Hi Maciej and Giancarlo,

I tried to test this kind of leak and built two apps. App A is the target app; it has the First/Second Activity and passes a value in the intent. App B is the monitor; it declares the GET_TASKS permission, calls getRecentTasks every 20 seconds, and prints to System.out. But I can only get the Intent that starts the First activity, and I can't get the Intent that starts the Second activity. Is there anything wrong in my code?

<https://lh4.googleusercontent.com/-N-GbOF83oUQ/Uaw-Ag7RzmI/AAAAAAAAC5I/us220jkAAMU/s1600/ss.png>

My test environment is the Android 2.3 emulator. Here is the source.

App A:

    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        // Start the Second activity with an extra attached
        Intent intent = new Intent(this, Second.class);
        intent.putExtra("a", "b");
        startActivity(intent);
    }

App B:

    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        final ActivityManager am = (ActivityManager) getSystemService(ACTIVITY_SERVICE);
        Timer timer = new Timer();
        // Dump the recent task list every 20 seconds
        timer.schedule(new TimerTask() {
            @Override
            public void run() {
                for (RecentTaskInfo ti : am.getRecentTasks(999, 0)) {
                    System.out.println(ti.origActivity + " -> " + ti.baseIntent);
                }
            }
        }, 20000, 20000);
    }

BR,
b0b

On Tuesday, May 14, 2013 5:24:21 AM UTC+8, Giancarlo Capone wrote:
>
> Hello Maciej Górski,
> I know this is a common problem. This issue has been resolved by Google
> since Android 4.1.1: in fact from this version on, they have introduced a
> new class that allows you to retrieve data (ActivityManager.RecentTaskInfo)
> that doesn't allow you to get "extras" from other applications.
> In my opinion if you want to pass data in such a secure way between two
> activities, you can pass encrypted data or you can only pass a kind of simple
> variable (for example an Integer or a String) and in the second activity
> you can retrieve data from a Db or from the shared preferences.
>
> Let's consider that you want to send the number of a credit card from
> FirstActivity to SecondActivity.
> Now in FirstActivity you can save the number of the credit card in a Db
> or using a SharedPreference, then you can pass to SecondActivity a number
> or a string that has no real meaning (for example you can pass the name
> used to save the sharedPreferences). In the SecondActivity, you receive
> that String and you can retrieve the number of the credit card from the
> sharedPreferences you have saved or from the Db. In this way no data
> passing from one activity to another can be read by other applications.
> I hope this is useful for you.
>
> On Saturday, May 11, 2013 21:29:53 UTC+2, Maciej Górski wrote:
>>
>> Hello everybody,
>>
>> I've noticed that when an application has GET_TASKS permission it can
>> retrieve the data sent between two Activities in other application, where
>> second Activity is not exported like in this example:
>>
>>     <activity android:name=".FirstActivity" >
>>         <intent-filter>
>>             <action android:name="android.intent.action.MAIN" />
>>
>>             <category android:name="android.intent.category.LAUNCHER" />
>>         </intent-filter>
>>     </activity>
>>     <activity android:name=".SecondActivity" />
>>
>> somewhere in FirstActivity:
>>
>>     Intent intent = new Intent(this, SecondActivity.class);
>>     intent.putExtra("any_key", "any_value");
>>     startActivity(intent);
>>
>> any_key + any_value pair can be read from application that has GET_TASKS
>> permission.
>>
>> Does that mean we should not send sensitive data between exported and
>> private Activity?
>>
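
The handle-passing approach described in Giancarlo's quoted reply, as an added example that is not code from any poster in this thread: the sensitive value stays in app-private SharedPreferences and the Intent carries only a random one-time key. The preference file name, extra key and sample card number are assumptions made for illustration.

```java
// ---- FirstActivity.java (added example; all names here are hypothetical) ----
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import java.util.UUID;

public class FirstActivity extends Activity {
    static final String PREFS = "handoff";        // assumed private prefs file name
    static final String EXTRA_HANDLE = "handle";  // assumed extra key

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String cardNumber = "4111111111111111";   // constructed sample value
        // Random one-time handle: the only thing that travels in the Intent.
        String handle = UUID.randomUUID().toString();
        // MODE_PRIVATE keeps the file readable by this app's UID only.
        // commit() is synchronous, so the value is stored before the launch.
        getSharedPreferences(PREFS, MODE_PRIVATE)
                .edit().putString(handle, cardNumber).commit();
        Intent intent = new Intent(this, SecondActivity.class);
        intent.putExtra(EXTRA_HANDLE, handle);
        startActivity(intent);
    }
}

// ---- SecondActivity.java ----
import android.app.Activity;
import android.content.SharedPreferences;
import android.os.Bundle;

public class SecondActivity extends Activity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String handle = getIntent().getStringExtra(FirstActivity.EXTRA_HANDLE);
        if (handle == null) { finish(); return; }  // launched without a handle
        SharedPreferences prefs =
                getSharedPreferences(FirstActivity.PREFS, MODE_PRIVATE);
        String cardNumber = prefs.getString(handle, null);
        // Delete immediately so the handle cannot be redeemed a second time.
        prefs.edit().remove(handle).commit();
        if (cardNumber == null) { finish(); return; }  // unknown or used handle
        // ... use cardNumber here; it never appeared in the Intent extras.
    }
}
```

An app holding GET_TASKS that can read this Intent's extras would see only the UUID, which maps to nothing outside this app's private storage and stops resolving once SecondActivity has consumed it.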
