Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 38a58371 authored by Tadashi G. Takaoka's avatar Tadashi G. Takaoka
Browse files

Remove SHOW_INPUT_METHOD_PICKER receiver 

Although there is a security check for IMM#showInputMethodPicker() [1],
any background application can virtually call the method via explicit
broadcast intent to Settings app.

Since showing IME picker from the notification has implemented in
InputMethodManagerService using protected-broadcast [2], the receiver in
Settings app isn't necessary and should be removed to close the security
bypass.

Note that this broadcast receiver stops working from Android-O due to
background check [3].

 [1]: I4f0fc21268200c64d12b31ca54416acfbf62f37b
 [2]: Id36c8c34159bea8b72557b40bcf024d401f580b6
 [3]: https://developer.android.com/preview/features/background.html#broadcasts

Test: The following broadcast intent will not show IME picker.
  $ adb shell am broadcast \
        -a android.settings.SHOW_INPUT_METHOD_PICKER \
        com.android.settings
Fixes: 64008672
Bug: 63644555
Change-Id: Id990c66516c9b3ed7ada6891746ec0e0eecbe545
parent 7edaa603
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment