docs/bugpattern/android/FragmentInjection.md
Fragment Injection refers to a security vulnerability in classes extending
android.preference.PreferenceActivity wherein malicious intents can place
fragments in places they were never meant to be. In Android SDK 19 and higher,
this was patched by adding the method isValidFragment to verify that fragments
placed in preference activities are meant to be there before instantiating them.
The vulnerability exists for any exported preference activity targeting API
level < 19 unless you override isValidFragment in your activity to check that
fragments are the type that you expect. You'll probably want to do something
like this:
protected boolean isValidFragment(String fragmentName) {
return MyFragment.class.getName().equals(fragmentName);
}
This check emits a warning if isValidFragment is not implemented on classes extending PreferenceActivity, or if the implementation of isValidFragment returns true on all code paths1.
If you are targeting API level >= 19, or if exported is set to false in your
Manifest.xml, you are probably safe2, but it is even better to implement
isValidFragment anyway in case of future changes to your manifest, or other
eventualities.
For more info:
Your method implementation may be safe if you throw a runtime exception instead of returning false for a fragment, but you will still get a warning. You may want to change your implementation to return false instead. This way your app will still be safe, and won't crash. ↩
For API levels >= 19, the default implementation throws a runtime exception, so it is "safe", but probably not the behavior you want. If your activity is not exported, intents outside your app should not be able to attempt to show any fragments, and therefore isValidFragment should not be called. ↩