Verify package name before initializing ACRA and ErrorActivity #2649
Conversation
Fixes #2641. Implementation is a bit primitive, and given the source code is publicly available, we can only slow down, but not prohibiting others from pirating without a decent code signing mechanism that will work across github, f-droid and derivatives, and google play.
TranceLove
added
Issue-Bug
Protection via obfuscation would be ideal here. |
| @@ -109,7 +109,9 @@ public void onCreate() { | |||
| @Override | |||
| protected void attachBaseContext(Context base) { | |||
| super.attachBaseContext(base); | |||
| initACRA(); | |||
| if (base.getPackageName().equals(BuildConfig.APPLICATION_ID)) { | |||
There was a problem hiding this comment.
Isn't build config generated on compile?
| @@ -149,6 +151,7 @@ public static void reportError( | |||
| final String[] el = new String[] {report.getString(ReportField.STACK_TRACE)}; | |||
|
|
|||
| final Intent intent = new Intent(context, ErrorActivity.class); | |||
| intent.setPackage("context.getPackageName()"); | |||
There was a problem hiding this comment.
did you forget to delete the quotes?
| if (errorInfo.message != 0) { | ||
| errorMessageView.setText(errorInfo.message); | ||
| if (ErrorInfo.comparePackageInfo(intent.getPackage()) != 0) { | ||
| finish(); | ||
| } else { |
There was a problem hiding this comment.
At least a return to get out of there would make me feel more safe ;)
|
@EmmanuelMess Surely do. I found this for encrypting strings, but it also noted degrading performance if too many strings are encrypted. Possibly some code reviews required before proceeding. |
|
@TranceLove But also, since other peiple can have full access to source code, it seems code signing shall be the more appropriate method. |
| @@ -496,5 +502,9 @@ public void writeToParcel(final Parcel dest, final int flags) { | |||
| dest.writeString(this.request); | |||
| dest.writeInt(this.message); | |||
| } | |||
|
|
|||
| public static int comparePackageInfo(String packageName) { | |||
| return packageName.indexOf("com.amaze.filemanager"); | |||
There was a problem hiding this comment.
How is this going to work on debug package?
There was a problem hiding this comment.
"com.amaze.filemanager.debug".indexOf("com.amaze.filemanager") == 0
- Rewrote the validation routine with Umbrella ;)
Implementation is a bit primitive, and given the source code is publicly available, we can only slow down, but not prohibiting others from pirating without a decent code signing mechanism that will work across github, f-droid and derivatives, and google play.
Description
Issue tracker
Fixes #2641
Manual tests
Done
Device: Pixel 2 emulator
OS: Android 11
that ErrorActivity will immediately finish() if app package name doesn't start with our designated bundle ID.
Build tasks success
Successfully running following tasks on local:
./gradlew assembledebug./gradlew spotlessCheck