Hi all,
This question isn't about something specific like problematic code. It's about understanding the concept of secure inter-app communication.
I've read up on how apps communicate, and it seems to be mainly using intents, sockets and running a local webserver on the phone. (Did I miss a method?) If we ignore the complexity factor of the methods for the time being, is one method more secure than the other? And I mean this mainly from a "don't allow sniffing or manipulating the communication" perspective. (It's my understanding that it's somewhat simple to intercept and log intents, for instance.)
Like, for instance, in Sweden, there is a standard method of identifying yourself using your mobile: BankID (https://play.google.com/store/apps/details?id=com.bankid.bus). And pretty much all banks have their own apps also, like Swedbank for example (https://play.google.com/store/apps/details?id=se.swedbank.mobil), which rely on BankID for authenticating their users. (BankID is such a dominating standard that it's also used for pretty much all government communication, including doing your taxes once per year.)
When I want to look at my bank accounts, these are the steps:
- Launch the bank app, enter my social security number and press Next
- BankID launches automatically and I identify myself in it using a very secret code and press Next
- I automatically return to my bank app and can do whatever I wanted to do
The BankID app obviously communicates with an online webservice somewhere, but let's ignore those parts for now. I'm simply trying to understand how the two apps communicate in a secure way. Especially considering that if one uses a rooted device, everything can be transparent and recordable. Is the way around that to ensure the BankID app simply doesn't run if the device is rooted? (My phone isn't rooted, so I've never encountered the situation.)
Thanks