Fix Talkback Shortcut Vulnerability

The way the talkback component was selected was vulnerable. Now the system verifies that the talkback component is provided by the system. Bug: 339609745 Change-Id: Iabadb129807b0ac02aa2e9ac1580ac0f212930ef Test: manual - tested that the talkback service is still available Flag: No Flags: Security High/Critical Severity CVEs
MinatiScape · Jun 3, 2024 · 1d1cef1 · 1d1cef1
1 parent 9ec62d0
commit 1d1cef1
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/services/core/java/com/android/server/policy/TalkbackShortcutController.java b/services/core/java/com/android/server/policy/TalkbackShortcutController.java
@@ -117,6 +117,7 @@ private void logStemTriplePressAccessibilityTelemetry(ComponentName componentNam
     }
 
     private boolean isTalkback(ServiceInfo info) {
-        return TALKBACK_LABEL.equals(info.loadLabel(mPackageManager).toString());
+        return TALKBACK_LABEL.equals(info.loadLabel(mPackageManager).toString())
+            && (info.applicationInfo.isSystemApp() || info.applicationInfo.isUpdatedSystemApp());
     }
 }