Why does Kit Kat require the use of the isValidFragment?

Ever since KitKat was released, I’ve noticed a whole bunch of my apps updating with “Fixing a crash in Kit Kat”. Recently when I released my own app, I figured out the likely source of that is the new “isValidFragment” requirement for using preference activities. I haven’t been able to get anyone, however, to explain why this new class is suddenly needed to validate fragments. Can anyone offer me an explanation of why this is required?

  • Hide soft input keyboard when dialog closes
  • Focusable EditText inside ListView
  • Calling TextView.setText() redraws entire screen in spite of view hierarchy
  • Ringing myself using android emulator
  • Trying to catch a click on android ListView item: android:descendantFocusability=“blocksDescendants” not working
  • Use microphone in multiple app simultaneously in Android
  • Related posts:

    Google Play In-App Purchase returns error code -1008: null puchaseData or dataSignature
    Are there any http proxies like fiddler or wireshark on android?
    adding android project to git
    How to increase consistency of Android geofence enter/exit notifications?
    Opening facebook app on specified profile page
    Problem with 9 patch image as background
  • Why VideoView in android is taking too much time to load and play the video from http link?
  • How can I add my spinner to the ActionBar?
  • Uncaught exception in Firebase runloop (3.0.0)
  • Keep map centered regardless of where you pinch zoom on android
  • About RenderScript
  • Does Android Support JDBC
  • 4 Solutions collect form web for “Why does Kit Kat require the use of the isValidFragment?”

    Subclasses should override this method and verify that the given fragment is a valid type to be attached to this activity. The default implementation returns true for apps built for android:targetSdkVersion older than KITKAT. For later versions, it will throw an exception.

    A New Vulnerability in the Android Framework: Fragment Injection
    We have recently disclosed a new vulnerability to the Android Security
    Team. The vulnerability affected many apps, including Settings (the
    one that is found on every Android device), Gmail, Google Now, DropBox
    and Evernote. To be more accurate, any App which extended the
    PreferenceActivity class using an exported activity was automatically
    vulnerable. A patch has been provided in Android KitKat. If you
    wondered why your code is now broken, it is due to the Android KitKat
    patch which requires applications to override the new method,
    PreferenceActivity.isValidFragment, which has been added to the
    Android Framework.

    http://securityintelligence.com/new-vulnerability-android-framework-fragment-injection/
    http://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf

    Here: http://commonsware.com/blog/2013/12/13/sanitize-all-the-extras.html it is suggested that this was introduced as a security fix:

    PreferenceActivity supports extras to load specific
    PreferenceFragments into the activity. This is used heavily by the
    Settings app, to allow apps to drive straight into particular screens
    (actually fragments). Unfortunately, there was no logic in
    PreferenceActivity to ensure that only those fragments that were
    supposed to be externally reachable were loaded via these extras —
    hence, the addition of isValidFragment()
    . So, a properly-crafted
    Intent can open any exported PreferenceActivity and launch any
    PreferenceFragment from it, in the absence of such defenses.

    (bold text added by me)

    You got this documented:

    Subclasses should override this method and verify that the given
    fragment is a valid type to be attached to this activity. The default
    implementation returns true for apps built for
    android:targetSdkVersion older than KITKAT. For later versions, it
    will throw an exception.

    so as long as your targetSdk is below 19, you do not need to care. If it is 19 then your app will crash due to the exception, unless you implement isValidFragment()..

    Taken from a blog of commonsware.

    Once you target API Level 19 or higher, you will need to override isValidFragment() in your PreferenceActivity, to validate that the supplied fragment class name is indeed something that should be displayed. Off the cuff, this feels like some hack to deal with a security flaw.

    Documentation says

    protected boolean isValidFragment (String fragmentName)

    Subclasses should override this method and verify that the given fragment is a valid type to be attached to this activity. The default implementation returns true for apps built for android:targetSdkVersion older than KITKAT. For later versions, it will throw an exception.

    Android Babe is a Google Android Fan, All about Android Phones, Android Wear, Android Dev and Android Games Apps and so on.