Skip to main content

Can a signed app load unsigned classes?

2 replies [Last post]
howardteece
Offline
Joined: 2010-06-17
Points: 0

If a start a signed app, can it download unsigned classes [for execution]. Or will the ClassLoader check the classes are signed too?
E.g.
<code>
class MySafeApp {
void ohDear() {
DVBClassLoader dcl = DVBClassLoader.getInstance("http://some.dodgy.place/");
Class cl = dcl.findClass("DoSomeTrouble");
// Etc.
}
}
</code>
And will the classes loaded inherit the permissions of the App that started them?

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
greg80303
Offline
Joined: 2008-07-03
Points: 0

The answers to your questions are 1) no 2) yes.
1) Classloaders created by an application inherit the authentication context of that application. If a dually signed app creates a DVBClassLoader, any classes loaded by it must be dually signed as well and their certificates must chain to the root certs present on the device.
2) Since classloaders are not shared between applications, classes loaded by a custom classloader are only accessible to the application that created them. Therefore, those classes inherit the permissions of the app that created the classloader.
G

greg80303
Offline
Joined: 2008-07-03
Points: 0

Sorry for the late response. I will look into this within the next day or so
G