Harden FlutterFragment and FlutterActivity by restricting how flags are set (especially in release mode)

[reidbaker]

When auditing the flutter android embedder we discovered that we have design pattern that makes it easy to accidentally introduce vulnerabilities. Specifically in

flutter/engine/src/flutter/shell/platform/android/io/flutter/embedding/engine/FlutterShellArgs.java

Line 70 in 404fb3f

public static FlutterShellArgs fromIntent(@NonNull Intent intent) {

the pattern of trusting flags that can be set by a malicious app in release mode should be modified.

Non public docs: go/flutter-android-intent-based-flag-analysis go/flutter-fragment-flag-security-analysis

This issue tracks both the design review process and implementation of a better system for enabling engine flags in release mode.

Ideally there would be no way to set flags with intent values, possibly by using android manifest flags to set values in release builds. If that proves non feasible then creating an allow list of flags that can be set in release mode should be the next option.

[flutter-triage-bot]

This issue is assigned to @camsim99 but has had no recent status updates. Please consider unassigning this issue if it is not going to be addressed in the near future. This allows people to have a clearer picture of what work is actually planned. Thanks!

[camsim99]

I've been working on #177127 to address this issue, an I want to provide an update.

This PR I've been working on will add the mechanism to specify Flutter shell arguments via the manifest, which a secure mechanism for specifying these arguments. I initially also attempted to have this PR remove the ability to see these arguments via Intent extras. However, doing this without any additional Flutter tool changes broke the ability to set shell arguments via the command line because internally, the Flutter tool launches the shell with an adb call to launch an intent with the specified command line arguments included as extras:

flutter/packages/flutter_tools/lib/src/android/android_device.dart

Line 617 in acdb284

final cmd = <String>[

So, that PR (as aforementioned) will only include that addition of the manifest mechanism. I will then follow up this PR with an integration test and a PR to add Flutter tool changes to change the mechanism by which the tool passes shell arguments to the shell for the embedding to read so that we can remove the Intent mechanism completely. Ideally, instead of passing the arguments via Intent, we will write to the manifest for the embedding to read from.