Assigned

Bug

Status Update

No update yet.

Description

xa...@gtempaccount.com

created issue #1

Apr 6, 2023 11:53AM

Component used: androidx.browser:browser

Version used: 1.5.0

Devices/Android versions reproduced on: Samsung A10 - Android 11. Although I suspect this is not a device-specific issue.

Description of the problem:

The androidx Browser package doesn't do a lot of error handling when launching Intents. We're seeing some SecurityExceptions in our app that occur when the Firebase in-app messaging library launches a web URL Intent. That library uses the androidx Browser package (Source). After some research, I've found that the problem can be observed when the following conditions are met:

A device has 2 apps installed.
- App Consumer. This is the 'victim', this app is the one that uses the androidx Browser package to open a website.
- App Buggy. This is the troublemaker. This app declares at least 2 Activities that can handle web URL intents. See below.
The device has no other Activities that can handle web URL Intents (this can be done by uninstalling all browser apps and disabling any system browser app).

If all the above happens, then when the Consumer app tries to navigate to any website using Custom Tabs, a SecurityException will be thrown. There may be other ways of reproducing, but I was only able to reproduce it with the above set up.

Code

The relevant code snippet of the Buggy app is this:

<activity
    android:name=".NonExportedActivity"
    android:exported="false" <----- *Not* exported
    android:label="@string/app_name">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="http" />
        <data android:scheme="https" />
    </intent-filter>
</activity>
<activity
    android:name=".ExportedActivity"
    android:exported="true" <----- Exported
    android:label="@string/app_name">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="http" />
        <data android:scheme="https" />
    </intent-filter>
</activity>

As I mentioned earlier this crash was first observed in the Firebase in-app messaging library, but I was able to reproduce it using 2 sample apps (see attached), that's why I'm reporting the issue here.

Stacktrace

FATAL EXCEPTION: main
Process: com.example.bugreportconsumerapp, PID: 2217
java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.VIEW dat=https://google.com/... cmp=com.example.bugreportunexportedwebbrowseractivity/.NonExportedActivity (has extras) } from ProcessRecord{f1b73b7 2217:com.example.bugreportconsumerapp/u0a1027} (pid=2217, uid=11027) not exported from uid 11026
	at android.os.Parcel.createExceptionOrNull(Parcel.java:2385)
	at android.os.Parcel.createException(Parcel.java:2369)
	at android.os.Parcel.readException(Parcel.java:2352)
	at android.os.Parcel.readException(Parcel.java:2294)
	at android.app.IActivityTaskManager$Stub$Proxy.startActivity(IActivityTaskManager.java:4276)
	at android.app.Instrumentation.execStartActivity(Instrumentation.java:1723)
	at android.app.Activity.startActivityForResult(Activity.java:5377)
	at android.app.Activity.startActivityForResult(Activity.java:5335)
	at android.app.Activity.startActivity(Activity.java:5721)
	at androidx.core.content.ContextCompat.startActivity(ContextCompat.java:251)
	at androidx.browser.customtabs.CustomTabsIntent.launchUrl(CustomTabsIntent.java:483)
	at com.example.bugreportconsumerapp.DemoActivity.onCreate$lambda$0(DemoActivity.kt:17)
	at com.example.bugreportconsumerapp.DemoActivity.$r8$lambda$P8-hzZy7zrZ2U62dZ34rQQE7apk(Unknown Source:0)
	at com.example.bugreportconsumerapp.DemoActivity$$ExternalSyntheticLambda0.onClick(Unknown Source:2)
	at android.view.View.performClick(View.java:8160)
	at android.widget.TextView.performClick(TextView.java:16222)
	at android.view.View.performClickInternal(View.java:8137)
	at android.view.View.access$3700(View.java:888)
	at android.view.View$PerformClick.run(View.java:30236)
	at android.os.Handler.handleCallback(Handler.java:938)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:246)
	at android.app.ActivityThread.main(ActivityThread.java:8625)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:602)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1130)
Caused by: android.os.RemoteException: Remote stack trace:
	at com.android.server.wm.ActivityStackSupervisor.checkStartAnyActivityPermission(ActivityStackSupervisor.java:1338)
	at com.android.server.wm.ActivityStarter.executeRequest(ActivityStarter.java:1263)
	at com.android.server.wm.ActivityStarter.execute(ActivityStarter.java:897)
	at com.android.server.wm.ActivityTaskManagerService.startActivityAsUser(ActivityTaskManagerService.java:1721)
	at com.android.server.wm.ActivityTaskManagerService.startActivityAsUser(ActivityTaskManagerService.java:1571)

Thanks in advance!

BugReportConsumerApp.zip

73 KB

Download

BugReportUnexportedWebBrowserActivity.zip

74 KB

Download

Comments

xa...@gtempaccount.com <xa...@gtempaccount.com> #2Apr 6, 2023 12:05PM

Issue with notification access code in core. Unclear where, but probably safe to assume NotificationCompat.

pe...@google.com <pe...@google.com> #3Apr 24, 2023 10:36AM

Note that this is a lint error and can be suppressed or lowered to warning-level on the client side. Lowering back to P2.

xa...@gtempaccount.com <xa...@gtempaccount.com> #4Apr 24, 2023 12:05PM

To find cause of issue, update
androidx/platform/frameworks/support/+/androidx-main:buildSrc/public/src/main/kotlin/androidx/build/SupportConfig.kt;l=50 to 33 and then run ./gradlew :core:core:lintDebug

pe...@google.com <pe...@google.com> #5Jul 12, 2024 12:57PM

It's at

frameworks/support/core/core/src/main/java/androidx/core/app/NotificationManagerCompat.java:223: Error: When targeting Android 13 or higher, posting a permission requires holding the POST_NOTIFICATIONS permission [NotificationPermission]
            mNotificationManager.notify(tag, id, notification);
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Explanation for issues of type "NotificationPermission":
   When targeting Android 13 and higher, posting permissions requires holding
   the runtime permission android.permission.POST_NOTIFICATIONS.

IssueTracker

SecurityException not handled when starting intents (when exported and non exported Activities exist)

Status Update

Description

Description of the problem:

Code

Stacktrace

Comments

xa...@gtempaccount.com <xa...@gtempaccount.com> #2Apr 6, 2023 12:05PM

pe...@google.com <pe...@google.com> #3Apr 24, 2023 10:36AM

xa...@gtempaccount.com <xa...@gtempaccount.com> #4Apr 24, 2023 12:05PM

pe...@google.com <pe...@google.com> #5Jul 12, 2024 12:57PM

Issue 277060963

Description

Description of the problem:

Code

Stacktrace

Issue summary

Comments

xa...@gtempaccount.com <xa...@gtempaccount.com> #2Apr 6, 2023 12:05PM

pe...@google.com <pe...@google.com> #3Apr 24, 2023 10:36AM

xa...@gtempaccount.com <xa...@gtempaccount.com> #4Apr 24, 2023 12:05PM

pe...@google.com <pe...@google.com> #5Jul 12, 2024 12:57PM

Add comment

Issue metadata