medic/cht-android

Fix Implicit Intent Vulnerability

Closed this issue · 4 comments

Describe the bug
We got the following error in Google Play Store:

[Screenshot: Screen Shot 2022-06-09 at 2 07 55 pm]

These links give more info about the error and fixes:

Applications that send broadcasts without specifying the broadcast target may have
these broadcasts intercepted by malicious apps on the same device.

(source: Android_app_vulnerability_classes.pdf)

Additional context
Possibly introduced in this PR.

When testing this issue, make sure these features are working fine:
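
The interception risk quoted in the issue description above, shown as an added example that is not part of the original issue and is not cht-android's code. It contrasts a broadcast sent without a target with one pinned to the sending app; the class name, action string, extra key and permission name are hypothetical.

```java
// Added example: all names below are hypothetical, not taken from cht-android.
package org.example.intents;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

public final class SyncStatusBroadcaster {
    // Hypothetical action string used only for this illustration.
    static final String ACTION_SYNC_DONE = "org.example.intents.SYNC_DONE";
    // Hypothetical permission, assumed to be declared in the manifest with
    // android:protectionLevel="signature".
    static final String PERM_INTERNAL = "org.example.intents.permission.INTERNAL";

    // Before: implicit broadcast. No package or component is set, so any app
    // on the device that registers for ACTION_SYNC_DONE receives the extras.
    static void notifyImplicit(Context ctx, String userId) {
        Intent intent = new Intent(ACTION_SYNC_DONE);
        intent.putExtra("user_id", userId);
        ctx.sendBroadcast(intent);
    }

    // After: the target is pinned to this app's own package, so the system
    // delivers the broadcast only to receivers belonging to this app.
    static void notifyExplicit(Context ctx, String userId) {
        Intent intent = new Intent(ACTION_SYNC_DONE);
        intent.setPackage(ctx.getPackageName());
        intent.putExtra("user_id", userId);
        ctx.sendBroadcast(intent);
    }

    // Receiving side: keep the receiver unexported so other apps cannot feed
    // it forged ACTION_SYNC_DONE broadcasts.
    static void register(Context ctx, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_SYNC_DONE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            ctx.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED);
        } else {
            // Before API 33 there is no export flag for runtime receivers;
            // require senders to hold the signature-level permission instead.
            ctx.registerReceiver(receiver, filter, PERM_INTERNAL, null);
        }
    }
}
```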

This is ready for AT in this PR, please consider testing the issues mentioned here.

We can't replicate, in our local environment, the same "Implicit Intent Vulnerability" error from the Play Store. The lint and the static check tools aren't detecting it; it's a check from the Play Store. Once we ensure this fix didn't badly affect the existing functionality, we're going to release and deploy to the Play Store, wait until it finishes the Play Store's checks, and finally see if the error appears again.

Config: Covid-19
Environment: Local with Docker helper script
cht-core version: master
Platform: Mobile App. APK generated with branch 282-Fix_Implicit_Intent_Vulnerability

Test - Ticket #163

Test scenario:
Tested with four different phones. Removed the internet connection to see the page indicating the error; after it was connected to the internet again, clicked on Retry, and the login page was displayed successfully.

Android 5.1

Phone: Alcatel OneTouch 50560
Android System WebView Version: 95.0.4638.74

Android 9

Phone: Huawei P20 lite
Android System WebView Version: 74.0.3729.136

Android 10

Phone: Samsung Galaxy A01
Android System WebView Version: 101.0.4951.61

Android 11

Phone: Ulefone Note 6
Android System WebView Version: 101.0.4951.41


Test - Ticket #148

Test scenario:
Tested with four different phones. Using the RDT Covid-19 - Provision form, the location and storage disclosures were displayed successfully.

Android 5.1

Phone: Alcatel OneTouch 50560
Android System WebView Version: 95.0.4638.74

No disclosure was displayed for Android 5, everything was accepted during the installation.

Android 9

Phone: Huawei P20 lite
Android System WebView Version: 74.0.3729.136

Android 10

Phone: Samsung Galaxy A01
Android System WebView Version: 101.0.4951.61

Android 11

Phone: Ulefone Note 6
Android System WebView Version: 101.0.4951.41
