| commit | 38a58371a03fe310eefbcc68234c45a2e44ea3e9 | [log] [tgz] |
|---|---|---|
| author | Tadashi G. Takaoka <takaoka@google.com> | Wed Jul 19 14:05:02 2017 +0900 |
| committer | Tadashi G. Takaoka <takaoka@google.com> | Tue Jul 25 19:17:57 2017 +0900 |
| tree | dc39c203e93e707bb58ae01873214c3e438eb5e3 | |
| parent | 7edaa60315e150f5f4833e5e2fb7507c665d5419 [diff] |
Remove SHOW_INPUT_METHOD_PICKER receiver Although there is a security check for IMM#showInputMethodPicker() [1], any background application can virtually call the method via explicit broadcast intent to Settings app. Since showing IME picker from the notification has implemented in InputMethodManagerService using protected-broadcast [2], the receiver in Settings app isn't necessary and should be removed to close the security bypass. Note that this broadcast receiver stops working from Android-O due to background check [3]. [1]: I4f0fc21268200c64d12b31ca54416acfbf62f37b [2]: Id36c8c34159bea8b72557b40bcf024d401f580b6 [3]: https://developer.android.com/preview/features/background.html#broadcasts Test: The following broadcast intent will not show IME picker. $ adb shell am broadcast \ -a android.settings.SHOW_INPUT_METHOD_PICKER \ com.android.settings Fixes: 64008672 Bug: 63644555 Change-Id: Id990c66516c9b3ed7ada6891746ec0e0eecbe545