On Android, declaring an intent filter for an activity in the AndroidManifest.xml file means exporting the activity to other apps. If the activity is intended solely for the internal use of the app and an intent filter is declared, any other app, including malware, can activate the activity for unintended use.

In the case of the Twicca app, by launching Twicca's activity, another app that does not have permission to access the SD card or network could upload images or movies stored on the SD card to an SNS service with the Twicca user's Twitter account.

Noncompliant Code Example

...

By declaring android:exported="false" for an activity tag in the AndroidManifest.xml file, the activity is restricted to only accept intents from within the same app or from an app with the same user ID.

Compliant Solution (Twicca)

This vulnerability was fixed in Twicca v0.9.31. Instead of declaring android:exported="false" for the activity in AndroidManifest.xml, Twicca fixed this vulnerability by validating the caller of the activity. In the onCreate() method of the activity class, code was added to check whether the package name of the caller is the same as the app's own package name. If the package names differ, the activity exits:

jp.r246.twicca.media.yfrog.YfrogUploadDialog (Java):

public void onCreate(Bundle arg5) {
    super.onCreate(arg5);
    ...
    // Component that started this activity with startActivityForResult();
    // null when the caller did not request a result, so the caller is unknown.
    ComponentName v0 = this.getCallingActivity();
    if (v0 == null) {
        this.finish();
    }
    // Reject callers whose package name is not Twicca's own.
    else if (!"jp.r246.twicca".equals(v0.getPackageName())) {
        this.finish();
    }
    else {
        this.a = this.getIntent().getData();
        if (this.a == null) {
            this.finish();
        }
        ...
    }
}

An Android developer can choose a package name arbitrarily, so different app developers could choose the same package name. Therefore, using the package name to validate the caller of an activity is generally not recommended [JSSEC 2013]. The recommended alternative is to check the developer's certificate instead of the package name.
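The following is an added example of the certificate-based caller check recommended above; it is not Twicca's code and is not taken from the original page. It keeps the structure of the Twicca fix (exit from onCreate() when the caller is untrusted) but compares the SHA-256 fingerprint of the caller's signing certificate against a known value instead of comparing package names. The class name CertCheckedUploadDialog, the helper names isCallerTrusted() and sha256Hex(), and the fingerprint constant EXPECTED_CERT_SHA256 (shown here as a placeholder) are assumptions of this example.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Hypothetical activity (not Twicca's) that only serves callers signed with a known certificate.
public class CertCheckedUploadDialog extends Activity {

    // PLACEHOLDER: SHA-256 fingerprint (hex, no separators) of the developer's
    // signing certificate, e.g. as printed by `keytool -printcert` on the APK's
    // certificate. For the "same developer" case this is the app's own certificate.
    private static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_REAL_FINGERPRINT";

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (!isCallerTrusted(this, EXPECTED_CERT_SHA256)) {
            // Untrusted or unknown caller: exit before touching the intent data.
            finish();
            return;
        }
        // ... normal processing of getIntent().getData() continues here
    }

    // Returns true only when the calling activity's package is signed with
    // exactly one certificate whose SHA-256 fingerprint matches expectedSha256.
    static boolean isCallerTrusted(Activity activity, String expectedSha256) {
        ComponentName caller = activity.getCallingActivity();
        if (caller == null) {
            // Caller did not use startActivityForResult(); its identity is unknown.
            return false;
        }
        try {
            // GET_SIGNATURES is deprecated since API 28 (GET_SIGNING_CERTIFICATES
            // replaces it) but is kept here to match the API level of the page's code.
            PackageInfo info = activity.getPackageManager().getPackageInfo(
                    caller.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length != 1) {
                // Reject unsigned packages and packages with multiple signers.
                return false;
            }
            String actual = sha256Hex(info.signatures[0].toByteArray());
            return actual.equalsIgnoreCase(expectedSha256);
        } catch (PackageManager.NameNotFoundException e) {
            // The caller's package is not installed (should not happen for a live caller).
            return false;
        }
    }

    // Hex-encoded SHA-256 of the DER-encoded certificate bytes.
    static String sha256Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(data)) {
                sb.append(String.format(Locale.US, "%02X", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

The check fails closed: a missing caller, an uninstalled package, an unsigned package, a package with more than one signer, and a fingerprint mismatch all cause the activity to exit. Because the fingerprint is pinned to the certificate rather than to the package name, another developer who chooses the same package name cannot pass the check without the signing key.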

...