Oculus StrandHogg Vulnerability fix - SOLVED

Hi guys,

I am in the process of submitting my game to App Lab and am getting a vulnerability warning regarding the StrandHogg exploit on Android. Apparently this affects pretty much every Android app so it is something we are all going to have to deal with eventually.

Oculus have included these details on how to fix the issue suggesting developers add this code in to their manifest file…

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.datatheorem.android.tjservice">
    ...
    <application
        android:allowBackup="false"
        ...
        android:theme="@style/AppTheme">
        <activity
            ...
            android:taskAffinity="">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        ...

However, being as we are unable to directly edit the manifest file and have to make changes through the project settings window, it seems impossible to add this!
Can anybody explain how this, or at least the relevant sections of it, can be added to the manifest via the project settings window?

Edit: I’m guessing that the intent filter section would go into the activity-extra settings section like this…

<intent-filter>\n<action android:name="android.intent.action.MAIN" />\n<category android:name="android.intent.category.LAUNCHER" />\n</intent-filter>

Though can anybody confirm this and verify that the syntax I’ve used is correct?

Thanks,

Dave

Okay, after some playing around it seems I was right in how this should be applied in UE4.

The extra settings are correct as defined in my post so the Advanced APK Packaging window should look more or less like this.

Note: The Cleartexttraffic tag seen here in the application node solves another of the vulnerabilities flagged by Oculus so probably worth including as well.

Hope this helps somebody.

Dave
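
One way to confirm that the values entered in the project settings actually reached the packaged manifest, as an added example that is not part of the original posts or of Oculus's guidance: it parses a decoded, plain-text AndroidManifest.xml and reports any activity whose effective android:taskAffinity is not empty, plus a missing android:allowBackup="false". The package and activity names in the samples are constructed; the fallback order (activity, then application, then package name) is Android's documented default for taskAffinity.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def audit_manifest(xml_text):
    """Return findings for a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]
    findings = []
    if app.get(ANDROID + "allowBackup") != "false":
        findings.append('application: android:allowBackup is not "false"')
    # An activity without its own taskAffinity inherits the application's
    # value, which in turn defaults to the package name.
    inherited = app.get(ANDROID + "taskAffinity", root.get("package", ""))
    for act in app.iter("activity"):
        name = act.get(ANDROID + "name", "<unnamed>")
        affinity = act.get(ANDROID + "taskAffinity", inherited)
        if affinity != "":
            findings.append(f"activity {name}: effective taskAffinity "
                            f"is {affinity!r}, expected an empty string")
    return findings

# Constructed sample manifests (package and activity names are made up).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
BEFORE = f"""<manifest {NS} package="com.example.game">
  <application android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""
AFTER = (BEFORE.replace('allowBackup="true"', 'allowBackup="false"')
               .replace('name=".MainActivity"',
                        'name=".MainActivity" android:taskAffinity=""'))

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_manifest(text) or "OK")
```

The manifest inside an APK is binary XML, so run this against the generated plain-text manifest from the build output or a decoded copy.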