Menu
I just created a PreferenceActivity using AndroidStudio wizard, running it threw a weird exception :
java.lang.RuntimeException: Subclasses of PreferenceActivity must override isValidFragment(String) to verify that the Fragment class is valid!
i saw suggested solutions here but i was wondering why would i have to check if my fragment classes are valid, as i dont even fully understand whats the definition of "valid", so i decided to ask the community:
a PreferenceActivity has isValidFragment(String fragmentName) method that for some reason must be overriden, why? how could a fragment class not be valid? and what could go wrong with such an override :
@Override
protected boolean isValidFragment(String fragmentName)
{
return true;
}
930
PreferenceActivity had its security compromised and isValidFragment(String name) was provided as a response.
More specifically, from the vulnerability disclosure:
Any app which implements and exports an activity that extends a PreferenceActivity class can be subverted to load an arbitrary class by exploiting the dynamic fragment loading process.
The security issue meant that a rogue application could instantiate your PreferenceFragments and they would get their extras from the actual parent, leaking data.
As a patch, isValidFragment(String name) was created so you are forced to either provide a whitelist of "safe" fragments or if you return always true, acknowledge the risk of your application being compromised.
It is only needed starting KitKat because is when the patch was introduced.
Having a name alien to your app.
Somebody could attack your app through the method described in this pdf linked by @Sree in the comments.
156
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
