Security vendor has reported a VAPT issue with my flutter app. CWE-926: Improper Export of Android Application Components. The flutter app by default has only one main-activity.
<application
android:label="MyApp"
android:icon="#mipmap/ic_launcher"
android:allowBackup="false"
android:fullBackupContent="false">
<activity
android:name=".MainActivity"
android:launchMode="singleTop"
android:theme="#style/LaunchTheme"
android:configChanges="orientation|keyboardHidden|keyboard|screenSize|locale|layoutDirection|fontScale|screenLayout|density|uiMode"
android:hardwareAccelerated="true"
android:windowSoftInputMode="adjustResize">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<meta-data
android:name="flutterEmbedding"
android:value="2" />
</application>
There are 2 recommendations to fix this issue as per CWE page
Add android:exportable="false"
The main activity is exportable. If I add android:exportable="false" to the main activity, I am not able to run the app. it ends with error, when I try to run it on emulator.
Use android:protectionLevel="signature"
I am new to android development. I tried to create new permission and use it for application, but again getting error as permission denied.
I am clueless as to how to solve this issue? As I understand, MainActivity has to be exportable. So not sure how to solve this.
Related
When create empty android project with no activity by default, and then add empty activity through android studio GUI, debug is showing error
Waiting for application to come online
Manifest file seems to be fine, what step in app setup might have been missed? When creating project with empty activity by default, there is no error
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<application
android:allowBackup="true"
android:dataExtractionRules="#xml/data_extraction_rules"
android:fullBackupContent="#xml/backup_rules"
android:icon="#mipmap/ic_launcher"
android:label="#string/app_name"
android:roundIcon="#mipmap/ic_launcher_round"
android:supportsRtl="true"
android:theme="#style/Theme.MyApplication"
tools:targetApi="31">
<activity
android:name=".MainActivity"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
<meta-data
android:name="android.app.lib_name"
android:value="" />
</activity>
</application>
I tried to compare contents of two new created project, one with manually added mainActivity and another project with empty activity created by default, but it seems no diff
Try to clean project and rebuild it , then try again
I do have a problem with my current flutter project. My project was already built in release and also I put also the correct keystore file and the targetsdkversion. Now, when I am uploading my app in the playstore it always shows android exported property set (which as I was already know how to solve it.) I set all the receivers and tags that uses intent-filter to android:exported' true or false. Now, the problem is when I upload it to playstore it still showing the android exported error. I tried to migrate it to android studio in order to modify the merged manifest but I am unable to do so because I doesn't show the merged manifest. I also tried to manually edit the one on the app/build/intermediates/merged_manifest folder but still same results. I am using latest flutter with dart for it. Any more tips for me to fix? Attached also here is my manifest file.
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.jerrybuyer.app" xmlns:tools="http://schemas.android.com/tools">
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="com.google.android.gms.permission.AD_ID" tools:node="remove"/>
<application
android:label="Jerry App"
android:name="${applicationName}"
android:icon="#mipmap/ic_launcher" tools:node="merge">
<activity
android:name=".MainActivity"
android:exported="true"
android:launchMode="singleTop"
android:theme="#style/LaunchTheme"
android:configChanges="orientation|keyboardHidden|keyboard|screenSize|smallestScreenSize|locale|layoutDirection|fontScale|screenLayout|density|uiMode"
android:hardwareAccelerated="true"
android:windowSoftInputMode="adjustResize">
<!-- Specifies an Android theme to apply to this Activity as soon as
the Android process has started. This theme is visible to the user
while the Flutter UI initializes. After that, this theme continues
to determine the Window background behind the Flutter UI. -->
<meta-data
android:name="io.flutter.embedding.android.NormalTheme"
android:resource="#style/NormalTheme"
/>
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<!-- Don't delete the meta-data below.
This is used by the Flutter tool to generate GeneratedPluginRegistrant.java -->
<meta-data
android:name="flutterEmbedding"
android:value="2" />
<!-- facebook configs -->
<meta-data android:name="com.facebook.sdk.ApplicationId" android:value="#string/facebook_app_id"/>
<meta-data android:name="com.facebook.sdk.ClientToken" android:value="#string/facebook_client_token"/>
<activity android:name="com.facebook.FacebookActivity"
android:configChanges=
"keyboard|keyboardHidden|screenLayout|screenSize|orientation"
android:label="#string/app_name" android:exported="true"/>
<activity
android:name="com.facebook.CustomTabActivity"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="#string/fb_login_protocol_scheme" />
</intent-filter>
</activity>
</application>
</manifest>
PS: I have now managed to unlock my merged manifest but even though I saw the merged manifest file, it doesnt show any intent-filter that needs an android exported
Here is the screenshot of the android merged-manifest that I managed to show. It doesn't show any errors regarding the intent-filter android:exported
INTRO
Greetings, all!
My Android Studio 4.0.1 project refused to build due to not being able to find an AndroidManifest.xml file that's in /main/ where it should be, according to the documentation. Mass replacing the occurrences of "api" with "implementation" or vice versa hasn't helped.
Thus, what other information do you want for clarification, and what should change to ensure this works?
Thankee!
MANIFEST FILE
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.hornet">
<uses-permission android:name="android.permission.INTERNET" />
<application
android:name=".MainApplication"
android:label="#string/app_name"
android:icon="#mipmap/ic_launcher"
android:roundIcon="#mipmap/ic_launcher_round"
android:allowBackup="false"
android:theme="#style/AppTheme">
<activity
android:name=".MainActivity"
android:label="#string/app_name"
android:configChanges="keyboard|keyboardHidden|orientation|screenSize|uiMode"
android:launchMode="singleTask"
android:windowSoftInputMode="adjustResize">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity android:name="com.facebook.react.devsupport.DevSettingsActivity" />
</application>
</manifest>
RUN ERRORS WITH DEBUG MODE ACTIVE
Moved to this Google Doc for being too long for this post!
https://docs.google.com/document/d/19OO-OIzFy6IXPEOAdvGZLgXNsW_1sfiZsLDs6H0Jjzs/edit?usp=sharing
Try to rebuild the project or modify project structure. It happens when something was wrong
I am developing an android application using android studio, which has 2 activity so far, LoginActivity and the MainActivity, But when I run the application it installs in my cellphone or virtual machine, but does not appear anywhere. I looked into the installed application and the application is installed. I believe my problem is on the Manifest, but I do not know how to solve it.
The complete code is here on GitHub: https://github.com/SoftwareEngineeringClass/MobileApplication/tree/master/Minerva
and here is my manifest:
<?xml version="1.0" encoding="utf-8"?>
<uses-permission android:name="android.permission.INTERNET" />
<application
android:allowBackup="true"
android:icon="#mipmap/ic_launcher"
android:label="#string/app_name"
android:supportsRtl="true"
android:theme="#style/AppTheme" >
<activity
android:name=".Minerva"
android:label="#string/app_name"
android:theme="#style/AppTheme.NoActionBar" >
<intent-filter>
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</activity>
<activity
android:name=".LoginActivity"
android:label="#string/app_name" >
<itent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</itent-filter>
</activity>
<activity
android:name="com.facebook.FacebookActivity"
android:configChanges="keyboard|keyboardHidden|screenLayout|screenSize|orientation"
android:label="#string/app_name"
android:theme="#android:style/Theme.Translucent.NoTitleBar" />
<meta-data
android:name="com.facebook.sdk.ApplicationId"
android:value="#string/facebook_app_id" />
</application>
I believe the first thing I'd do is set a breakpoint at the beginning of the launcher Activity and see if execution gets there or not. No matter what Logcat will tell you something is wrong. You have to run it in debug mode of course. Attach the debugger. If you give me all your code I'd be more than happy to take a look and give you a definitive answer quickly.
Do you know if you require permissions? , maybe it is the problem that not allow you to run. Also if you can share your activity I can help you.
After pausing with work on an Android Studio project for a while, and then coming back and adding it to SVN, I can't get the project to run anymore; it seems to me that the original AndroidManifest.xml was probably lost due to a lack of proper "SVN ignore" rules, and as I created a new Android Studio project on a new machine, updated it from SVN and later commited (and also unfortunately already updated on the other machine I work on), it seems that SVN used the newer manifest file and maybe other files needed for a proper build of the project.
Besides the fact that in the current manifest file, there are several activites missing that I'll have to try to reconstruct there, I now have the problem that I always get the "Default Activity not found" error when trying to build. When I set it to .MainActivity (which is absolutely present in app/src/main/java/com.example.bla.logintest) it says "The activity 'MainActivity' is not declared in AndroidManifest.xml" and thus doesn't compile.
My manifest file now looks like this:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.bla.logintest" >
<uses-permission android:name="android.permission.READ_PHONE_STATE">
<application
android:allowBackup="true"
android:icon="#mipmap/ic_launcher"
android:label="#string/app_name"
android:theme="#style/AppTheme" >
<activity
android:name=".MainActivity"
android:label="#string/app_name" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity
android:name=".EditDB"
android:label="#string/title_activity_edit_diags"
android:parentActivityName=".MenuActivity">
<meta-data
android:name="android.support.PARENT_ACTIVITY"
android:value="com.example.bla.logintest.MenuActivity" />
</activity>
<activity
android:name=".EditAnswers"
android:label="#string/title_activity_edit_questions"
android:parentActivityName=".MenuActivity">
<meta-data
android:name="android.support.PARENT_ACTIVITY"
android:value="com.example.bla.logintest.MenuActivity" />
</activity>
</application>
</uses-permission>
</manifest>
Note: I already tried the solutions in [this similar question][1].
[1]: Default Activity not found in Android Studio "this similar question". Rebuilding and invalidating the cache doesn't get me anywhere. I also added
sourceSets {
main {
manifest.srcFile 'src/main/AndroidManifest.xml'
}
to my build.gradle, and this also didn't change anything.
I am aware that the parent to the other 2 activities is still missing and wanted to work on that problem next, but first wanted to have a working default activity.
Do you have any suggestions what I could try? I'm using Android Studio 1.3.2.
This should solve your problem.
You shouldn't write the tag inside the tag.
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.bla.logintest" >
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<application
android:allowBackup="true"
android:icon="#mipmap/ic_launcher"
android:label="#string/app_name"
android:theme="#style/AppTheme" >
<activity
android:name=".MainActivity"
android:label="#string/app_name" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity
android:name=".EditDB"
android:label="#string/title_activity_edit_diags"
android:parentActivityName=".MenuActivity">
<meta-data
android:name="android.support.PARENT_ACTIVITY"
android:value="com.example.bla.logintest.MenuActivity" />
</activity>
<activity
android:name=".EditAnswers"
android:label="#string/title_activity_edit_questions"
android:parentActivityName=".MenuActivity">
<meta-data
android:name="android.support.PARENT_ACTIVITY"
android:value="com.example.bla.logintest.MenuActivity" />
</activity>
</application>
</manifest>