server.

however, the specific activity chosen on launch is marked by meta information in the manifest. In the FriendTracker application, for example, the FriendTrackerControl activity is marked as the main user interface entry point. In this case, we reserved the name “FriendTracker” for the service component performing the core application logic. The FriendTracker application contains each of the four component types. The FriendTracker service polls an external service to discover friends’ locations. In our example code, we generate locations randomly, but extending the component to interface with a Web service is straightforward. The FriendProvider content provider maintains the most recent geographic coordinates for friends, the FriendTrackerControl activity defines a user interface for starting and stopping the tracking functionality, and the BootReceiver broadcast receiver obtains a notification from the system once it boots (the application uses this to automatically start the FriendTracker service).

Figure 1. Example Android application. The FriendTracker and FriendViewer applications consist of multiple components of different types, each of which provides a different set of functionalities. Activities provide a user interface, services execute background processing, content providers are data storage facilities, and broadcast receivers act as mailboxes for messages from other applications.

The FriendViewer application is primarily concerned with showing information about friends’ locations. The FriendViewer activity lists all friends and their geographic coordinates, and the FriendMap activity displays them on a map. The FriendReceiver broadcast receiver waits for messages that indicate the physical phone is near a particular friend and displays a message to the user upon such an event. Although we could have placed these components within the FriendTracker application, we created a separate application to demonstrate cross-application communication. Additionally, by separating the tracking and user interface logic, we can create alternative user interfaces with different displays and features—that is, many applications can reuse the logic performed in FriendTracker.

Component Interaction

The primary mechanism for component interaction is an intent, which is simply a message object containing a destination component address and data. The Android API defines methods that accept intents, and uses that information to start activities (startActivity(Intent)), start services (startService(Intent)), and broadcast messages (sendBroadcast(Intent)). The invocation of these methods tells the Android framework to begin executing code in the target application. This process of inter-component communication is known as an action.
Simply put, an intent object defines the “intent” to perform an “action.”

One of Android’s most powerful features is the flexibility allowed by its intent-addressing mechanism. Although developers can uniquely address a target component using its application’s namespace, they can also specify an implicit name. In the latter case, the system determines the best component for an action by considering the set of installed applications and user choices. The implicit name is called an action string because it specifies the type of requested action; for example, if the “VIEW” action string is specified in an intent with data fields pointing to an image file, the system will direct the intent to the preferred image viewer. Developers also use action strings to broadcast a message to a group of broadcast receivers. On the receiving end, developers use an intent filter to subscribe to specific action strings. Android includes additional destination resolution rules, but action strings with optional data types are the most common.

Figure 2 shows the interaction between components in the FriendTracker and FriendViewer applications and with components in applications defined as part of the base Android distribution. In each case, one component initiates communication with another. For simplicity, we call this inter-component communication (ICC). In many ways, ICC is analogous to inter-process communication (IPC) in Unix-based systems. To the developer, ICC functions identically regardless of whether the target is in the same or different application, with the exception of the security rules defined later in this article.

The available ICC actions depend on the target component. Each component type supports interaction specific to its type; for example, when FriendViewer starts FriendMap, the FriendMap activity appears on the screen. Service components support start, stop, and bind actions, so the FriendTrackerControl activity, for instance, can start and stop the FriendTracker service that runs in the background.
The bind action establishes a connection between components, allowing the initiator to exe
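
The intent-addressing rules described above (an explicit component name versus an implicit action string matched against intent filters), as an added example that is not code from the original article: a small Python model of the resolution step, not the Android API. Component names follow the article; the action string org.example.FRIEND_NEAR, the OtherApp receiver and the Gallery image viewer are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Component:
    app: str                             # owning application
    name: str                            # component name within the app
    kind: str                            # "activity", "service" or "receiver"
    actions: frozenset = frozenset()     # action strings in its intent filter
    mime_prefix: Optional[str] = None    # optional data type in the filter

@dataclass(frozen=True)
class Intent:
    target: Optional[tuple] = None       # explicit address: (app, name)
    action: Optional[str] = None         # implicit address: action string
    mime: Optional[str] = None           # optional data type

# Constructed install set. Component names follow the article; the action
# string, "OtherApp" and "Gallery" are hypothetical.
FRIEND_NEAR = "org.example.FRIEND_NEAR"
INSTALLED = [
    Component("FriendTracker", "FriendTracker", "service"),
    Component("FriendViewer", "FriendReceiver", "receiver", frozenset({FRIEND_NEAR})),
    Component("FriendViewer", "FriendMap", "activity"),
    Component("OtherApp", "OtherReceiver", "receiver", frozenset({FRIEND_NEAR})),
    Component("Gallery", "ImageViewer", "activity", frozenset({"VIEW"}), "image/"),
]

def resolve(intent, kind):
    """Return (app, name) of every component of this kind the intent addresses."""
    hits = []
    for c in (c for c in INSTALLED if c.kind == kind):
        if intent.target is not None:            # explicit: exact name only
            match = (c.app, c.name) == intent.target
        else:                                    # implicit: filter must match
            match = intent.action in c.actions and (
                c.mime_prefix is None or (intent.mime or "").startswith(c.mime_prefix))
        if match:
            hits.append((c.app, c.name))
    return hits

def send_broadcast(intent):
    # Every subscribed receiver gets the message, whichever app owns it.
    return resolve(intent, "receiver")

def start_activity(intent):
    # Model takes the first match; the real system also weighs user choice.
    hits = resolve(intent, "activity")
    return hits[0] if hits else None
```

A broadcast addressed by action string reaches both FriendReceiver and the unrelated OtherReceiver, while the explicitly addressed one reaches FriendReceiver only, which is why the choice of addressing mode determines who can see the intent's data.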