Hi everyone, I am DHL from ByteCode. I focus on sharing original articles about the latest technology, covering Kotlin, Jetpack, algorithm animations, data structures, system source code, LeetCode / Sword Offer / multithreading / algorithm questions from large domestic and foreign companies, and more.

Android 12 is here. Did your app crash? We are already working on Android 12 adaptation, which brings many new features and some behavior changes. Let's take a look at how these behavior changes affect our applications.

In this article you will learn the following:

  • Why must the android:exported attribute be declared explicitly on Android 12?
  • Why must the mutability of a PendingIntent be specified explicitly on Android 12?
  • Why is the default behavior of adb backup restricted on Android 12?
  • How to check an app for security vulnerabilities?

The android:exported attribute

On Android 12, an activity, service, or receiver that contains an <intent-filter> must declare the android:exported attribute explicitly, as shown below.

<activity
    android:name=".TestActivity"
    android:exported="false">
    <intent-filter>
        ......
    </intent-filter>
</activity>

If an activity, service, or receiver containing an <intent-filter> does not declare an explicit android:exported value, your application will not install:

Installation did not succeed.
The application could not be installed: INSTALL_FAILED_VERIFICATION_FAILURE
List of apks:
[0] '... /build/outputs/apk/debug/app-debug.apk'
Installation failed due to: 'null'

If your application does not declare android:exported where it is required, the build reports the error shown below.

Targeting S+ (version 10000 and above) requires that an explicit value for \
android:exported be defined when intent filters are present

If the condition behind the exception above is unclear, the links below explain it. A number of open source projects have already adapted to this behavior, LeakCanary among them; for details, see the following:

  • Update launcher activity attribute to Android 12
  • Declared android:exported explicitly for components with intent-filter. Android 12 requirement

This change in behavior is significant for both library developers and application developers.

Why the android:exported attribute must be declared explicitly on Android 12

The default value of the android:exported attribute depends on whether an <intent-filter> is present: it is true if an <intent-filter> is included, and false otherwise.

  • whenandroid:exported="true"If no processing is done, access from other apps can be accepted
  • whenandroid:exported="false"Is restricted to accepting only from the same App or one with the sameuser IDApp access

Because of this default value of android:exported, the Twicca app had a security issue: another app that itself had no access to the SD card or the network could, via the Twicca app, upload pictures or videos stored on the SD card to the Twicca user's Twitter account.

The code that causes the problem looks like this:

<activity
    android:configChanges="keyboard|keyboardHidden|orientation"
    android:name=".media.yfrog.YfrogUploadDialog"
    android:theme="@style/Vulnerable.Dialog"
    android:windowSoftInputMode="stateAlwaysHidden">
    <intent-filter android:icon="@drawable/yfrog_icon" android:label="@string/YFROG">
        <action android:name="jp.co.vulnerable.ACTION_UPLOAD" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:mimeType="image/*" />
        <data android:mimeType="video/*" />
    </intent-filter>
</activity>

Because of the intent-filter, android:exported defaults to true, which causes the problem above (uploading pictures or videos stored on the SD card to the Twicca user's Twitter account via the Twicca app). There are two solutions:

  • Solution 1: add the android:exported="false" attribute

<activity
    android:exported="false"
    android:configChanges="keyboard|keyboardHidden|orientation"
    android:name=".media.yfrog.YfrogUploadDialog"
    android:theme="@style/VulnerableTheme.Dialog"
    android:windowSoftInputMode="stateAlwaysHidden">
</activity>
  • Solution 2: the Twicca app did not use solution 1; instead it checks whether the caller's package name is the same as its own package name

@Override
public void onCreate(Bundle arg5) {
    super.onCreate(arg5);
    // ...
    // getCallingActivity() is only non-null when the caller used startActivityForResult()
    ComponentName v0 = this.getCallingActivity();
    if (v0 == null) {
        this.finish();
    } else if (!"jp.r246.twicca".equals(v0.getPackageName())) {
        // The caller is not Twicca itself: refuse to handle the request
        this.finish();
    } else {
        this.a = this.getIntent().getData();
        if (this.a == null) {
            this.finish();
        }
        // ...
    }
}

This works because two applications with the same package name cannot be installed on a single device. For more information, see Restrict Access to Sensitive Activities.

This is just one example of the security holes an exported activity can open; in other scenarios they can be exploited to do different things. Service and receiver components have the same kind of security problem.

Specify the mutability of the PendingIntent

On Android 12 you must specify the mutability of every PendingIntent your app creates by setting either PendingIntent.FLAG_IMMUTABLE or PendingIntent.FLAG_MUTABLE. If your application tries to create a PendingIntent object without either mutability flag, the system throws IllegalArgumentException, as shown in the error log below.

PACKAGE_NAME: Targeting S+ (version 10000 and above) requires that one of \
FLAG_IMMUTABLE or FLAG_MUTABLE be specified when creating a PendingIntent.

Strongly consider using FLAG_IMMUTABLE, only use FLAG_MUTABLE if \
some functionality depends on the PendingIntent being mutable, e.g. if \
it needs to be used with inline replies or bubbles.

Why PendingIntent mutability must be specified explicitly on Android 12

Before Android 12, a PendingIntent was mutable by default, so another malicious application could (under certain conditions) intercept, redirect, or modify the Intent.

A PendingIntent is an Intent that can be handed to another application. The application that receives it can perform the action specified in the Intent with the same permissions and identity as the application that created it.

Therefore, you must be careful when creating pending intents. For security reasons, Google requires developers on Android 12 to specify the mutability of each PendingIntent themselves.

For more information about PendingIntent security, check out Always Pass Explicit Intents to a PendingIntent.

adb backup restrictions

Android developers should be familiar with the adb backup command, which can back up application data. In Android 12, to protect private application data, the application's data is excluded from whatever other system data is exported from the device when the user runs adb backup.

If you need adb backup to back up application data during testing and development, you can opt in to exporting the application data by setting android:debuggable to true in the AndroidManifest.

<application android:name=".App" android:debuggable="true" ...... />Copy the code

Note: set android:debuggable back to false before publishing the app.

Why the default behavior of the adb backup command is restricted on Android 12

This is a serious security problem. Google provides the android:allowBackup attribute in the AndroidManifest to offer app data backup and restore. Its default value is true, and when you create an app this attribute is added by default, as shown below.

<application android:name=".App" android:allowBackup="true" ...... />Copy the code

When android:allowBackup="true", users can use the adb backup and adb restore commands to back up and restore the application data: install the same application on another Android phone and run the commands above to restore the user data there.

To be on the safe side, make sure android:allowBackup is set to false in the released APK, which disables the application's backup and restore functionality. The national-level app XX once shipped a version with allowBackup set to true, which other developers took advantage of after reverse engineering it; in the current version the value has been changed to false. Readers who are interested can decompile it and take a look.

How to check App security vulnerabilities

linkedin/QARK is an open source project developed by LinkedIn. The tool is designed to find security-related vulnerabilities in Android applications, in both source code and packaged APKs. Its usage documentation is very clear, so I won't go into details here.

The results of this open source project can serve as a reference. Of course, many companies also spend a lot of money on third-party services to check their apps for security holes.
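The three manifest-level issues discussed in this article (a component with an intent-filter but no explicit android:exported, android:allowBackup left at its default of true, and android:debuggable="true" left in a release build) can be checked with a few lines of XML parsing. The script below is an added example written for this article; it is not part of the original post and not QARK's code. It assumes the component lives directly under <application>, and the sample manifest it scans is constructed here to exhibit each issue once.

```python
"""Minimal AndroidManifest.xml checker for the Android 12 points discussed above."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver")

# Constructed sample manifest (not from any real app) that exhibits every issue once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <application android:name=".App" android:allowBackup="true" android:debuggable="true">
        <!-- intent-filter present, android:exported missing: rejected by Android 12 -->
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <!-- correctly restricted to the app itself -->
        <activity android:name=".TestActivity" android:exported="false">
            <intent-filter>
                <action android:name="com.example.demo.ACTION_TEST" />
            </intent-filter>
        </activity>
        <!-- no intent-filter: defaults to exported=false, nothing to report -->
        <service android:name=".SyncService" />
        <!-- explicitly exported: allowed, but its caller checks deserve a review -->
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

Finding = Tuple[str, str, str]  # (code, target, explanation)


def android_attr(elem: ET.Element, name: str) -> Optional[str]:
    """Return the android:<name> attribute of elem, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_manifest(manifest_xml: str) -> List[Finding]:
    """Scan a manifest for the Android 12 issues discussed in this article."""
    findings: List[Finding] = []
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return [("NO_APPLICATION", "manifest", "no <application> element found")]

    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        target = "%s %s" % (comp.tag, android_attr(comp, "name") or "<unnamed>")
        has_filter = comp.find("intent-filter") is not None
        exported = android_attr(comp, "exported")
        if has_filter and exported is None:
            # Before Android 12 this silently defaulted to true; Android 12 refuses the install.
            findings.append(("EXPORTED_MISSING", target,
                             "has <intent-filter> but no explicit android:exported"))
        elif exported == "true":
            findings.append(("EXPORTED_TRUE", target,
                             "reachable from any app; confirm it validates its caller"))

    # allowBackup defaults to true when omitted, so only an explicit "false" is safe.
    if android_attr(app, "allowBackup") != "false":
        findings.append(("ALLOW_BACKUP", "application",
                         'android:allowBackup is not "false"; adb backup/restore of app data stays enabled'))

    # debuggable="true" re-enables adb backup of app data on Android 12 and must not ship.
    if android_attr(app, "debuggable") == "true":
        findings.append(("DEBUGGABLE", "application",
                         'android:debuggable="true" must be removed before release'))
    return findings


if __name__ == "__main__":
    for code, target, why in check_manifest(SAMPLE_MANIFEST):
        print("%-16s %-26s %s" % (code, target, why))
```

Run against a real project, pass the contents of the merged manifest (build/intermediates/merged_manifests/...) rather than the source manifest, since libraries can contribute components with intent-filters of their own, which is exactly the case the LeakCanary links above deal with.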

These Android 12 behavior changes have one thing in common: security. Google has done a lot of work on security over the years, and there are other behavior changes as well, which you can read about in Behavior changes: Apps targeting Android 12.

References

  • Behavior change: Android 12 targeted apps
  • Update launcher activity attribute to Android 12
  • Declared android:exported explicitly for components with intent-filter. Android 12 requirement
  • confluence


If this helped you, a "like" would be the biggest encouragement.

For more code and more articles, follow the public account ByteCode, where I continue to share the latest technology.
