From c3da7104879d2187aa8532abe7948dfd8f97877c Mon Sep 17 00:00:00 2001
From: Farhan Arshad
Date: Fri, 6 Oct 2023 23:17:42 +0500
Subject: [PATCH 1/2] fix: vulnerable to cross-app script injection via crafted intent
- Mitigated the vulnerability by disabling the ability to open custom-defined inner URIs through external sources. This was achieved by setting `android:exported="false"`.
- Setting `android:exported="false"` for the android component doesn't need to call out side from the app.
fixes: LEARNER-9557
---
OpenEdXMobile/AndroidManifest.xml | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/OpenEdXMobile/AndroidManifest.xml b/OpenEdXMobile/AndroidManifest.xml
index 22562e5022..e4a54ec7f9 100644
--- a/OpenEdXMobile/AndroidManifest.xml
+++ b/OpenEdXMobile/AndroidManifest.xml
@@ -232,9 +232,10 @@
+ android:theme="@style/AppTheme.NoActionBar.TranslucentStatusBar"
+ tools:ignore="AppLinkUrlError">
@@ -255,11 +256,11 @@
+ android:theme="@style/Theme.CastVideosTheme">
-
+
From 086b84e405a0ec10827b2a62eb6cbda18d4a8000 Mon Sep 17 00:00:00 2001
From: Farhan Arshad
Date: Thu, 19 Oct 2023 15:27:08 +0500
Subject: [PATCH 2/2] fix: address PR comments
fixes: LEARNER-9557
---
OpenEdXMobile/AndroidManifest.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/OpenEdXMobile/AndroidManifest.xml b/OpenEdXMobile/AndroidManifest.xml
index e4a54ec7f9..fbe22cf510 100644
--- a/OpenEdXMobile/AndroidManifest.xml
+++ b/OpenEdXMobile/AndroidManifest.xml
@@ -347,7 +347,7 @@
+ android:exported="false">
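Review bot: The added `tools:ignore="AppLinkUrlError"` in the first hunk (new lines 232-241) silences the lint check without recording why a URI intent-filter is intentionally kept on a component that the commit makes non-exported, so a later maintainer chasing the lint error may "fix" it by re-exporting the activity and reopen LEARNER-9557. The element names are stripped in this rendering, so I infer from the attributes and the commit message that this is the activity handling the app's custom inner URIs. I would put a manifest comment directly above the suppression: `<!-- Intent-filter intentionally stays on a non-exported activity (LEARNER-9557): these URIs must only be reachable from within the app, never from other applications; do not re-export to satisfy AppLinkUrlError. -->`. The enclosing activity element starts and ends outside the hunk.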
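Review bot: `android:exported="false"` at new line 347 in the second patch is the whole mitigation for LEARNER-9557 but carries no comment, so the constraint is only recoverable from git history and will not survive a routine manifest cleanup. A one-line comment above it, e.g. `<!-- Must remain exported="false": this component handles app-internal URIs and must not be startable by other apps (LEARNER-9557). -->`, keeps the intent next to the attribute. Because the element name is stripped in this rendering I cannot confirm which component this is; it is worth verifying on a device that every in-app entry point into it still resolves, since it is no longer reachable from other applications.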