Fix: exported component access should be restricted with appropriate permissions #73
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
AsimRibo
approved these changes
Jul 16, 2024
KCeh
deleted the
fix/Exported-component-access-should-be-restricted-with-appropriate-permissions
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
📄 Context
Sonar reported issue
This PR fixes that issue.
Feel free to add an additional review(s)
📝 Changes
Since Sentinel activity is marked as
android:exported="true"other apps can start that activity. And that is good, this is one of the ideas for Sentinel. Sonar finds this potential security issue because we don't define a mechanism by which apps that can open Sentinel should be "restricted".To improve upon this I added custom permission that has
protectionLevelsignature. Meaning: only apps that are signed with the same certificate as Sentinel will be able to start Sentinel. This is perfect for our use case because Sentinel comes with apps.Also, I ran into some compilation issues due to all modules/tools using the same package so I renamed one constant object in the Timber tool. Since this PR is not big I squeezed those changes here.
🛠️ How to test
There's not much here, just try opening Sentinel in one app that uses lib.