Why might a fragment class be invalid?

I just created a PreferenceActivity using the Android Studio wizard. When I ran it, there was a strange exception:

java.lang.RuntimeException: Subclasses of PreferenceActivity must override isValidFragment(String) to verify that the Fragment class is valid! 

I saw the suggested solutions here, but I was wondering why I should check whether my fragment classes are really valid, because I don’t even fully understand what "valid" means, so I decided to ask the community:

The preference activity has the isValidFragment(String fragmentName) method, which for some reason needs to be overridden. Why? How can a fragment class be invalid? And what could go wrong with an override such as:

  @Override
  protected boolean isValidFragment(String fragmentName) {
      return true;
  }
+8
android android-fragments
Sep 25 '15 at 10:46
3 answers

Why?

PreferenceActivity was safe, and isValidFragment(String name) was provided as a response.

In particular, from the disclosure of the vulnerability:

Any application that implements and exports an activity that extends the PreferenceActivity class can be subverted to load an arbitrary class using the dynamic fragment loading process.

The security issue meant that a rogue application could instantiate your PreferenceFragments and they would get their extra data from the actual parent, leaking data.

As a patch, isValidFragment(String name) was created, so you are forced either to provide a whitelist of "safe" fragments or, if you always return true, to accept the risk of infection of your application.

This is only necessary as of KitKat, because that is when the patch was introduced.

How is the fragment class invalid?

The presence of a name foreign to your application.

What could go wrong?

Someone can attack your application using the method described in the PDF linked by @Sree in the comments.

+2
Sep 25 '15 at 11:18
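
An allow-list override of the kind the answer above describes, as an added example that is not part of the original answer. `SettingsActivity` and the two fragment classes are hypothetical names standing in for the fragments your own app ships.

```java
import android.preference.PreferenceActivity;
import android.preference.PreferenceFragment;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class SettingsActivity extends PreferenceActivity {

    // Hypothetical fragments owned by this app (names are assumptions).
    public static class GeneralPreferenceFragment extends PreferenceFragment { }
    public static class NotificationPreferenceFragment extends PreferenceFragment { }

    // Exact, fully qualified class names this activity agrees to host.
    // Anything not listed here is rejected, including framework classes
    // and classes from other packages.
    private static final Set<String> ALLOWED_FRAGMENTS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                    GeneralPreferenceFragment.class.getName(),
                    NotificationPreferenceFragment.class.getName())));

    @Override
    protected boolean isValidFragment(String fragmentName) {
        // fragmentName can be supplied by whoever starts this activity,
        // so treat it as untrusted input: exact match only, no prefix or
        // package checks, and never an unconditional "return true".
        return fragmentName != null && ALLOWED_FRAGMENTS.contains(fragmentName);
    }
}
```

Using `Class.getName()` rather than hand-typed strings keeps the list correct if a fragment is renamed or moved to another package.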

I think this is a completely new class that may not be supported by old versions of the SDK.

As the Google doc says:

The default implementation returns true for applications built for android:targetSdkVersion older than KITKAT. For later versions, this throws an exception.

But I'm not quite sure if there are other cases causing the throw.

0
Sep 25 '15 at 10:56

From developer.android.com:

Subclasses must override this method and ensure that the given fragment is a valid type to be attached to this activity. The default implementation returns true for applications built for android:targetSdkVersion older than KITKAT. For later versions, it throws an exception.

Basically, on TargetSDK <= KITKAT you have to make sure in isValidFragment that the fragment is correct.

0
Sep 25 '15 at 10:58