Why does Kit Kat require the use of the isValidFragment?

Question

Ever since KitKat was released, I've noticed a whole bunch of my apps updating with "Fixing a crash in Kit Kat". Recently when I released my own app, I figured out the likely source of that is the new "isValidFragment" requirement for using preference activities. I haven't been able to get anyone, however, to explain why this new class is suddenly needed to validate fragments. Can anyone offer me an explanation of why this is required?

Answer 1

Subclasses should override this method and verify that the given fragment is a valid type to be attached to this activity. The default implementation returns true for apps built for android:targetSdkVersion older than KITKAT. For later versions, it will throw an exception.

A New Vulnerability in the Android Framework: Fragment Injection
We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, DropBox and Evernote. To be more accurate, any App which extended the PreferenceActivity class using an exported activity was automatically vulnerable. A patch has been provided in Android KitKat. If you wondered why your code is now broken, it is due to the Android KitKat patch which requires applications to override the new method, PreferenceActivity.isValidFragment, which has been added to the Android Framework.

http://securityintelligence.com/new-vulnerability-android-framework-fragment-injection/ http://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf

Answer 2

Here: http://commonsware.com/blog/2013/12/13/sanitize-all-the-extras.html it is suggested that this was introduced as a security fix:

PreferenceActivity supports extras to load specific PreferenceFragments into the activity. This is used heavily by the Settings app, to allow apps to drive straight into particular screens (actually fragments). Unfortunately, there was no logic in PreferenceActivity to ensure that only those fragments that were supposed to be externally reachable were loaded via these extras — hence, the addition of isValidFragment(). So, a properly-crafted Intent can open any exported PreferenceActivity and launch any PreferenceFragment from it, in the absence of such defenses.

(bold text added by me)