I'm tring to figure out how to share data in a secure way between an unknow number of applications, each application has a different certification. In my opinion, content provider is the best way to do this.(?) But my problem is how can i secure the data from malicious applications without encrypting the data. I want to set up a URI for each application and prevent malicious applications from approaching. How can i do this?
The most secure way to do this is with an RSA key pair. Your content provider would need a connection to a web service to stay up to date on acceptable key pairs. The content would then verify the signature provided by the querying application, proceed to provide data.
Any other method would be open to attacks. For example, checking against the package name of the querying application can be easily spoofed, by simply installing a debug or signed version of the malicious application with an approved package name.
You would have to "squeeze" the key pair into the existing ContentProvider calls. The simplest way to do this is to have the RSA key passed as part of the Uri. Preferably, always the first path segment, ie:
content://mysharedcontent/rsakey/somegroup/sometable
Arguable, have the RSA key as the last path segment is good design:
content://mysharedcontent/somegroup/sometable/rsakey
Ultimately, it's a style choice.
Upon receiving a request, you should check your secure store (a file encrypted with SHA-1) if the rsakey is legitimate. If not check against server, to verify and update your local store at the same time.
With this, applications will have a relatively concrete and secure way of authenticating with your ContentProvider.