/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package android.os.strictmode;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.PendingIntent;
import android.content.Intent;
import android.net.Uri;
import java.util.Objects;
/**
 * Violation raised when your app launches an {@link Intent} which originated
 * from outside your app.
 * <p>
 * Violations may indicate security vulnerabilities in the design of your app,
 * where a malicious app could trick you into granting {@link Uri} permissions
 * or launching unexported components. Here are some typical design patterns
 * that can be used to safely resolve these violations:
 * <ul>
 * <li>The ideal approach is to migrate to using a {@link PendingIntent}, which
 * ensures that your launch is performed using the identity of the original
 * creator, completely avoiding the security issues described above.
 * <li>If using a {@link PendingIntent} isn't feasible, an alternative approach
 * is to create a brand new {@link Intent} and carefully copy only specific
 * values from the original {@link Intent} after careful validation.
 * </ul>
 * <p>
 * Note that this <em>may</em> detect false-positives if your app sends itself
 * an {@link Intent} which is first routed through the OS, such as using
 * {@link Intent#createChooser}. In these cases, careful inspection is required
 * to determine if the return point into your app is appropriately protected
 * with a signature permission or marked as unexported. If the return point is
 * not protected, your app is likely vulnerable to malicious apps.
 */
public final class UnsafeIntentLaunchViolation extends Violation {
    // Declared transient, so the intent is left out when the violation is
    // serialized; getIntent() is @Nullable for that reason.
    private transient Intent mIntent;

    /**
     * Creates a violation whose message is {@code "Launch of unsafe intent: "}
     * followed by the string form of {@code intent}.
     *
     * @param intent the intent whose launch raised this violation
     * @throws NullPointerException if {@code intent} is null
     */
    public UnsafeIntentLaunchViolation(@NonNull Intent intent) {
        // NOTE(review): the default message embeds the intent's string form;
        // confirm that form exposes nothing sensitive wherever violation
        // messages are logged or reported.
        super("Launch of unsafe intent: " + intent);
        // The null check runs after super(...), as a constructor must call
        // super first.
        Objects.requireNonNull(intent);
        this.mIntent = intent;
    }

    /**
     * Creates a violation that carries a caller-supplied message instead of
     * the default one.
     *
     * @param intent the intent whose launch raised this violation
     * @param message the text handed to the superclass constructor
     * @throws NullPointerException if {@code intent} is null
     * @hide
     */
    public UnsafeIntentLaunchViolation(@NonNull Intent intent, @NonNull String message) {
        super(message);
        Objects.requireNonNull(intent);
        this.mIntent = intent;
    }

    /**
     * Return the {@link Intent} which caused this violation to be raised. Note
     * that this value is not available if this violation has been serialized
     * since intents cannot be serialized.
     *
     * @return the offending intent, or {@code null} when it is not available
     */
    @SuppressWarnings("IntentBuilderName")
    public @Nullable Intent getIntent() {
        return this.mIntent;
    }
}