I have a question with regards to how to remedy intent redirection. I am not extremely well versed in Android, as the solutions offered on the Google Support page doesn't seem to address for flutter applications. I have noted that the question was asked before but wasn't explanatory
I have spent the last couple of days looking for a solution but each attempted solution on the support page fails when I reupload it to the play store. I've also contacted Google Support and they have validated that the vulnerability is still present.
Any help would be greatly appreciated thanks.
Some of the solution I have tried are:
1.
import io.flutter.embedding.android.FlutterActivity
import io.flutter.embedding.engine.FlutterEngine
import android.content.Intent
import android.os.Bundle
import androidx.annotation.RequiresApi
class MainActivity: FlutterActivity() {
#RequiresApi(Build.VERSION_CODES.O)
override fun configureFlutterEngine(#NonNull flutterEngine: FlutterEngine) {
super.configureFlutterEngine(flutterEngine)
if (callingActivity?.packageName.equals("known")) {
// val _intent = intent;
// // extract the nested Intent
// val forward:Intent = _intent.getParcelableExtra("key")
// // redirect the nested Intent
val _intent = intent;
// remove the grant URI permissions in the untrusted Intent
_intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
_intent.removeFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
// extract the nested Intent
var forward :Intent = _intent.getParcelableExtra("Key")!!
startActivity(forward);
}
// startActivity(_intent)
}
}
Setting android:export = false, crashes the app
<activity
android:name=".MainActivity"
android:exported="false"
android:launchMode="singleTop"
android:theme="#style/LaunchTheme"
android:configChanges="orientation|keyboardHidden|keyboard|screenSize|smallestScreenSize|locale|layoutDirection|fontScale|screenLayout|density|uiMode"
android:hardwareAccelerated="true"
android:windowSoftInputMode="adjustResize">
<!-- Specifies an Android theme to apply to this Activity as soon as
the Android process has started. This theme is visible to the user
while the Flutter UI initializes. After that, this theme continues
to determine the Window background behind the Flutter UI. -->
<meta-data
android:name="io.flutter.embedding.android.NormalTheme"
android:resource="#style/NormalTheme"
/>
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
<intent-filter>
<action android:name="RECEIVE_DEFAULT" />
<category android:name="android.intent.category.DEFAULT"/>
</intent-filter>
</activity>
Edit:
I found the solution.
So [after reading carefully about intent vulnerability][1] I understood where my error was. The link above explains clearly on how untrusted intents can be used to exploit your application and access protected files. Google play tests your app bundle for this vulnerability by "intent injection". So removing the read and write flags from the intent helps prevent unauthorised access.
override fun onCreate(savedInstanceState: Bundle?) {
intent?.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
intent?.removeFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION)
super.onCreate(savedInstanceState)
}
This thus makes the intent "safe". I hope this helps everyone who encounters this issue. Happy coding
[1]: What is an Android PendingIntent?
Related
Does anyone have links to sample code that shows how to set up heart sensor data retrieval directly from CanvasWatchFaceService or CanvasWatchFaceService.Engine ?
(Most of the code I've seen thus far perform sensor data retrieval from a wearable's Activity class, but not from a watch face environment.)
I've tried setting things up this way:
private class Engine extends CanvasWatchFaceService.Engine implements SensorEventListener {
...
... // implement interface methods
}
But I keep getting a null object for my sensor.
My manifest contains:
<uses-feature android:name="android.hardware.type.watch" />
<uses-permission android:name="android.permission.BODY_SENSORS" />
Check if you requested android.permission.BODY_SENSORS permission in your both mobile and wearable AndroidManifest.
Also, look into the logcat of your wearable device and grep for android.permission.BODY_SENSORS.
Please tell me how to implement google play service leader board in andengine ?
Is there any tutorial ?
I searches all the questions on google regarding my question but did not find anything useful.
There’s a few things you need to do here.
1) Import BaseGameUtils into your project. You can download it from here
2) Update your build.gradle file dependencies to include it
dependencies {
....
compile project(':BaseGameUtils’)
....
3) Make sure you’ve updated your manifest correctly
<manifest xmlns:android="http://schemas.android.com/apk/res/android”
………
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<application …….
<meta-data
android:name="com.google.android.gms.version"
android:value="#integer/google_play_services_version" />
<meta-data
android:name="com.google.android.gms.games.APP_ID"
android:value="#string/app_id" />
……
4) Modify the name of BaseGameActivity in BaseGameUtils to e.g. GMSBaseGameActivity and make it extend SimpleBaseGameActivity or BaseGameActivity (whichever you’re using). Then update your main activity to extend GMSBaseGameActivity (overriding onSignInFailed and onSignInSucceeded).
Now you’re app should automatically connect when it starts.
Use getGameHelper().isSignedIn() to query if the user is signed in.
Use startActivityForResult(Games.Leaderboards.getLeaderboardIntent(getGameHelper().getApiClient(), getResources().getString(R.string.your_leaderboard_id)), 0); to display the leaderboard
Use Games.Leaderboards.submitScore(getGameHelper().getApiClient(), getResources().getString(R.string.your_leaderboard_id), this_is_the_score_submitted); to submit a score.
Background
I am developing a Cordova app that must run as a service, i.e. continue in the background and restart when the device does. As far as I can tell, on iOS it is just a case of setting the UIBackgroundModes correctly but on Android requires a little more effort and the service needs to be explicitly started.
I have developed a plugin for Android based on Mark Taylor's example here.
At present I have some JS called on deviceready to start the Android code but don't need to do anything for iOS.
Question
How should I package my plugin so that it will work on all platforms with zero config. It seems clunky to write if (Device.type == 'android') statements in my main JS but I don't really want to write native null implementations.
Is there a suggested approach for this?
Figured it out using the <js-module> tag described here.
Added this to my plugin.xml:
<platform name='android'>
...
<js-module src="androidSpecificStuff.js" name="SomeModule">
<clobbers target="SomeModule" />
</js-module>
...
</platform>
Then in androidSpecificStuff.js had code like:
document.addEventListener('deviceready', function () {
// do android-specific initialisation here
})
I would like to know if it is possible to identify whether a device is capable of Touch/Gesture Events or not in GWT?
Devices like iPhone supports Multi-Touch Events to a huge extent. Similarly Google Chrome in Desktop also supports TouchEvents. And at present, Windows 8 has been designed with an IE that is responding to TouchEvents.
I am working on an Application where i want to restrict certain features to only Touch/Gesture Capable Devices! Any Solution, please help?
I don't think there's any other way than UA sniffing.
GWT currently does not provide such utility.
Also, till gwt provides us a direct utlity api, it would make sense to write jsni over existing javascript techniques like these stackoverflow.com/questions/4817029/whats-the-best-way-to-detect-a-touch-screen-device-using-javascript .
For windows 8 the msdn document to refer is http://blogs.msdn.com/b/ie/archive/2011/09/20/touch-input-for-ie10-and-metro-style-apps.aspx
I did this with User Agent Check in Deferred Binding. I created a white list so that more devices can be added later.
Here is the Code,
<!-- Definitions for mobile -->
<define-property name="mobile.user.agent" values="android, ios, not_mobile" />
<property-provider name="mobile.user.agent"><![CDATA[
{
var ua = window.navigator.userAgent.toLowerCase();
if (ua.indexOf("android") != -1) { return "android"; }
if (ua.indexOf("iphone") != -1) { return "ios"; }
if (ua.indexOf("ipad") != -1) { return "ios"; }
return 'not_mobile';
}
]]></property-provider>
<!-- Constrain the value for non-webkit browsers -->
<set-property name="mobile.user.agent" value="not_mobile" >
<none> <!-- Actually means NOR, in this case "not safari" -->
<when-property-is name="user.agent" value="safari" />
</none>
</set-property>
Then i defined my classes using the replace-with property in my Module file. Here for example, i have replaced flash player with HTML5 videos for devices like iPad.
<replace-with class="com.example.HTML5Player">
<when-type-is class="com.example.FlashPlayer" />
<any>
<when-property-is name="mobile.user.agent" value="android" />
<when-property-is name="mobile.user.agent" value="ios" />
</any>
</replace-with>
Connecting to http://www.manage-us.com on an iPad under 3G [used to] result in a JavaScript error which can be seen if the developer console has been enabled. If the same page is accessed using the same iPad under a WiFi connection no error is displayed. [The error has now gone because I applied the fix below!].
Why is this?
I've tried simulating low bandwidth (using dummynet) on Safari on Mac and on the iPad simulator on Mac. This does not reproduce the problem.
I am currently suspecting this is a problem being introduced by my mobile operator in the UK (O2) which is known to modify some content through a proxy cache such as downgrading image files. If you can confirm that you don't experience this problem when connecting by 3G on iPad or iPhone through another mobile operator that would be helpful.
I've investigated this further and discovered that the problem is that the UK mobile operator O2 (the original exclusive iPhone operator for Apple), modifies web content before sending it to iPhones and iPads. Probably before sending it to any device running a mobile browser.
They non-deterministically inline some of the CSS and JavaScript into the main source files of the web pages. This can create errors either because of mistakes in their algorithm or the consequence of stripping white space from source files with syntactic mistakes in the source files which were otherwise benign.
These modifications also strip copyright messages from copyrighted javascript libraries and css libraries and play havoc with delivery optimisations.
For example, imagine if a user is visiting a sequence of pages on your site which all link to jQuery libraries. Instead of letting your mobile browser locally cache the library, O2 inline the library on every page, forcing your phone to load the entire library over and over again for every page.
I've written a blog about the issue here in the hope if drawing a bit more attention to this: http://stuartroebuck.blogspot.com/2010/07/mobile-proxy-cache-content-modification.html
My workaround is to use document.write() to insert the JavaScript library dependencies at load time and prevent O2 from inlining them. This seems to work quite well. e.g.:
<script type="text/javascript">
// <![CDATA[
// Using document.write to load JavaScript dependencies to bypass O2 network inlining of JavaScript.
function loadJS(file){document.write("<" + "script type='text/javascript' src='" + file + "'></" + "script>")}
loadJS("/js/jquery-1.4.2.min.js");
loadJS("/js/myJSLibrary.js");
// ]]>
</script>
Note that, as ever, document.write will not work if the page is served as XHTML.
For anyone needing a solution to this in ASP.NET, this sets the Cache-Control header as per http://stuartroebuck.blogspot.com/2010/08/official-way-to-bypassing-data.html for javascript files using URL Rewrite Module 2.0 http://learn.iis.net/page.aspx/665/url-rewrite-module-20-configuration-reference.
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Compression header" preCondition="Match JS Files">
<match serverVariable="RESPONSE_Cache-Control" pattern="(.*)" />
<action type="Rewrite" value="no-transform" />
</rule>
<preConditions>
<preCondition name="Match JS Files">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="(javascript)$" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
Alternatively can be done using a HttpModule
public class AddHeaderModule : IHttpModule
{
public void Init(HttpApplication context)
{
context.EndRequest += OnEndRequest;
}
void OnEndRequest(object sender, System.EventArgs e)
{
if(HttpContext.Current.Response.ContentType.Contains("javascript"))
HttpContext.Current.Response.Headers.AddHeader("Cache-Control", "no-transform");
}
}
and
<configuration>
<system.web>
<httpModules>
<add name="AddHeaderModule" type="your.namespace.AddHeaderModule" />
</httpModules>
</system.web>
</configuration>