Hello once again, Thank you Giancarlo for pointing out it was already changed in 4.1.1 and you can't get bundle from baseIntent. I somehow missed this information.
Xiaobo and Dominic: my questions wasn't to show how you can do that, so consider this thread to be closed. Best regards, Maciej Górski W dniu poniedziałek, 3 czerwca 2013 16:18:30 UTC+2 użytkownik Dominik Schürmann napisał: > > Hi, > > have you tried it with an implicit Intent? > ( > http://stackoverflow.com/questions/10272699/what-is-the-different-between-explicit-and-implicit-activity-call-in-android). > > > I have not tested it, but eventually getRecentTasks works only with > implicit ones. > > I also wrote a small test app some days ago: > > https://github.com/dschuermann/recent-intents/blob/master/src/org/sufficientlysecure/recentintents/RecentIntent.java > > > Regards > Dominik > > On 03.06.2013 08:59, Xiaobo Pan wrote: > > hi Maciej and Giancarlo, > > > > I try to test this kind of leak and build two app, > > app A is the target app, has the First/Second Activity and pass a value > in > > the intent. > > app B is the monitor, declare to use the GET_TASKS, try getRecentTask > > every 20 seconds. and print to System.out. > > but I can only get the Intent to start First activity, and I can't get > the > > Intent to start Second activity. > > Is there anything wrong in my code ? > > > > < > https://lh4.googleusercontent.com/-N-GbOF83oUQ/Uaw-Ag7RzmI/AAAAAAAAC5I/us220jkAAMU/s1600/ss.png> > > > > my test environment is android 2.3 emulator. here is the source > > app A > > public void onCreate(Bundle savedInstanceState) { > > super.onCreate(savedInstanceState); > > setContentView(R.layout.main); > > Intent intent = new Intent(this, Second.class); > > intent.putExtra("a", "b"); > > startActivity(intent); > > } > > > > app B > > public void onCreate(Bundle savedInstanceState) { > > super.onCreate(savedInstanceState); > > setContentView(R.layout.main); > > final ActivityManager am = (ActivityManager) > > getSystemService(ACTIVITY_SERVICE); > > Timer timer = new Timer(); > > timer.schedule(new TimerTask() { > > > > @Override > > public void run() { > > for (RecentTaskInfo ti : am.getRecentTasks(999, 0)) { > > System.out.println(ti.origActivity + " -> " + > > ti.baseIntent); > > } > > } > > }, 20000, 20000); > > } > > > > BR, > > b0b > > > > On Tuesday, May 14, 2013 5:24:21 AM UTC+8, Giancarlo Capone wrote: > >> > >> Hello* *Maciej Górski, > >> I know this is a common problem. This issue has been resolved by Google > >> since Android 4.1.1: in fact from this version on, they have introduced > a > >> new class that allows you to retrieve data > (ActivityManager.RecentTaskInfo) > >> that doesn't allow you to get "extras" from other applications. > >> In my opinion if you want to pass data in such a secure way between two > >> activity, you can pass crypted data or you can only pass a kind a > simple > >> variable (for example an Integer or a String) and in the second > activity > >> you can retrieve data from a Db or from the shared preferences. > >> > >> Let's consider that you want to send the number of a credit card from > >> FirstActivity to SecondActivity. > >> Now in FirstActivity you can save the number of the credit card in a Db > >> or using a SharedPreference, then you can pass to SecondActivity a > number > >> or a string that has no real meaning (for example you can pass the name > >> used to save the sharedPreferences). In the SecondActivity, you receive > >> that String and you can retrieve the number of the credit card from the > >> sharedPreferences you have saved or from the Db. In this way no data > >> passing from one activity to another can be read by other applications > . > >> I hope this is useful for you. > >> * > >> * > >> Il giorno sabato 11 maggio 2013 21:29:53 UTC+2, Maciej Górski ha > scritto: > >>> > >>> Hello everybody, > >>> > >>> I've noticed that when an application has GET_TASKS permission it can > >>> retrieve the data sent between two Activities in other application, > where > >>> second Activity is not exported like in this example: > >>> > >>> <activity android:name=".FirstActivity" > > >>> <intent-filter> > >>> <action android:name="android.intent.action.MAIN" /> > >>> > >>> <category > android:name="android.intent.category.LAUNCHER" > >>> /> > >>> </intent-filter> > >>> </activity> > >>> <activity android:name=".SecondActivity" /> > >>> > >>> somwhere in FirstActivity: > >>> > >>> Intent intent = new Intent(this, SecondActivity.class); > >>> intent.putExtra("any_key", "any_value"); > >>> startActivity(intent); > >>> > >>> any_key + any_value pair can be read from application that has > GET_TASKS > >>> permission. > >>> > >>> Does that mean we should not send sensitive data between exported and > >>> private Activity? > >>> > >> > > > > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
