Fix: Vulnerable exported broadcast receiver

instacart / truetime-android

Android NTP time library. Get the true current time impervious to device clock time changes

https://tech.instacart.com/truetime/

Apache License 2.0

1.41k stars 194 forks source link

Fix: Vulnerable exported broadcast receiver #136

Closed anjalsaneen closed 2 years ago

anjalsaneen commented 3 years ago

This Receiver can use by other applications. but does not properly restrict which applications can launch the component or access the data it contains. Making it non-exportable for fixing the vulnerability

kaushikgopal commented 2 years ago

🙏 for this @anjalsaneen

cp-yfukuda commented 2 years ago

Great! @anjalsaneen, Thank you!

laurenyew-nytimes commented 2 years ago

When is this getting released?

kaushikgopal commented 2 years ago

quick request (as posted from a comment in another issue):

ah, I should have mentioned this. so this is "automatically" available through jitpack with the following url:

dependencies {
   implementation 'com.github.instacart:truetime-android:ddde9c4b66'
}

If some folks here can confirm that that works, I can then officially tag an incremental version and it should be available (probably through 3.5).

Can folks try the above include and test if that unblocks them?

pablogeek commented 2 years ago

it works!

kaushikgopal commented 2 years ago

kicked off 3.5. Should be available to download shortly under 3.5