Android 12: Security and privacy - Safer component exporting

[ashiagr]

Closes #16064

This PR explicitly declares the android:exported attribute in the manifest for activities, services, and receivers including an intent filter as part of (behavior changes: safer component exporting for Android 12 - Target SDK Version 31.

Note: These changes were simple to be addressed, can exist with the existing targetSdkVersion=30 and so the PR targets trunk.

Review Instructions

1. Review from only one reviewer is sufficient.
2. Targets a future milestone, so there's no rush to review it.

Details

---

Activities & Activity Alias 86f3307 & 86f3307

A. android:exported is set to true for

1. Launchable activities/ activity-alias
   (error shown if exported set to false: A launchable activity must be exported as of Android 12, which also makes it available to other apps.)

   WPLaunchActivity
PostsActivity (alias)

2. Activities supporting ACTION_VIEW
   (error shown if exported set to false: Activity supporting ACTION_VIEW is not exported)

   LoginMagicLinkInterceptActivity
NotificationsSettingsActivity
EditPostActivity
JetpackConnectionResultActivity
DeepLinkingIntentReceiverActivity
WPComPostReaderActivity (alias)

3. AddQuickPressShortcutActivity (accessed using widgets)
   (if exported set to false, app crashes with logs)

    E/StartActivityParams: Unable to send back result
    android.app.PendingIntent$CanceledException
    at android.app.PendingIntent.send(PendingIntent.java:959)
    at android.app.PendingIntent.send(PendingIntent.java:806)
    at com.android.launcher3.proxy.StartActivityParams.deliverResult(SourceFile:2)
    at com.android.launcher3.proxy.ProxyActivityStarter.onActivityResult(SourceFile:2)
    at android.app.Activity.dispatchActivityResult(Activity.java:8381)
    at android.app.ActivityThread.deliverResults(ActivityThread.java:5294)
   

B. android:exported is set to false for

1. Stats widgets configure activities

   StatsViewsWidgetConfigureActivity
StatsAllTimeWidgetConfigureActivity
StatsTodayWidgetConfigureActivity
StatsMinifiedWidgetConfigureActivity

2. ShareIntentReceiverActivity

   Testing Instructions (for activities withandroid:exported=false)

   TestB.1: Stats widgets configure activities

   1. Long press app icon
   2. Select widgets
   3. Choose a widget corresponding to activities listed in B.1 and place it on the device screen
   4. Tap on the widget
   5. Make sure that the activity is created properly
   

   TestB.2: Share intent receiver activity

   1. Publish a post (optionally include an image) and put the app to the background so that post published notification is shown
   2. Click the Share action button from the notification
   3. Complete the action
   4. Make sure there are no crashes
   

---

Services 89f8b6f

android:exported for below services is set based on their respective documentation:

GCMMessageService: https://firebase.google.com/docs/cloud-messaging/android/client#manifest
InstanceIDService: https://firebase.google.com/docs/reference/android/com/google/firebase/iid/FirebaseInstanceIdService

---

Receivers 534eb3b

1. android:exported is set to false for Stats widget providers based on the below guideline:

   The component should not be exported unless a separate process needs to broadcast to your AppWidgetProvider, which is usually not the case.

   StatsViewsWidget
StatsAllTimeWidget
StatsTodayWidget
StatsMinifiedWidget

2. NotificationsPendingDraftsReceiver - this receiver is triggered when a draft is scheduled from the app and notification is enabled for it. It doesn't look like we need to export it considering no external process need to broadcast to it.
   Note that currently these notifications are not shown due to an existing bug: Pending drafts local notifications #14240

---

Regression Notes

1. Potential unintended areas of impact
   Push notifications (needs to be tested well)

2. What I did to test those areas of impact (or what existing automated tests I relied on)
   See notes and testing instructions

3. What automated tests I added (or what prevented me from doing so) - N/A

PR submission checklist:

• I have completed the Regression Notes.
• I have considered adding accessibility improvements for my changes.
• I have considered if this change warrants user-facing release notes and have added them to RELEASE-NOTES.txt if necessary.

[peril-wordpress-mobile]

You can trigger optional UI/connected tests for these changes by visiting CircleCI here.

[peril-wordpress-mobile]

You can test the changes on this Pull Request by downloading the APKs:

• Jetpack-pr-16076-build-119454.apk

• WordPress-pr-16076-build-119454.apk

[antonis]

Great work @ashiagr 👍
I tested on a Pixel 5 with Android 12 and everything works as expected. Specifically:

• Activities & Activity Alias
  • A. android:exported is set to true
    • Validated that the documented errors are solved with the exported set to true ✅
  • B. android:exported is set to false for
    • TestB.1: Stats widgets configure activities ✅
    • TestB.2: Share intent receiver activity ✅
• Services ✅
• Receivers
  • 1. Stats widget providers ✅
  • 2. NotificationsPendingDraftsReceiver ✅

The code changes also look consistent to me and I didn't find anything missing according to the documentation 🎉

ps. Thank you for documenting the changes in detail. This helped a lot the review process 🙇

[ashiagr]

Thank you @antonis, for taking out time to test it. 🙏
I'll merge it now.