  1. Qt
  2. QTBUG-82546

Security issue (Ministro) w Intent Spoofing


Details

    • Bug
    • Resolution: Unresolved
    • P2: Important
    • None
    • 5.13.2
    • QPA
    • None
    • Qt 5.13.2, QtC 4.10.2, macOS 10.14.6, Android MinSDK 23, Target SDK 28, Build SDK 29, build WITHOUT Ministro service
    • Android

    Description

      One of my customers has done some security checks with my Android app.

      They found one issue. From the report:

      Intent Spoofing

      It is recommended to apply proper input validation and parameter filtering on intent action.

      _https://www.securecoding.cert.org/confluence/display/android/DRD06.+Do+not+act+on+malicious+intents_

      Technical details:

       

      [TAINT] String 'market://details?id=org.kde.necessitas.ministro'
      ==>>> Sink '['Landroid/content/Intent;', '<init>',
      '(Ljava/lang/String; Landroid/net/Uri;)V', '1', 'IPC_SINK']'
      [[('Lorg/qtproject/qt5/android/bindings/QtActivityLoader$1;',
      'onClick', '(Landroid/content/DialogInterface; I)V'),
      ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String;
      Landroid/net/Uri;)V')]]
      

      Use of a string value market://details?id=org.kde.necessitas.ministro to construct an Intent

      Method org.qtproject.qt5.android.bindings.QtActivityLoader$1.onClick():

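      // Decompiled listing from the scan report; identifiers and the catch type are as the decompiler emitted them.
      public void onClick(android.content.DialogInterface p2, int p3) {
          try {
              // Implicit ACTION_VIEW Intent built from the hard-coded Ministro market URI (the flagged sink).
              this.this$0.m_activity.startActivityForResult(new android.content.Intent("android.intent.action.VIEW", android.net.Uri.parse("market://details?id=org.kde.necessitas.ministro")), 62446);
          } catch (org.qtproject.qt5.android.bindings.QtActivityLoader v2_1) {
              v2_1.printStackTrace();
              this.this$0.ministroNotFound();
          }
          return;
      }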
      

      Method android.content.Intent.<init>() not found.

      ------

       

      Is there a way to avoid this if Ministro is not used?


          People

            taipan BogDan Vatra
            ekkescorner Ekkehard
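
An added example, not part of the report and not Qt's own code: one way to constrain the store Intent that the scanner flags in onClick(), by pinning it to a single handler package and checking that it resolves before launching it. The class StoreIntent, its methods build and open, and the choice of Google Play (com.android.vending) as the only accepted handler are assumptions made for illustration.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import java.util.regex.Pattern;

/** Hypothetical helper; class and method names are illustrative, not from Qt. */
public final class StoreIntent {
    // Assumption: Google Play is the only store handler the app accepts.
    private static final String STORE_PACKAGE = "com.android.vending";
    // Application id: dot-separated identifiers, at least two segments.
    private static final Pattern APP_ID =
            Pattern.compile("[A-Za-z][A-Za-z0-9_]*(\\.[A-Za-z][A-Za-z0-9_]*)+");

    private StoreIntent() {}

    /** Builds a VIEW Intent for the store page of appId, pinned to one handler package. */
    static Intent build(String appId) {
        if (appId == null || !APP_ID.matcher(appId).matches()) {
            throw new IllegalArgumentException("not a valid application id");
        }
        // Yields market://details?id=<appId>, with the id passed as an encoded query parameter.
        Uri uri = new Uri.Builder()
                .scheme("market")
                .authority("details")
                .appendQueryParameter("id", appId)
                .build();
        Intent intent = new Intent(Intent.ACTION_VIEW, uri);
        // Without setPackage() the Intent is implicit: any installed app whose
        // intent filter matches the market scheme may be chosen to receive it.
        intent.setPackage(STORE_PACKAGE);
        return intent;
    }

    /** Returns true if the store page was launched, false if the pinned handler is absent. */
    static boolean open(Activity activity, String appId, int requestCode) {
        Intent intent = build(appId);
        PackageManager pm = activity.getPackageManager();
        if (pm.resolveActivity(intent, PackageManager.MATCH_DEFAULT_ONLY) == null) {
            return false; // caller takes its own "not found" path
        }
        try {
            activity.startActivityForResult(intent, requestCode);
            return true;
        } catch (ActivityNotFoundException e) {
            return false; // handler was removed between the check and the launch
        }
    }
}
```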