Prevent side channel package installation enumeration

From Android 11, apps need the permission QUERY_ALL_PACKAGES
to probe the existence of arbitrary installed packages.

However, an Activity which declares android:scheme="package"
in its intent-filter may be vulnerable, and an attacker app can
use it to probe installed packages.

This change adds the permission QUERY_ALL_PACKAGES to protect
the vulnerable Activity.

Bug: 185477439
Test: Install POC and check if it can probe installed packages
      by each vulnerable Activity.
Change-Id: I521545436102f72f2e0c5053e30fd03bd6bc756f
Arc Wang
2022-01-06 10:58:58 +08:00
parent fd7153ed39
commit 263592e3dd

@@ -1451,7 +1451,8 @@
<activity
android:name=".datausage.AppDataUsageActivity"
android:exported="true"
android:noHistory="true">
android:noHistory="true"
android:permission="android.permission.QUERY_ALL_PACKAGES">
<intent-filter android:priority="1">
<action android:name="android.settings.IGNORE_BACKGROUND_DATA_RESTRICTIONS_SETTINGS" />
<category android:name="android.intent.category.DEFAULT" />
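Review bot: android:permission on this activity is enforced for every caller of the exported component, so an app that sends IGNORE_BACKGROUND_DATA_RESTRICTIONS_SETTINGS for its own package without holding QUERY_ALL_PACKAGES will now fail to start it with a SecurityException. If that self-targeting case has to keep working, consider leaving the component open and checking inside AppDataUsageActivity that the package named in the data URI is the calling package, finishing the same way whether or not the named package is installed.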
@@ -1521,6 +1522,7 @@
<activity-alias android:name=".applications.InstalledAppDetails"
android:label="@string/application_info_label"
android:exported="true"
android:permission="android.permission.QUERY_ALL_PACKAGES"
android:targetActivity=".applications.InstalledAppDetailsTop">
<intent-filter android:priority="1">
<action android:name="android.settings.APPLICATION_DETAILS_SETTINGS" />
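Review bot: the permission is added to the activity-alias only, and the hunk does not show whether the targetActivity .applications.InstalledAppDetailsTop is itself exported or has other aliases pointing at it. Please confirm that the target and any sibling alias are either not exported or carry the same android:permission, otherwise the guard on .applications.InstalledAppDetails does not cover every entry point to the same screen.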
@@ -1534,7 +1536,8 @@
<activity android:name=".applications.InstalledAppOpenByDefaultActivity"
android:label="@string/application_info_label"
android:exported="true">
android:exported="true"
android:permission="android.permission.QUERY_ALL_PACKAGES">
<intent-filter android:priority="1">
<action android:name="android.settings.APP_OPEN_BY_DEFAULT_SETTINGS" />
<!-- Also catch legacy "com." prefixed action. -->
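Review bot: nothing in the manifest explains why android:permission="android.permission.QUERY_ALL_PACKAGES" sits on this activity, so a later cleanup could drop it as unrelated to an open-by-default settings page. Add a short XML comment next to the attribute, in the style of the existing "Also catch legacy" comment, that names the package-existence side channel and Bug: 185477439. The same applies to the other three components touched by this change.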
@@ -1893,7 +1896,8 @@
<activity
android:name="Settings$AppUsageAccessSettingsActivity"
android:exported="true"
android:label="@string/usage_access_title">
android:label="@string/usage_access_title"
android:permission="android.permission.QUERY_ALL_PACKAGES">
<intent-filter>
<action android:name="android.settings.USAGE_ACCESS_SETTINGS"/>
<category android:name="android.intent.category.DEFAULT"/>
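Review bot: the intent-filter visible under this activity declares only the USAGE_ACCESS_SETTINGS action and the DEFAULT category, with no data element, yet the new android:permission applies to the whole component and therefore to this filter as well. If only a package-scheme filter elsewhere in the activity is the leak, callers that open the general usage-access page without QUERY_ALL_PACKAGES are blocked as a side effect. Consider moving the package-scheme filter to a separate alias that carries the permission, and extend the Test: line to cover a launch with no data URI.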