PM-PM-4327 Changed LaunchMode to SingleInstance to avoid security issues only on WebAuthCallbackActivity given that it's exported and go back to previous value on the other ones. This is being done in the manifest so we can set the appropriate value depending on the API level.

2024-11-24 11:55:38 +01:00 · 2024-05-14 16:18:30 -03:00 · 2024-05-14 16:18:30 -03:00 · 22f0c93b47
commit 22f0c93b47
parent 5aeb3cef0a
6 changed files with 16 additions and 10 deletions
--- a/src/App/Platforms/Android/AndroidManifest.xml
+++ b/src/App/Platforms/Android/AndroidManifest.xml
@ -24,7 +24,7 @@
 		<meta-data android:name="com.samsung.android.sdk.multiwindow.penwindow.enable" android:value="true" />
 		<!-- Support for LG "Dual Window" mode (for Android < 7.0 users) -->
 		<meta-data android:name="com.lge.support.SPLIT_WINDOW" android:value="true" />
-		<!-- Declare MainActivity manually so we can set LaunchMode using API dependant resource -->
+		<!-- Declare exported activities manually so we can set LaunchMode/TaskAffinity using API dependant resource -->
 		<activity android:name="com.x8bit.bitwarden.MainActivity" android:configChanges="keyboard|keyboardHidden|navigation|orientation|screenSize|uiMode" android:exported="true" android:icon="@mipmap/ic_launcher" android:label="Bitwarden" android:launchMode="@integer/launchModeAPIlevel" android:theme="@style/LaunchTheme">
 			<intent-filter>
 				<action android:name="android.intent.action.MAIN" />
@ -39,6 +39,15 @@
 				<data android:mimeType="text/*" />
 			</intent-filter>
 		</activity>
+		<!-- Declare activities manually so we can set taskAffinity using API dependant resource -->
+		<activity android:name="com.x8bit.bitwarden.WebAuthCallbackActivity" android:launchMode="@integer/webAuthCallbackLaunchMode" android:noHistory="true" android:exported="true">
+			<intent-filter>
+				<action android:name="android.intent.action.VIEW" />
+				<category android:name="android.intent.category.DEFAULT" />
+				<category android:name="android.intent.category.BROWSABLE" />
+				<data android:scheme="bitwarden" />
+			</intent-filter>
+		</activity>
 	</application>
 	<!-- Support for Xamarin.Essentials.Browser.OpenAsync  (for Android > 11) -->
 	<!-- Related docs: https://learn.microsoft.com/en-us/xamarin/essentials/open-browser?tabs=android -->
--- a/src/App/Platforms/Android/Autofill/AutofillExternalSelectionActivity.cs
+++ b/src/App/Platforms/Android/Autofill/AutofillExternalSelectionActivity.cs
@ -10,7 +10,7 @@ namespace Bit.Droid.Autofill
 {
    [Activity(
        NoHistory = true,
-        LaunchMode = LaunchMode.SingleInstance,
+        LaunchMode = LaunchMode.SingleTop,
        Exported = false)]
    public class AutofillExternalSelectionActivity : MauiAppCompatActivity
    {
--- a/src/App/Platforms/Android/Autofill/CredentialProviderSelectionActivity.cs
+++ b/src/App/Platforms/Android/Autofill/CredentialProviderSelectionActivity.cs
@ -20,7 +20,7 @@ namespace Bit.Droid.Autofill
 {
    [Activity(
        NoHistory = true,
-        LaunchMode = LaunchMode.SingleInstance)]
+        LaunchMode = LaunchMode.SingleTop)]
    public class CredentialProviderSelectionActivity : MauiAppCompatActivity
    {
        private LazyResolve<IFido2MediatorService> _fido2MediatorService = new LazyResolve<IFido2MediatorService>();
--- a/src/App/Platforms/Android/Resources/values-v30/manifest.xml
+++ b/src/App/Platforms/Android/Resources/values-v30/manifest.xml
@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <resources>
  <integer name="launchModeAPIlevel">0</integer>
+  <integer name="webAuthCallbackLaunchMode">1</integer>
 </resources>
--- a/src/App/Platforms/Android/Resources/values/manifest.xml
+++ b/src/App/Platforms/Android/Resources/values/manifest.xml
@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <resources>
  <integer name="launchModeAPIlevel">2</integer>
+  <integer name="webAuthCallbackLaunchMode">3</integer>
 </resources>
--- a/src/App/Platforms/Android/WebAuthCallbackActivity.cs
+++ b/src/App/Platforms/Android/WebAuthCallbackActivity.cs
@ -1,17 +1,12 @@
 using Android.App;
 using Android.Content.PM;
 using Android.OS;
+using Android.Runtime;
 using Bit.App.Droid.Utilities;

 namespace Bit.Droid
 {
-    [Activity(
-        NoHistory = true, 
-        LaunchMode = LaunchMode.SingleInstance,
-        Exported = true)]
-    [IntentFilter(new[] { Android.Content.Intent.ActionView },
-        Categories = new[] { Android.Content.Intent.CategoryDefault, Android.Content.Intent.CategoryBrowsable },
-        DataScheme = "bitwarden")]
+    [Register("com.x8bit.bitwarden.WebAuthCallbackActivity")]
    public class WebAuthCallbackActivity : WebAuthenticatorCallbackActivity
    {
        protected override void OnCreate(Bundle savedInstanceState)