Details
-
Bug
-
Resolution: Unresolved
-
P2: Important
-
None
-
5.13.2
-
None
-
Qt 5.13.2, QtC 4.10.2, macOS 10.14.6, Android MinSDK 23, Target SDK 28, Build SDK 29, build WITHOUT Ministro service
Description
one of my customers has done some security checks with my android app.
they found one issue. from the report:
Intent Spoofing
It is recommended to apply proper input validation and parameter filtering on intent action.
_https://www.securecoding.cert.org/confluence/display/android/DRD06.+Do+not+act+on+malicious+intents_
Technical details:
[TAINT] String 'market://details?id=org.kde.necessitas.ministro' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V', '1', 'IPC_SINK']' [[('Lorg/qtproject/qt5/android/bindings/QtActivityLoader$1;', 'onClick', '(Landroid/content/DialogInterface; I)V'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V')]]
Use of a string value market://details?id=org.kde.necessitas.ministro to construct an Intent
Method org.qtproject.qt5.android.bindings.QtActivityLoader$1.onClick():
public void onClick(android.content.DialogInterface p2, int p3) { try { this.this$0.m_activity.startActivityForResult(new android.content.Intent("android.intent.action.VIEW", android.net.Uri.parse("market://details?id=org.kde.necessitas.ministro")), 62446); { } catch (org.qtproject.qt5.android.bindings.QtActivityLoader v2_1) v2_1.printStackTrace(); this.this$0.ministroNotFound(); } return; }
Method android.content.Intent.<init>() not found.
------
Is there a way to avoid this if Ministro is not used ?