Log creation of mutable implicit PendingIntent

Starting from target SDK U, we want to block creation of mutable
PendingIntents with implicit Intents because attackers can mutate the
Intent object within and launch altered behavior on behalf of victim
apps. For more details on the vulnerability, see go/pendingintent-rca.
This change is planned to be part of the Safer Intents and Components
feature b/229362273.
Since the change is small, we're seeking buy-in and
code review; let me know if there are concerns with the feature.

Details:
- Apps can still retrieve existing mutable implicit PendingIntents if
they pass FLAG_NO_CREATE.
- The check happens on the client side with Log.wtfStack() to aid with
migrating to safer PendingIntents across the platform/apps. We plan to
move the block to ActivityManagerService for future Westworld logging
b/262253127.
- We also Log.w() in the client if the app doesn't target U to prepare
for it.

Bug: 236704164
Bug: 229362273
Test: atest PendingIntentTest
Change-Id: Ib235e7ee9709e7b6577c1d2a0e06a136670b4870
1 file changed
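
The pattern this change logs, next to two ways an app can migrate away from it, as an added example that is not code from this commit. `ReminderIntents`, `ReminderReceiver` and the action string are hypothetical names chosen for illustration; only the `PendingIntent` and `Intent` framework calls are real APIs.

```java
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

/** Added illustration; every name in this class is hypothetical. */
public final class ReminderIntents {
    static final String ACTION_REMIND = "com.example.app.action.REMIND"; // constructed value
    private static final int REQUEST_CODE = 0;

    private ReminderIntents() {}

    /** Hypothetical receiver, present only so the explicit Intent has a target. */
    public static final class ReminderReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) { /* handle reminder */ }
    }

    // Logged pattern: implicit Intent (no target component) plus FLAG_MUTABLE.
    // Any holder of this PendingIntent can mutate the Intent inside it, and the
    // resulting send is performed on behalf of this app.
    static PendingIntent mutableImplicit(Context ctx) {
        Intent implicit = new Intent(ACTION_REMIND);
        return PendingIntent.getBroadcast(ctx, REQUEST_CODE, implicit,
                PendingIntent.FLAG_MUTABLE);
    }

    // Migration 1: nothing has to be filled in later, so freeze the Intent.
    static PendingIntent immutable(Context ctx) {
        Intent implicit = new Intent(ACTION_REMIND);
        return PendingIntent.getBroadcast(ctx, REQUEST_CODE, implicit,
                PendingIntent.FLAG_IMMUTABLE);
    }

    // Migration 2: mutability is genuinely needed, so pin the target component.
    static PendingIntent mutableExplicit(Context ctx) {
        Intent explicit = new Intent(ctx, ReminderReceiver.class).setAction(ACTION_REMIND);
        return PendingIntent.getBroadcast(ctx, REQUEST_CODE, explicit,
                PendingIntent.FLAG_MUTABLE);
    }

    // Lookup only: FLAG_NO_CREATE returns an existing PendingIntent or null and
    // never creates one, which is the case the commit message says stays allowed.
    static PendingIntent existingOrNull(Context ctx) {
        Intent implicit = new Intent(ACTION_REMIND);
        return PendingIntent.getBroadcast(ctx, REQUEST_CODE, implicit,
                PendingIntent.FLAG_MUTABLE | PendingIntent.FLAG_NO_CREATE);
    }
}
```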