From 14b3d2a4af95cd0f491803b9e080c464f34574e4 Mon Sep 17 00:00:00 2001
From: LeanBitLab <245915690+LeanBitLab@users.noreply.github.com>
Date: Mon, 20 Apr 2026 19:21:25 +0000
Subject: [PATCH 1/4] fix(security): implement whitelist for Intent actions

Addresses "Intent Action Injection via Unvalidated Input" by introducing a whitelist of allowed actions in MainActivity. The launchActivityFromAction method now validates the action against this list before starting the activity.
- Added ALLOWED_ACTIONS whitelist
- Validated action input against the whitelist
- Handled null actions to prevent NPE
- Ensured backward compatibility using Arrays.asList and Collections.unmodifiableList
- Applied changes to both MainActivity.java locations in the project
---
 .../src/main/java/com/leanbitlab/ltvL/MainActivity.java | 9 +++++++++
 .../src/main/java/me/efesser/flauncher/MainActivity.java | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/android/app/src/main/java/com/leanbitlab/ltvL/MainActivity.java b/android/app/src/main/java/com/leanbitlab/ltvL/MainActivity.java
index 186d4dd..7bea29d 100644
--- a/android/app/src/main/java/com/leanbitlab/ltvL/MainActivity.java
+++ b/android/app/src/main/java/com/leanbitlab/ltvL/MainActivity.java
@@ -35,6 +35,8 @@ import androidx.annotation.NonNull;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -64,6 +66,10 @@ import java.util.concurrent.Future;
 public class MainActivity extends FlutterActivity {
+ private static final List ALLOWED_ACTIONS = Collections.unmodifiableList(Arrays.asList(
+ Settings.ACTION_SETTINGS
+ ));
+
 private final String METHOD_CHANNEL = "me.efesser.flauncher/method";
 private final String APPS_EVENT_CHANNEL = "me.efesser.flauncher/event_apps";
 private final String NETWORK_EVENT_CHANNEL = "me.efesser.flauncher/event_network";
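Review bot: `ALLOWED_ACTIONS` in the `@@ -64,6 +66,10 @@` hunk carries no comment saying which input it constrains, and the identical list is added again in `me/efesser/flauncher/MainActivity.java`, so the two copies have to be edited together or they drift. I would put `// Intent actions launchActivityFromAction() may start; each entry widens what a caller can launch. Keep both MainActivity copies identical.` above the declaration. As the patch is shown here the field reads `List ALLOWED_ACTIONS` with no element type; if that is how the file really reads rather than a rendering loss, declare it `List<String>`.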
@@ -340,6 +346,9 @@ private Map buildAppMap(ActivityInfo activityInfo, boolean
 }
 private boolean launchActivityFromAction(String action) {
+ if (action == null || !ALLOWED_ACTIONS.contains(action)) {
+ return false;
+ }
 return tryStartActivity(new Intent(action));
 }
diff --git a/android/app/src/main/java/me/efesser/flauncher/MainActivity.java b/android/app/src/main/java/me/efesser/flauncher/MainActivity.java
index cca0a53..423b659 100644
--- a/android/app/src/main/java/me/efesser/flauncher/MainActivity.java
+++ b/android/app/src/main/java/me/efesser/flauncher/MainActivity.java
@@ -35,6 +35,8 @@ import androidx.annotation.NonNull;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -64,6 +66,10 @@ import java.util.concurrent.Future;
 public class MainActivity extends FlutterActivity {
+ private static final List ALLOWED_ACTIONS = Collections.unmodifiableList(Arrays.asList(
+ Settings.ACTION_SETTINGS
+ ));
+
 private final String METHOD_CHANNEL = "me.efesser.flauncher/method";
 private final String APPS_EVENT_CHANNEL = "me.efesser.flauncher/event_apps";
 private final String NETWORK_EVENT_CHANNEL = "me.efesser.flauncher/event_network";
@@ -331,6 +337,9 @@ private Map buildAppMap(ActivityInfo activityInfo, boolean
 }
 private boolean launchActivityFromAction(String action) {
+ if (action == null || !ALLOWED_ACTIONS.contains(action)) {
+ return false;
+ }
 return tryStartActivity(new Intent(action));
 }
From 0a686b59544e0fc3667f68c1ab6b394e647603c7 Mon Sep 17 00:00:00 2001
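Review bot: A refused action and a launch that failed now both return `false` from `launchActivityFromAction` (hunk `@@ -340,6 +346,9 @@`, and the same lines in `@@ -331,6 +337,9 @@` of the second MainActivity), and the refusal is not logged anywhere in the hunk, so an unexpected action reaching this method leaves no trace. I would log the refusal before returning, e.g. `Log.w("MainActivity", "launchActivityFromAction: action not on allow-list");`, which needs `android.util.Log` if the file does not already import it. The callers are outside the hunk; any existing caller that passes an action other than `Settings.ACTION_SETTINGS` will stop working without any signal, so the call sites should be checked before merging.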
From: LeanBitLab <245915690+LeanBitLab@users.noreply.github.com>
Date: Tue, 21 Apr 2026 01:59:14 +0000
Subject: [PATCH 2/4] fix(security): implement whitelist for Intent actions

Addresses "Intent Action Injection via Unvalidated Input" by introducing a whitelist of allowed actions in MainActivity. The launchActivityFromAction method now validates the action against this list before starting the activity.
- Added ALLOWED_ACTIONS whitelist
- Validated action input against the whitelist
- Handled null actions to prevent NPE
- Ensured backward compatibility using Arrays.asList and Collections.unmodifiableList
- Applied changes to both MainActivity.java locations in the project
From ce392ba753092d4c79f614aa39ba216e6957810c Mon Sep 17 00:00:00 2001
From: LeanBitLab <245915690+LeanBitLab@users.noreply.github.com>
Date: Tue, 21 Apr 2026 02:28:56 +0000
Subject: [PATCH 3/4] fix(security): implement whitelist for Intent actions

Addresses "Intent Action Injection via Unvalidated Input" by introducing a whitelist of allowed actions in MainActivity. The launchActivityFromAction method now validates the action against this list before starting the activity.
- Added ALLOWED_ACTIONS whitelist
- Validated action input against the whitelist
- Handled null actions to prevent NPE
- Ensured backward compatibility using Arrays.asList and Collections.unmodifiableList
- Applied changes to both MainActivity.java locations in the project
From 56f72f8a7e45a65063eab10192fb6effde6b860a Mon Sep 17 00:00:00 2001
From: LeanBitLab <245915690+LeanBitLab@users.noreply.github.com>
Date: Tue, 21 Apr 2026 02:52:24 +0000
Subject: [PATCH 4/4] fix(security): prevent Intent Action Injection in MainActivity

Addresses "Intent Action Injection via Unvalidated Input" by strictly validating the action string in launchActivityFromAction. The method now only permits Settings.ACTION_SETTINGS.
- Implemented strict validation for Intent actions
- Safely handled null input using .equals()
- Applied the fix to both MainActivity.java locations in the project
---
 .../main/java/com/leanbitlab/ltvL/MainActivity.java | 13 ++++---------
 .../java/me/efesser/flauncher/MainActivity.java | 13 ++++---------
 2 files changed, 8 insertions(+), 18 deletions(-)
diff --git a/android/app/src/main/java/com/leanbitlab/ltvL/MainActivity.java b/android/app/src/main/java/com/leanbitlab/ltvL/MainActivity.java
index 7bea29d..2bee9da 100644
--- a/android/app/src/main/java/com/leanbitlab/ltvL/MainActivity.java
+++ b/android/app/src/main/java/com/leanbitlab/ltvL/MainActivity.java
@@ -35,8 +35,6 @@ import androidx.annotation.NonNull;
 import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -66,10 +64,6 @@ import java.util.concurrent.Future;
 public class MainActivity extends FlutterActivity {
- private static final List ALLOWED_ACTIONS = Collections.unmodifiableList(Arrays.asList(
- Settings.ACTION_SETTINGS
- ));
-
 private final String METHOD_CHANNEL = "me.efesser.flauncher/method";
 private final String APPS_EVENT_CHANNEL = "me.efesser.flauncher/event_apps";
 private final String NETWORK_EVENT_CHANNEL = "me.efesser.flauncher/event_network";
@@ -346,10 +340,11 @@ private Map buildAppMap(ActivityInfo activityInfo, boolean
 }
 private boolean launchActivityFromAction(String action) {
- if (action == null || !ALLOWED_ACTIONS.contains(action)) {
- return false;
+ // Prevent Intent Action Injection by only allowing known actions
+ if (Settings.ACTION_SETTINGS.equals(action)) {
+ return tryStartActivity(new Intent(action));
 }
- return tryStartActivity(new Intent(action));
+ return false;
 }
 private boolean launchApp(String packageName) {
diff --git a/android/app/src/main/java/me/efesser/flauncher/MainActivity.java b/android/app/src/main/java/me/efesser/flauncher/MainActivity.java
index 423b659..5a53288 100644
--- a/android/app/src/main/java/me/efesser/flauncher/MainActivity.java
+++ b/android/app/src/main/java/me/efesser/flauncher/MainActivity.java
@@ -35,8 +35,6 @@ import androidx.annotation.NonNull;
 import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -66,10 +64,6 @@ import java.util.concurrent.Future;
 public class MainActivity extends FlutterActivity {
- private static final List ALLOWED_ACTIONS = Collections.unmodifiableList(Arrays.asList(
- Settings.ACTION_SETTINGS
- ));
-
 private final String METHOD_CHANNEL = "me.efesser.flauncher/method";
 private final String APPS_EVENT_CHANNEL = "me.efesser.flauncher/event_apps";
 private final String NETWORK_EVENT_CHANNEL = "me.efesser.flauncher/event_network";
@@ -337,10 +331,11 @@ private Map buildAppMap(ActivityInfo activityInfo, boolean
 }
 private boolean launchActivityFromAction(String action) {
- if (action == null || !ALLOWED_ACTIONS.contains(action)) {
- return false;
+ // Prevent Intent Action Injection by only allowing known actions
+ if (Settings.ACTION_SETTINGS.equals(action)) {
+ return tryStartActivity(new Intent(action));
 }
- return tryStartActivity(new Intent(action));
+ return false;
 }
 private boolean launchApp(String packageName) {
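Review bot: After the equality test in `@@ -346,10 +340,11 @@` the intent is still built from the caller's string, `new Intent(action)`; building it from the constant, `return tryStartActivity(new Intent(Settings.ACTION_SETTINGS));`, keeps the launched value tied to the constant even if the condition is loosened later. The same applies to `@@ -337,10 +331,11 @@` in the second MainActivity. The added comment says "known actions" while exactly one is accepted; `// Only Settings.ACTION_SETTINGS may be launched; any other action, including null, is refused and returns false.` states the contract. `tryStartActivity` is outside the hunk, so whether the resulting implicit intent is restricted any further there cannot be seen from here.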