Prevent side channel package installation enumeration
From Android 11, apps need the permission QUERY_ALL_PACKAGES
to probe existence of arbitrary installed packages.
However, an Activity which declares android:scheme="package"
in its intent-filter may be vulnerable, and an attacker app can
use it to probe installed packages.
This change adds the permission QUERY_ALL_PACKAGES to protect
each vulnerable Activity.
Bug: 185477439
Test: Install POC and check if it can probe installed packages
by each vulnerable Activity.
Change-Id: I521545436102f72f2e0c5053e30fd03bd6bc756f
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 4d3b6d0..1f9c908 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -1451,7 +1451,8 @@
<activity
android:name=".datausage.AppDataUsageActivity"
android:exported="true"
- android:noHistory="true">
+ android:noHistory="true"
+ android:permission="android.permission.QUERY_ALL_PACKAGES">
<intent-filter android:priority="1">
<action android:name="android.settings.IGNORE_BACKGROUND_DATA_RESTRICTIONS_SETTINGS" />
<category android:name="android.intent.category.DEFAULT" />
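Review bot: `android:permission` on the `<activity>` gates every launch of `.datausage.AppDataUsageActivity`, not only launches that carry a `package:` URI for some other app. A caller without QUERY_ALL_PACKAGES can therefore no longer open this screen even for its own package, or for a package it can already see through a `<queries>` declaration. The same applies to the components changed in the hunks at -1521, -1534 and -1893, whose `android.settings.*` actions are public Settings intents. A narrower fix would be a check inside each activity that resolves the `package:` target against the caller's package visibility and behaves identically for "not installed" and "not visible"; the activity code is outside this diff, so that needs confirming. If the manifest gate stays, a comment such as `<!-- Requires QUERY_ALL_PACKAGES: a package: data URI would otherwise reveal whether a package is installed -->` above each new attribute would record the reason.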
@@ -1521,6 +1522,7 @@
<activity-alias android:name=".applications.InstalledAppDetails"
android:label="@string/application_info_label"
android:exported="true"
+ android:permission="android.permission.QUERY_ALL_PACKAGES"
android:targetActivity=".applications.InstalledAppDetailsTop">
<intent-filter android:priority="1">
<action android:name="android.settings.APPLICATION_DETAILS_SETTINGS" />
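Review bot: The permission added here covers only launches that go through the `.applications.InstalledAppDetails` alias; the declaration of its target `.applications.InstalledAppDetailsTop` is outside the hunk. If that target, or another alias pointing at it, is exported without a permission, the package-existence side channel described in the commit message stays reachable through that component. Please confirm the target is `android:exported="false"` or carries `android:permission="android.permission.QUERY_ALL_PACKAGES"` as well. The alias element continues past the end of the hunk.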
@@ -1534,7 +1536,8 @@
<activity android:name=".applications.InstalledAppOpenByDefaultActivity"
android:label="@string/application_info_label"
- android:exported="true">
+ android:exported="true"
+ android:permission="android.permission.QUERY_ALL_PACKAGES">
<intent-filter android:priority="1">
<action android:name="android.settings.APP_OPEN_BY_DEFAULT_SETTINGS" />
<!-- Also catch legacy "com." prefixed action. -->
@@ -1893,7 +1896,8 @@
<activity
android:name="Settings$AppUsageAccessSettingsActivity"
android:exported="true"
- android:label="@string/usage_access_title">
+ android:label="@string/usage_access_title"
+ android:permission="android.permission.QUERY_ALL_PACKAGES">
<intent-filter>
<action android:name="android.settings.USAGE_ACCESS_SETTINGS"/>
<category android:name="android.intent.category.DEFAULT"/>
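Review bot: The intent-filter visible at the end of this hunk matches `android.settings.USAGE_ACCESS_SETTINGS` with only the DEFAULT category, and no `<data android:scheme="package"/>` appears in it before the hunk ends. Because the permission sits on the whole `Settings$AppUsageAccessSettingsActivity` component, it presumably also blocks this data-less form of the action, which names no package and so cannot reveal whether one is installed. If that is not intended, the check would need to live in the activity and apply only when the intent carries a `package:` URI. Otherwise a manifest comment such as `<!-- Blocks the data-less USAGE_ACCESS_SETTINGS launch too; see Bug 185477439 -->` would make the trade-off explicit.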