ANDROID.LIFECYCLE.SV.FRAGMENTINJ

Unvalidated fragment class name

For security reasons, an application cannot normally access another application's sensitive data. In some cases, to facilitate feature reuse, an application can invoke another application's components (such as activities). Since activities access the input Intent’s data, a bad application can invoke the exported activity and provide it with malicious data This may trigger vulnerabilities if the data is not properly sanitized or validated in the target application.

This vulnerability was discovered in Android 4.3 Jelly Bean and earlier.

Vulnerability and risk

Any app which extended the PreferenceActivity class using an exported activity is automatically vulnerable. The malicious application can make the PreferenceActivity load an arbitrary Fragment of the vulnerable application; which is normally loaded inside a user Activity. The malicious application can then control it.

All applications that use PreferenceActivity are vulnerable.

Mitigation and prevention

Google patched Android 4.4 KitKat by adding a new protected API, PreferenceActivity.isValidFragment, which is called before the Fragment is dynamically instantiated. The isValidFragment method must be overridden.

Klocwork reports an error if the method isValidFragment is not called for verification.

Example 1

11
12
13
14
15
16
17
18
19
20
  public class MyActivity extends PreferenceActivity {
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        final String initialFragment = getIntent().getStringExtra("EXTRA_SHOW_FRAGMENT");
        final Fragment f = Fragment.instantiate(this, initialFragment, null);
        final FragmentTransaction transaction = getFragmentManager().beginTransaction();
        transaction.setTransition(FragmentTransaction.TRANSIT_FRAGMENT_FADE);
        transaction.replace(11, f);
        transaction.commitAllowingStateLoss();
 }

ANDROID.LIFECYCLE.SV.FRAGMENTINJ is reported for line 19: intent is coming from outside the application. Extra information is used to instantiate the fragment. No verification of the information is done in between.

Example 2

11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
  public class MyActivity extends PreferenceActivity {
      protected void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
          final String initialFragment = getIntent().getStringExtra("EXTRA_SHOW_FRAGMENT");
          if (!isValidFragment(initialFragment)) {
              throw new IllegalArgumentException("Invalid fragment for this activity");
          }
          final Fragment f = Fragment.instantiate(this, initialFragment, null);
          final FragmentTransaction transaction = getFragmentManager().beginTransaction();
          transaction.setTransition(FragmentTransaction.TRANSIT_FRAGMENT_FADE);
          transaction.replace(11, f);
          transaction.commitAllowingStateLoss();
      }
  
      public boolean isValidFragment(final String name) {
          //validate here …
      }

The defect is not reported here as validation is performed on the line 15.

Related checkers

• ANDROID.LIFECYCLE.SV.GETEXTRA
• A New Vulnerability in the Android Framework: Fragment Injection