Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 89430735 authored by Arc Wang's avatar Arc Wang
Browse files

Prevent side channel package installation enumeration

From Android 11, apps need the permission QUERY_ALL_PACKAGES
to probe existence of arbitrary installed packages.

However, an Activity which declares android:scheme="package
in intent-filter may be vulnerable and attacker app can
use it to probe installed packages.

This change add permission QUERY_ALL_PACKAGES to protect
vulnerable Activity.

Bug: 185477439
Test: Install POC and check if it can probe installed packages
      by each vulnerable Activity.
Change-Id: I521545436102f72f2e0c5053e30fd03bd6bc756f
parent 1ee60270
Loading
Loading
Loading
Loading
+7 −3
Original line number Diff line number Diff line
@@ -1423,7 +1423,8 @@
        <activity
            android:name=".datausage.AppDataUsageActivity"
            android:exported="true"
            android:noHistory="true">
            android:noHistory="true"
            android:permission="android.permission.QUERY_ALL_PACKAGES">
            <intent-filter android:priority="1">
                <action android:name="android.settings.IGNORE_BACKGROUND_DATA_RESTRICTIONS_SETTINGS" />
                <category android:name="android.intent.category.DEFAULT" />
@@ -1493,6 +1494,7 @@
        <activity-alias android:name=".applications.InstalledAppDetails"
                android:label="@string/application_info_label"
                android:exported="true"
                android:permission="android.permission.QUERY_ALL_PACKAGES"
                android:targetActivity=".applications.InstalledAppDetailsTop">
            <intent-filter android:priority="1">
                <action android:name="android.settings.APPLICATION_DETAILS_SETTINGS" />
@@ -1504,7 +1506,8 @@

        <activity android:name=".applications.InstalledAppOpenByDefaultActivity"
                  android:label="@string/application_info_label"
                  android:exported="true">
                  android:exported="true"
                  android:permission="android.permission.QUERY_ALL_PACKAGES">
            <intent-filter android:priority="1">
                <action android:name="android.settings.APP_OPEN_BY_DEFAULT_SETTINGS" />
                <!-- Also catch legacy "com." prefixed action. -->
@@ -1861,7 +1864,8 @@
        <activity
            android:name="Settings$AppUsageAccessSettingsActivity"
            android:exported="true"
            android:label="@string/usage_access_title">
            android:label="@string/usage_access_title"
            android:permission="android.permission.QUERY_ALL_PACKAGES">
            <intent-filter>
                <action android:name="android.settings.USAGE_ACCESS_SETTINGS"/>
                <category android:name="android.intent.category.DEFAULT"/>