Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement permissions on exported component. #48

Open
ernestoA92 opened this issue May 31, 2023 · 4 comments
Open

Implement permissions on exported component. #48

ernestoA92 opened this issue May 31, 2023 · 4 comments
Assignees
@ThexXTURBOXx
Labels
documentation Improvements or additions to documentation question Further information is requested

Comments

@ernestoA92
Copy link

Is your feature request related to a problem? Please describe.

In our application we started using SonarCloud for monitoring and checking our code quality. The first run we got the next security alert/issue:

Title: Implement permissions on this exported component.

Where:

<activity android:name="com.linusu.flutter_web_auth_2.CallbackActivity" android:exported="true">
   <!-- Implement permissions on this exported component. -->
    <intent-filter android:label="app-name">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="scheme" />
    </intent-filter>
</activity>

Description:
Once an Android component has been exported, it can be used by attackers to launch malicious actions and might also give access to other components that are not exported.

As a result, sensitive user data can be stolen, and components can be launched unexpectedly.

For this reason, the following components should be protected:

  • Providers
  • Activities
  • Activity-aliases
  • Services

To do so, it is recommended to either set exported to false, add android:readPermission and android:writePermission attributes, or add a <permission> tag.

References:

Describe the solution you'd like

We did a research on our side and we found that:

We are using oauth2_client | Flutter Package, which uses flutter_web_auth_2 | Flutter Package. The docs says it’s necessary to add the following to the AndroidManifest.xml:

<activity android:name="com.linusu.flutter_web_auth_2.CallbackActivity" android:exported="true">
    <intent-filter android:label="app-name">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="scheme" />
    </intent-filter>
</activity>

This is the cause of the issue, because of android:exported="true". If android:exported="true" is removed the app does not build. Adding android:permission, as suggested by SonarCloud, makes the callback not work without updating the callers of the CallbackActivity.

I dug deep into this but could not find a solution. I think the solution is still to add a tag and then update the callers to start the intent with the permission (according to here under “Securing Activities”). The problem is updating the callers - I was not able to find them. The oauth2_client library uses flutter_web_auth_2, which uses method channels that on Android does intent.launchUrl(context!!, url). I don’t know where the callback activity is called.

This is a Medium severity issue for our app, and it might compromise the data of our customers and the security of our organisation.

Additional context

More info can be found here:
@ernestoA92 ernestoA92 added the enhancement New feature or request label May 31, 2023
@ThexXTURBOXx
Copy link
Owner

Thanks for the detailed report. I will take a look at this during the next few days. I am not quite sure what the best way of handling this is or if it is even a false warning.

@thundering-herd
Copy link

Any updates on this @ThexXTURBOXx ?

@ThexXTURBOXx
Copy link
Owner

Right now I am still unsure about this since I believe it is a false warning. At least I was not able to abuse it in a malicious way.
I believe it is because of the way this has been implemented internally in this package.
"Malicious" data can only be injected if the authenticate function has been called, since otherwise no data will be returned to the app.
If you believe that I am mistaken, please provide me with a MWE that somehow abuses this behavior and I will make sure that it is not possible to abuse this anymore

@ThexXTURBOXx
Copy link
Owner

Another small thing: This should not affect this package itself and would only be an issue about documentation since the package does not need changing.
If you think this issue affects your app, you only need to change your entry in the manifest. In that case, just let me know how you were able to solve it at your end and I will adjust the Readme.

@ThexXTURBOXx ThexXTURBOXx added documentation Improvements or additions to documentation question Further information is requested and removed enhancement New feature or request labels Aug 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ThexXTURBOXx ThexXTURBOXx

Labels
documentation Improvements or additions to documentation question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ThexXTURBOXx @thundering-herd @ernestoA92