In my Android app there is a security vulnerability that my app can be opened by a malicious application. I am using the following intent filter in the Launcher Activity.
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
This intent filter makes the Main Activity exposed to other apps. Is there any way to expose the Main Activity only to the Android OS and not to other applications. As far as I understand We can't use "exported=false".
Is there any way to expose the Main Activity only to the Android OS and not to other applications.
Not as you are defining the terms.
Every activity, exported or not, is "exposed" to "the Android OS". Otherwise, they would be unusable, even by the app itself. The difference between an exported activity and one that is not is whether a third-party app can start the activity.
The home screen itself is just an app. A device ships with at least one home screen pre-installed, and users can install others from the Play Store or elsewhere. Hence, from the standpoint of your app, the home screen is a third-party activity.
In my Android app there is a security vulnerability that my app can be opened by a malicious application
Having an exported activity is not a "security vulnerability" in its own right. Your argument is akin to saying "there is a security vulnerability in my Web site — how do I allow my home page to only be opened from a Google search result, but not by a bookmark or any other Web site?".
Having unnecessarily exported activities is bad from a security standpoint, but the launcher activity is exported by necessity.
Related
I have an application that has only 1 activity "MainActivity" and it must be divided in fragments, because there are 3 windows, one of them is the user details, and this activity (the main activity) has exported=true.
I want to know if this entails a security flaw in an Android APK:
I log in the application
I start the activity with drozer: run app.activity.start --component com.member com.member.MainActivity
I can see the user details, but not in the first display, I need to press another tab, which must be another fragment inside the MainActivity.
Is it the normal behavior?
It is true that exported activities can be used by apps with a different uid, but the user must be logged in, which problem does it entail?
Regards!
Is it the normal behavior?
If by "the normal behavior" you mean that exported activities can be started by third-party apps, then yes.
It is true that exported activities can be used by apps with a different uid
If by "used" you mean "started", then yes.
For example, this activity of yours probably has this <intent-filter>:
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
This says "hey, anything that is a launcher, please include me in your roster of launchable activities!". The launcher is how most Android device owners start apps. If your activity is not exported, then the launcher would not be able to start your activity, and as a result the user will not be able to use your app.
Note that having an <intent-filter> on an <activity> automatically sets android:exported to true — you do not need to declare this manually.
Before API 29, we can remove the launcher icon in the device by removing
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
in the manifest file.
As stated here
As of Android Q, at least one of the app's activities or synthesized activities appears in the returned list unless the app satisfies at least one of the following conditions:
The app is a system app.
The app doesn't request any permissions.
The app doesn't have a launcher activity that is enabled by default. A
launcher activity has an intent containing the ACTION_MAIN action and
the CATEGORY_LAUNCHER category.
Additionally, the system hides
synthesized activities for some or all apps in the following
enterprise-related cases:
If the device is a fully managed device, no synthesized activities for
any app appear in the returned list. If the current user has a work
profile, no synthesized activities for the user's work apps appear in
the returned list.
The third condition states as the same as not to have a launcher activity that is enabled.
How to achieve this in android 10?
I believe the third condition is wrong or outdated.
The behavior on Google's current emulator image of Android 10 (Google APIs Intel x86 Atom System Image 29_r09) differs from the documentation:
getActivityList() always returns at least one activity, except if the app satisfies at least one:
system app
<application> tag is completely empty i.e. no activities, services, ... declared
no permissions declared
This behavior corresponds to the release notes from Android Q Beta:
Launcher icon visibility
In Android Q Beta 2, packages that don't declare any permissions in their respective
manifest files are hidden from the All apps tray, as are the following types of apps:
System apps
Apps that don't contain any components inside their respective manifest's <application> tag
I have successfully set up an intent-filter in my Android app to open the app from the mobile browser based on one of many SO posts on this topic.
However, the problem is that the native app is opening WITHIN the browser, when I rather want it to open OUTSIDE of the browser in a separate app process.
By WITHIN, I mean that when I press the rightmost 'active apps' button to see what is running, I see that my current app is still the browser app, and there is no separate app opened called MyApp. It is as if the browser embeds my native app within itself, and so the browser is executing my app process.
And by OUTSIDE, I mean that I want to be able to see two active apps running after I press the link: (1) the browser app from which I launched (2) my MyApp app.
This is my intent-filter set up in AndroidManifest.xml:
<intent-filter>
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<action android:name="android.intent.action.VIEW" />
<data android:scheme="myapp" android:host="mypath" />
</intent-filter>
And I link to this from a web page opened in the browser using:
Open app
How can I force the app to open OUTSIDE of the browser? One note is that when the app launches I don't see an 'app chooser' which I've seen for other apps.
By WITHIN, I mean that when I press the rightmost 'active apps' button to see what is running, I see that my current app is still the browser app, and there is no separate app opened called MyApp.
Your activity was launched within the browser's task.
It is as if the browser embeds my native app within itself and itself is executing my app process.
That is not what is happening.
How can I force the app to open OUTSIDE of the browser?
If you mean that you want the activity to appear in a separate task... ideally, that would happen by default. I'm surprised that a browser would not have added FLAG_ACTIVITY_NEW_TASK when it started your activity.
That being said, android:launchMode="singleTask" on your <activity> element should give you the desired behavior.
Let me describe you what I want: I want to build a "master app" and set it so that when the phone is powered up, it immediately goes into the master app. The user can never exit this app (this will be used for something like parental control), and he can only launch other apps from within it.
Basically it will be like a "custom desktop".
I must stress out, it is important that this app never exits. As long as the phone is started, this is the only environment that the user has access to.
Now after I explained what I need, I will need your help to tell me what am I looking for. Is this some kind of "default launcher" that I keep hearing about? Or how is this called?
How can I do it?
Thanks
Add this into Manifest.
<receiver
android:name=".Bootupclass"
android:enabled="true"
android:permission="android.permission.RECEIVE_BOOT_COMPLETED" >
</receiver>
Bootupclass
public class Bootupclass extends BroadcastReceiver{
#Override
public void onReceive(Context context, Intent intent) {
//write intent here
}
}
I need someone to give me the exact code needed to make the app:
Here Goes,
If you make an app as a launcher app, and if it is the ONLY launcher app within your system, it will of course be started when you switch on your device. And also when you click on the home button, since your app is the only launcher app within the system, the same would be started.
so ,
1) start on bootup 2) be the default action when pressing the home button (the "desktop")
could both be merged into 1.
You mentioned that your phone is rooted, So easiest way to achieve what you require would be to
1.Install your app with just these lines within the manifest. i.e within your first activity. Nothing else is required. (this would make your app as a launcher app)
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.HOME"/>
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
2.Un-install the default launcher application within your device.
What is being asked in the question body is different from the question title.
Listening to BOOT_COMPLETED will do literally what is requested by title - give control to the application once when device is powered on or restarted.
It is not enough to achieve the real goal - to prevent user from exiting the application and reaching "normal" home screen - once user presses "exit" or "home", he will essentially leave your app. While you can intercept "Exit" button and prevent it from quitting your app, "home" button is not possible to block programmatically.
In order to make and app like parental control and prevent user from reaching unwanted apps you need to implement "custom home screen" or "custom launcher" (which is the same thing).
It is rather large topic, but this seems to be a good starting point: Android - creating custom launcher.
And because author insists on "exact code", to make your app to start instead of a home screen (after boot or pressing "home" button), you need the following in the manifest:
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.HOME"/>
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
After install, press "home" button - you will be given a choice of standard launcher or your app. Check "use as default" and select your app - from now on it will start instead of the normal home screen.
Beware, though, that there are few known issues with custom launchers. One is - you have to block access to settings, otherwise user can switch back to default launcher. Also, after your app is updated (i.e. you post new version) user will be asked what home screen to use and can choose default launcher.
I must stress out, it is important that this app never exits This I believe is not possible.
From your requirement it seems that you require a MDM solution. Upwards of Android 2.2 device administration APIs have been available. Check out http://developer.android.com/guide/topics/admin/device-admin.html
The user will have to install your app and allow it to be a Device Administrator. (You can see currently available administrators from Setting -> Location and Security -> Device Administrator). Now as an administrator you can control features on device eg. disallow apps to be uninstalled, prevent installation of specific apps, disallow launch of specific apps. wipe device if security is breached etc. You can also prevent your app from being uninstalled.
There are apps available with such features. I can name Maas360 off the top of my head.
Disclaimer: I haven't tried the device administration apis myself.
I have an Android AIR application (developed with Flex SDK 4.5.1) for which I need to block the Home Button, as the app is used by patients in a hospital without supervision, i.e. it is crucial that they cannot leave the app.
It seems that the only way to hijack the Home Button is to be registered as the default launcher, so that your own app gets the focus when home is pressed. This is easily achieved in the manifest, such as:
<activity android:excludeFromRecents="false">
<intent-filter>
<category android:name="android.intent.category.DEFAULT"/>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
<category android:name="android.intent.category.HOME"/>
</intent-filter>
</activity>
Now the problem is: If I do quit the application, the original launcher should be made available to the user and I think the solution would be to just start the original launcher, but how should I do that? The original Android-way of "intents" is not available in AIR and the navigatetoURL() function seems to work only for special URIs, e.g. "market://.." launches the default market app, however, I need to execute an arbitrary application...
Edit: I am referring to a mobile Android App running in this case on an Archos tablet, but it could run on any Android device with AIR installed, such as a typical mobile phone like the HTC desire. With "home button" I am referring to the respective hardware button that allows the user to switch applications (or, to be more exact, to switch to a launcher app that typically shows all the apps as icons to tap on). This "home button" functionality I need to block, as the user should not be able to easily switch to another application.
This is probably a less useful answer but disabling device buttons sounds like something that should be handled at the OS layer and not at the Application layer. Might want to have a custom build of Android for this purpose.