Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 89430735 authored by Arc Wang's avatar Arc Wang
Browse files

Prevent side channel package installation enumeration 

From Android 11, apps need the permission QUERY_ALL_PACKAGES
to probe existence of arbitrary installed packages.

However, an Activity which declares android:scheme="package
in intent-filter may be vulnerable and attacker app can
use it to probe installed packages.

This change add permission QUERY_ALL_PACKAGES to protect
vulnerable Activity.

Bug: 185477439
Test: Install POC and check if it can probe installed packages
      by each vulnerable Activity.
Change-Id: I521545436102f72f2e0c5053e30fd03bd6bc756f
parent 1ee60270

AndroidManifest.xml

+7 −3
Original line number Diff line number Diff line
@@ -1423,7 +1423,8 @@ 
        <activity

            android:name=".datausage.AppDataUsageActivity"

            android:exported="true"

            android:noHistory="true">

            android:noHistory="true"

            android:permission="android.permission.QUERY_ALL_PACKAGES">

            <intent-filter android:priority="1">

                <action android:name="android.settings.IGNORE_BACKGROUND_DATA_RESTRICTIONS_SETTINGS" />

                <category android:name="android.intent.category.DEFAULT" />
@@ -1493,6 +1494,7 @@ 
        <activity-alias android:name=".applications.InstalledAppDetails"

                android:label="@string/application_info_label"

                android:exported="true"

                android:permission="android.permission.QUERY_ALL_PACKAGES"

                android:targetActivity=".applications.InstalledAppDetailsTop">

            <intent-filter android:priority="1">

                <action android:name="android.settings.APPLICATION_DETAILS_SETTINGS" />
@@ -1504,7 +1506,8 @@ 


        <activity android:name=".applications.InstalledAppOpenByDefaultActivity"

                  android:label="@string/application_info_label"

                  android:exported="true">

                  android:exported="true"

                  android:permission="android.permission.QUERY_ALL_PACKAGES">

            <intent-filter android:priority="1">

                <action android:name="android.settings.APP_OPEN_BY_DEFAULT_SETTINGS" />

                <!-- Also catch legacy "com." prefixed action. -->
@@ -1861,7 +1864,8 @@ 
        <activity

            android:name="Settings$AppUsageAccessSettingsActivity"

            android:exported="true"

            android:label="@string/usage_access_title">

            android:label="@string/usage_access_title"

            android:permission="android.permission.QUERY_ALL_PACKAGES">

            <intent-filter>

                <action android:name="android.settings.USAGE_ACCESS_SETTINGS"/>

                <category android:name="android.intent.category.DEFAULT"/>