I'm developing an Android application that allows plugins to run via OSGi (using Apache Felix). However, I want to enforce certain security aspects on a per-plugin basis. I.e. which Plugin is allowed to to access the filesystem. Also, I want to prevent reflection in general.
All the tutorials I've found so far refer to using OSGi security in combination with loading the standard Java SecurityManager. However, the latter doesn't exist on Android thus rendering the whole approach completely unusable. I don't want to go as far as to use Bytecode Manipulation to prevent things from happening in the various plugins, as this would be both cumbersome and I could always miss something.
So, does anyone have any idea, how I could get a security architecture similar to standard Java security on Android? Most importantly, how can I prevent reflection from being used?
But also, is there a way to prevent I/O access i.e. on a per thread basis?
Unless you are willing to modify the core OS, you can't. Android standard permissions can restrict access to files and APIs, but there is nothing to stop reflection. The OS uses it, so you if you block it completely things will break. Blocking by UID, process might be doable, but you'd have to modify the core Java API's implementation (in libcore).