Skip to content

Commit 0c49469

Browse files
committed
javadoc
1 parent a0e76af commit 0c49469

1 file changed

Lines changed: 14 additions & 10 deletions

File tree

binder/src/main/java/io/grpc/binder/BinderChannelBuilder.java

Lines changed: 14 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -284,22 +284,26 @@ public BinderChannelBuilder strictLifecycleManagement() {
284284
}
285285

286286
/**
287-
* Checks server addresses against this channel's {@link SecurityPolicy} *before* connecting.
287+
* Checks servers against this channel's {@link SecurityPolicy} *before* binding.
288288
*
289289
* <p>Android users can be tricked into installing a malicious app with the same package name as a
290290
* legitimate server. That's why we don't send calls to a server until it has been authorized by
291-
* an appropriate {@link SecurityPolicy}. But merely connecting to a malicious server can enable
292-
* "keep-alive" and "background activity launch" attacks, even if that server is ultimately
293-
* disallowed by the channel's security policy. Pre-authorization is even more important for
294-
* security when the server's address isn't known in advance but rather resolved via target URI or
295-
* discovered by other means.
291+
* an appropriate {@link SecurityPolicy}. But merely binding to a malicious server can enable
292+
* "keep-alive" and "background activity launch" attacks, even if security policy ultimately
293+
* causes the grpc connection to fail. Pre-authorization is especially important for security when
294+
* the server's address isn't known in advance but rather resolved via target URI or discovered by
295+
* other means.
296296
*
297-
* <p>Pre-authorization is strongly recommended but it remains optional for now because of the
298-
* small performance cost and because it precludes servers that proxy their "endpoint binder"
299-
* through another (unauthorized) app (not recommended, but technically a behavior change).
297+
* <p>Note that, unlike ordinary authorization, pre-authorization is performed against the server
298+
* app's UID, not the UID of the server process. These can be different, most commonly due to
299+
* services that set `android:isolatedProcess=true`.
300+
*
301+
* <p>Pre-authorization is strongly recommended but it remains optional for now because of this
302+
* behavior change and the small performance cost.
300303
*
301304
* <p>The default value of this property is false but it will become true in a future release.
302-
* Clients that require a particular behavior should configure it explicitly using this method.
305+
* Clients that require a particular behavior should configure it explicitly using this method
306+
* rather than relying on the default.
303307
*/
304308
public BinderChannelBuilder preAuthorizeServers(boolean preAuthorize) {
305309
transportFactoryBuilder.setPreAuthorizeServers(preAuthorize);

0 commit comments

Comments
 (0)