Why does Kit Kat require the use of the isValidFragment?

Question

Ever since KitKat was released, I've noticed a whole bunch of my apps updating with "Fixing a crash in Kit Kat". Recently when I released my own app, I figured out the likely source of that is the new "isValidFragment" requirement for using preference activities. I haven't been able to get anyone, however, to explain why this new class is suddenly needed to validate fragments. Can anyone offer me an explanation of why this is required?

Answer 1

Subclasses should override this method and verify that the given fragment is a valid type to be attached to this activity. The default implementation returns true for apps built for android:targetSdkVersion older than KITKAT. For later versions, it will throw an exception.

A New Vulnerability in the Android Framework: Fragment Injection
We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, DropBox and Evernote. To be more accurate, any App which extended the PreferenceActivity class using an exported activity was automatically vulnerable. A patch has been provided in Android KitKat. If you wondered why your code is now broken, it is due to the Android KitKat patch which requires applications to override the new method, PreferenceActivity.isValidFragment, which has been added to the Android Framework.

http://securityintelligence.com/new-vulnerability-android-framework-fragment-injection/ http://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf

Answer 2

Here: http://commonsware.com/blog/2013/12/13/sanitize-all-the-extras.html it is suggested that this was introduced as a security fix:

PreferenceActivity supports extras to load specific PreferenceFragments into the activity. This is used heavily by the Settings app, to allow apps to drive straight into particular screens (actually fragments). Unfortunately, there was no logic in PreferenceActivity to ensure that only those fragments that were supposed to be externally reachable were loaded via these extras — hence, the addition of isValidFragment(). So, a properly-crafted Intent can open any exported PreferenceActivity and launch any PreferenceFragment from it, in the absence of such defenses.

(bold text added by me)

Answer 3

You got this documented:

Subclasses should override this method and verify that the given fragment is a valid type to be attached to this activity. The default implementation returns true for apps built for android:targetSdkVersion older than KITKAT. For later versions, it will throw an exception.

so as long as your targetSdk is below 19, you do not need to care. If it is 19 then your app will crash due to the exception, unless you implement isValidFragment()..

Answer 4

Taken from a blog of commonsware.

Once you target API Level 19 or higher, you will need to override isValidFragment() in your PreferenceActivity, to validate that the supplied fragment class name is indeed something that should be displayed. Off the cuff, this feels like some hack to deal with a security flaw.

Documentation says

protected boolean isValidFragment (String fragmentName)

Subclasses should override this method and verify that the given fragment is a valid type to be attached to this activity. The default implementation returns true for apps built for android:targetSdkVersion older than KITKAT. For later versions, it will throw an exception.