mirror of
https://github.com/beemdevelopment/Aegis.git
synced 2025-05-19 08:20:20 +00:00
3927ddec3e
Aegis can display a notification to the user as a reminder that the vault is unlocked. If the user taps the notification, the vault is locked. CodeQL reported that Aegis may be vulnerable to CWE-927, because of the use of an implicit intent wrapped by a PendingIntent in that notification. This does not appear to be exploitable in our case, because we use ``PendingIntent.getBroadcast`` and explicitly set the action of the wrapped intent. Aegis also does not read or act on any information from the received intent. This means that a malicious app cannot launch activities or send a broadcast with a different action, as is common with these type of weakness. The worst an app with notification access can do, is lock the vault. Either way, it's good to make the intent explicit, so this patch addresses that. Additionally, for API level 23 and up, we've made the wrapped intent immutable a while back. We'd like to thank John Rune, who ran a CodeQL scan on the Aegis codebase and privately disclosed this finding to us. |
||
|---|---|---|
| .. | ||
| aegis | ||