From 263592e3dd2cba5769bdede8cc11244de94f4fd9 Mon Sep 17 00:00:00 2001
From: Arc Wang <arcwang@google.com>
Date: Thu, 6 Jan 2022 10:58:58 +0800
Subject: [PATCH] Prevent side channel package installation enumeration

From Android 11, apps need the permission QUERY_ALL_PACKAGES
to probe existence of arbitrary installed packages.

However, an Activity which declares android:scheme="package
in intent-filter may be vulnerable and attacker app can
use it to probe installed packages.

This change add permission QUERY_ALL_PACKAGES to protect
vulnerable Activity.

Bug: 185477439
Test: Install POC and check if it can probe installed packages
      by each vulnerable Activity.
Change-Id: I521545436102f72f2e0c5053e30fd03bd6bc756f
---
 AndroidManifest.xml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 4d3b6d0e3f9..1f9c9086c48 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -1451,7 +1451,8 @@
         <activity
             android:name=".datausage.AppDataUsageActivity"
             android:exported="true"
-            android:noHistory="true">
+            android:noHistory="true"
+            android:permission="android.permission.QUERY_ALL_PACKAGES">
             <intent-filter android:priority="1">
                 <action android:name="android.settings.IGNORE_BACKGROUND_DATA_RESTRICTIONS_SETTINGS" />
                 <category android:name="android.intent.category.DEFAULT" />
@@ -1521,6 +1522,7 @@
         <activity-alias android:name=".applications.InstalledAppDetails"
                 android:label="@string/application_info_label"
                 android:exported="true"
+                android:permission="android.permission.QUERY_ALL_PACKAGES"
                 android:targetActivity=".applications.InstalledAppDetailsTop">
             <intent-filter android:priority="1">
                 <action android:name="android.settings.APPLICATION_DETAILS_SETTINGS" />
@@ -1534,7 +1536,8 @@
 
         <activity android:name=".applications.InstalledAppOpenByDefaultActivity"
                   android:label="@string/application_info_label"
-                  android:exported="true">
+                  android:exported="true"
+                  android:permission="android.permission.QUERY_ALL_PACKAGES">
             <intent-filter android:priority="1">
                 <action android:name="android.settings.APP_OPEN_BY_DEFAULT_SETTINGS" />
                 <!-- Also catch legacy "com." prefixed action. -->
@@ -1893,7 +1896,8 @@
         <activity
             android:name="Settings$AppUsageAccessSettingsActivity"
             android:exported="true"
-            android:label="@string/usage_access_title">
+            android:label="@string/usage_access_title"
+            android:permission="android.permission.QUERY_ALL_PACKAGES">
             <intent-filter>
                 <action android:name="android.settings.USAGE_ACCESS_SETTINGS"/>
                 <category android:name="android.intent.category.DEFAULT"/>