From edbfba85c79b9b26290a11249e425016770e01b6 Mon Sep 17 00:00:00 2001
From: dadachi <maurois@mac.com>
Date: Fri, 27 Mar 2026 17:14:48 +0900
Subject: [PATCH] Fix security vulnerabilities from audit

- Disable cleartext traffic and add network_security_config.xml (debug override allows local dev)
- Disable app backup to prevent auth token extraction via adb backup
- Encrypt DataStore tokens at rest using Tink AEAD with Android Keystore
- Add certificate pinning for api.nativeapptemplate.com (leaf + intermediate CA)
- Validate NDEF URL origin before extracting intent data
- Restrict <profileable android:shell="true"> to debug builds only
- Remove unused mailto intent filter from MainActivity

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 app/build.gradle.kts                          |  1 +
 app/src/debug/AndroidManifest.xml             |  7 ++++
 .../debug/res/xml/network_security_config.xml |  7 ++++
 app/src/main/AndroidManifest.xml              | 16 +++------
 .../datastore/UserPreferencesSerializer.kt    | 34 +++++++++++++-----
 .../di/modules/CryptoModule.kt                | 35 +++++++++++++++++++
 .../di/modules/NetModule.kt                   |  9 +++++
 .../nativeapptemplatefree/utils/Utility.kt    |  4 +++
 app/src/main/res/xml/backup_rules.xml         |  8 +++++
 .../main/res/xml/data_extraction_rules.xml    | 17 +++++++++
 .../main/res/xml/network_security_config.xml  |  6 ++++
 .../UserPreferencesSerializerTest.kt          | 35 +++++++++++++++++--
 .../datastoreTest/TestCryptoModule.kt         | 27 ++++++++++++++
 gradle/libs.versions.toml                     |  2 ++
 14 files changed, 185 insertions(+), 23 deletions(-)
 create mode 100644 app/src/debug/AndroidManifest.xml
 create mode 100644 app/src/debug/res/xml/network_security_config.xml
 create mode 100644 app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/di/modules/CryptoModule.kt
 create mode 100644 app/src/main/res/xml/backup_rules.xml
 create mode 100644 app/src/main/res/xml/data_extraction_rules.xml
 create mode 100644 app/src/main/res/xml/network_security_config.xml
 create mode 100644 app/src/test/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastoreTest/TestCryptoModule.kt

diff --git a/app/build.gradle.kts b/app/build.gradle.kts
index 5949925..e036eae 100644
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
@@ -113,6 +113,7 @@ dependencies {
   implementation(libs.sandwich)
   implementation(libs.sandwich.retrofit)
   implementation(libs.sandwich.retrofit.serialization)
+  implementation(libs.tink.android)
 
   ksp(libs.hilt.compiler)
 
diff --git a/app/src/debug/AndroidManifest.xml b/app/src/debug/AndroidManifest.xml
new file mode 100644
index 0000000..2d15fee
--- /dev/null
+++ b/app/src/debug/AndroidManifest.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+        xmlns:tools="http://schemas.android.com/tools">
+    <application tools:ignore="MissingApplicationIcon">
+        <profileable android:shell="true" tools:targetApi="q" />
+    </application>
+</manifest>
diff --git a/app/src/debug/res/xml/network_security_config.xml b/app/src/debug/res/xml/network_security_config.xml
new file mode 100644
index 0000000..d3e3084
--- /dev/null
+++ b/app/src/debug/res/xml/network_security_config.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+    <base-config cleartextTrafficPermitted="true" />
+    <domain-config cleartextTrafficPermitted="false">
+        <domain includeSubdomains="true">api.nativeapptemplate.com</domain>
+    </domain-config>
+</network-security-config>
diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml
index 880d741..fb13ed3 100644
--- a/app/src/main/AndroidManifest.xml
+++ b/app/src/main/AndroidManifest.xml
@@ -10,17 +10,17 @@
 
   <application
           android:name=".NativeAppTemplateApplication"
-          android:allowBackup="true"
+          android:allowBackup="false"
+          android:dataExtractionRules="@xml/data_extraction_rules"
+          android:fullBackupContent="@xml/backup_rules"
           android:enableOnBackInvokedCallback="true"
           android:icon="@mipmap/ic_launcher"
           android:label="@string/app_name"
           android:supportsRtl="true"
           android:theme="@style/Theme.Nat.Splash"
-          android:usesCleartextTraffic="true"
+          android:networkSecurityConfig="@xml/network_security_config"
           tools:ignore="GoogleAppIndexingWarning"
           tools:targetApi="tiramisu">
-    <profileable android:shell="true" tools:targetApi="q" />
-
     <!--
     `singleTask` for Background Tag Reading. Avoid running MainActivity onCreate again with Background Tag Reading.
     https://qiita.com/takagimeow/items/48b37c55ad8d73d5da88
@@ -33,14 +33,6 @@
         <action android:name="android.intent.action.MAIN" />
         <category android:name="android.intent.category.LAUNCHER" />
       </intent-filter>
-      <intent-filter>
-        <action android:name="android.intent.action.SEND" />
-        <action android:name="android.intent.action.SENDTO" />
-        <action android:name="android.intent.action.VIEW" />
-        <category android:name="android.intent.category.BROWSABLE" />
-        <data android:scheme="mailto" />
-        <category android:name="android.intent.category.DEFAULT" />
-      </intent-filter>
       <intent-filter>
         <action android:name="android.nfc.action.NDEF_DISCOVERED" />
         <category android:name="android.intent.category.DEFAULT" />
diff --git a/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastore/UserPreferencesSerializer.kt b/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastore/UserPreferencesSerializer.kt
index a0bd566..c2dfd09 100644
--- a/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastore/UserPreferencesSerializer.kt
+++ b/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastore/UserPreferencesSerializer.kt
@@ -18,28 +18,44 @@ package com.nativeapptemplate.nativeapptemplatefree.datastore
 
 import androidx.datastore.core.CorruptionException
 import androidx.datastore.core.Serializer
+import com.google.crypto.tink.Aead
 import com.google.protobuf.InvalidProtocolBufferException
 import com.nativeapptemplate.nativeapptemplatefree.UserPreferences
 import java.io.InputStream
 import java.io.OutputStream
+import java.security.GeneralSecurityException
 import javax.inject.Inject
 
 /**
  * An [androidx.datastore.core.Serializer] for the [UserPreferences] proto.
+ *
+ * Encrypts data at rest using Tink AEAD. On read, falls back to parsing
+ * unencrypted proto for migration from the previous unencrypted format.
  */
-class UserPreferencesSerializer @Inject constructor() : Serializer<UserPreferences> {
+class UserPreferencesSerializer @Inject constructor(
+  private val aead: Aead,
+) : Serializer<UserPreferences> {
   override val defaultValue: UserPreferences = UserPreferences.getDefaultInstance()
 
-  override suspend fun readFrom(input: InputStream): UserPreferences =
-    try {
-      // readFrom is already called on the data store background thread
-      UserPreferences.parseFrom(input)
-    } catch (exception: InvalidProtocolBufferException) {
-      throw CorruptionException("Cannot read proto.", exception)
+  override suspend fun readFrom(input: InputStream): UserPreferences {
+    val bytes = input.readBytes()
+    if (bytes.isEmpty()) return defaultValue
+    return try {
+      val decrypted = aead.decrypt(bytes, null)
+      UserPreferences.parseFrom(decrypted)
+    } catch (_: GeneralSecurityException) {
+      // Fallback: try parsing as unencrypted proto (migration from legacy format).
+      // The data will be re-encrypted on the next write.
+      try {
+        UserPreferences.parseFrom(bytes)
+      } catch (e: InvalidProtocolBufferException) {
+        throw CorruptionException("Cannot read proto.", e)
+      }
     }
+  }
 
   override suspend fun writeTo(t: UserPreferences, output: OutputStream) {
-    // writeTo is already called on the data store background thread
-    t.writeTo(output)
+    val encrypted = aead.encrypt(t.toByteArray(), null)
+    output.write(encrypted)
   }
 }
diff --git a/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/di/modules/CryptoModule.kt b/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/di/modules/CryptoModule.kt
new file mode 100644
index 0000000..2f25278
--- /dev/null
+++ b/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/di/modules/CryptoModule.kt
@@ -0,0 +1,35 @@
+package com.nativeapptemplate.nativeapptemplatefree.di.modules
+
+import android.content.Context
+import com.google.crypto.tink.Aead
+import com.google.crypto.tink.KeyTemplates
+import com.google.crypto.tink.aead.AeadConfig
+import com.google.crypto.tink.integration.android.AndroidKeysetManager
+import dagger.Module
+import dagger.Provides
+import dagger.hilt.InstallIn
+import dagger.hilt.android.qualifiers.ApplicationContext
+import dagger.hilt.components.SingletonComponent
+import javax.inject.Singleton
+
+@Module
+@InstallIn(SingletonComponent::class)
+object CryptoModule {
+
+  private const val KEYSET_NAME = "nat_datastore_keyset"
+  private const val PREFERENCE_FILE = "nat_datastore_key_preference"
+  private const val MASTER_KEY_URI = "android-keystore://nat_datastore_master_key"
+
+  @Provides
+  @Singleton
+  fun providesAead(@ApplicationContext context: Context): Aead {
+    AeadConfig.register()
+    return AndroidKeysetManager.Builder()
+      .withSharedPref(context, KEYSET_NAME, PREFERENCE_FILE)
+      .withKeyTemplate(KeyTemplates.get("AES256_GCM"))
+      .withMasterKeyUri(MASTER_KEY_URI)
+      .build()
+      .keysetHandle
+      .getPrimitive(Aead::class.java)
+  }
+}
diff --git a/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/di/modules/NetModule.kt b/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/di/modules/NetModule.kt
index 9ee5b03..d31c8b4 100644
--- a/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/di/modules/NetModule.kt
+++ b/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/di/modules/NetModule.kt
@@ -17,6 +17,7 @@ import dagger.hilt.InstallIn
 import dagger.hilt.components.SingletonComponent
 import kotlinx.serialization.json.Json
 import okhttp3.Call
+import okhttp3.CertificatePinner
 import okhttp3.MediaType.Companion.toMediaType
 import okhttp3.OkHttpClient
 import okhttp3.logging.HttpLoggingInterceptor
@@ -61,6 +62,14 @@ class NetModule {
       .writeTimeout(30, TimeUnit.SECONDS)
       .addNetworkInterceptor(authInterceptor)
       .addInterceptor(loggingInterceptor)
+      .certificatePinner(
+        CertificatePinner.Builder()
+          // Leaf: api.nativeapptemplate.com
+          .add("api.nativeapptemplate.com", "sha256/7Thx4p19FEZF2WeuXyjc8kr2t1FtT2zA5wWSWoIhh8A=")
+          // Intermediate: Google Trust Services WE1
+          .add("api.nativeapptemplate.com", "sha256/kIdp6NNEd8wsugYyyIYFsi1ylMCED3hZbSR8ZFsa/A4=")
+          .build(),
+      )
       .build()
 
   private val json = Json {
diff --git a/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/utils/Utility.kt b/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/utils/Utility.kt
index 119fda9..01b3018 100644
--- a/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/utils/Utility.kt
+++ b/app/src/main/kotlin/com/nativeapptemplate/nativeapptemplatefree/utils/Utility.kt
@@ -69,6 +69,10 @@ object Utility {
     val ndefRecord = ndefRecords.first()
     val url = ndefRecord.toUri() ?: return itemTagInfo
 
+    if (url.scheme != "https" || url.host != BuildConfig.DOMAIN || url.path != "/${NatConstants.SCAN_PATH}") {
+      return itemTagInfo
+    }
+
     val itemTagId = url.getQueryParameter("item_tag_id")
     val type = url.getQueryParameter("type")
 
diff --git a/app/src/main/res/xml/backup_rules.xml b/app/src/main/res/xml/backup_rules.xml
new file mode 100644
index 0000000..1c10692
--- /dev/null
+++ b/app/src/main/res/xml/backup_rules.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<full-backup-content>
+    <exclude domain="sharedpref" path="." />
+    <exclude domain="database" path="." />
+    <exclude domain="root" path="." />
+    <exclude domain="file" path="." />
+    <exclude domain="external" path="." />
+</full-backup-content>
diff --git a/app/src/main/res/xml/data_extraction_rules.xml b/app/src/main/res/xml/data_extraction_rules.xml
new file mode 100644
index 0000000..fe61eb7
--- /dev/null
+++ b/app/src/main/res/xml/data_extraction_rules.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<data-extraction-rules>
+    <cloud-backup>
+        <exclude domain="root" />
+        <exclude domain="file" />
+        <exclude domain="database" />
+        <exclude domain="sharedpref" />
+        <exclude domain="external" />
+    </cloud-backup>
+    <device-transfer>
+        <exclude domain="root" />
+        <exclude domain="file" />
+        <exclude domain="database" />
+        <exclude domain="sharedpref" />
+        <exclude domain="external" />
+    </device-transfer>
+</data-extraction-rules>
diff --git a/app/src/main/res/xml/network_security_config.xml b/app/src/main/res/xml/network_security_config.xml
new file mode 100644
index 0000000..a6bc3c7
--- /dev/null
+++ b/app/src/main/res/xml/network_security_config.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+    <domain-config cleartextTrafficPermitted="false">
+        <domain includeSubdomains="true">api.nativeapptemplate.com</domain>
+    </domain-config>
+</network-security-config>
diff --git a/app/src/test/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastore/UserPreferencesSerializerTest.kt b/app/src/test/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastore/UserPreferencesSerializerTest.kt
index ee870c3..53d9b9f 100644
--- a/app/src/test/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastore/UserPreferencesSerializerTest.kt
+++ b/app/src/test/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastore/UserPreferencesSerializerTest.kt
@@ -1,14 +1,28 @@
 package com.nativeapptemplate.nativeapptemplatefree.datastore
 
 import androidx.datastore.core.CorruptionException
+import com.google.crypto.tink.Aead
+import com.google.crypto.tink.KeyTemplates
+import com.google.crypto.tink.KeysetHandle
+import com.google.crypto.tink.aead.AeadConfig
 import com.nativeapptemplate.nativeapptemplatefree.userPreferences
 import kotlinx.coroutines.test.runTest
+import org.junit.Before
 import org.junit.Test
 import java.io.ByteArrayInputStream
 import java.io.ByteArrayOutputStream
 
 class UserPreferencesSerializerTest {
-  private val userPreferencesSerializer = UserPreferencesSerializer()
+  private lateinit var aead: Aead
+  private lateinit var userPreferencesSerializer: UserPreferencesSerializer
+
+  @Before
+  fun setUp() {
+    AeadConfig.register()
+    val keysetHandle = KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM"))
+    aead = keysetHandle.getPrimitive(Aead::class.java)
+    userPreferencesSerializer = UserPreferencesSerializer(aead)
+  }
 
   @Test
   fun defaultUserPreferences_isEmpty() {
@@ -27,11 +41,28 @@ class UserPreferencesSerializerTest {
     }
 
     val outputStream = ByteArrayOutputStream()
+    userPreferencesSerializer.writeTo(expectedUserPreferences, outputStream)
+
+    val inputStream = ByteArrayInputStream(outputStream.toByteArray())
+    val actualUserPreferences = userPreferencesSerializer.readFrom(inputStream)
+
+    kotlin.test.assertEquals(
+      expectedUserPreferences,
+      actualUserPreferences,
+    )
+  }
 
+  @Test
+  fun readingUnencryptedProto_migratesSuccessfully() = runTest {
+    val expectedUserPreferences = userPreferences {
+      isLoggedIn = true
+    }
+
+    // Write unencrypted proto (legacy format)
+    val outputStream = ByteArrayOutputStream()
     expectedUserPreferences.writeTo(outputStream)
 
     val inputStream = ByteArrayInputStream(outputStream.toByteArray())
-
     val actualUserPreferences = userPreferencesSerializer.readFrom(inputStream)
 
     kotlin.test.assertEquals(
diff --git a/app/src/test/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastoreTest/TestCryptoModule.kt b/app/src/test/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastoreTest/TestCryptoModule.kt
new file mode 100644
index 0000000..f8a2353
--- /dev/null
+++ b/app/src/test/kotlin/com/nativeapptemplate/nativeapptemplatefree/datastoreTest/TestCryptoModule.kt
@@ -0,0 +1,27 @@
+package com.nativeapptemplate.nativeapptemplatefree.datastoreTest
+
+import com.google.crypto.tink.Aead
+import com.google.crypto.tink.KeyTemplates
+import com.google.crypto.tink.KeysetHandle
+import com.google.crypto.tink.aead.AeadConfig
+import com.nativeapptemplate.nativeapptemplatefree.di.modules.CryptoModule
+import dagger.Module
+import dagger.Provides
+import dagger.hilt.components.SingletonComponent
+import dagger.hilt.testing.TestInstallIn
+import javax.inject.Singleton
+
+@Module
+@TestInstallIn(
+  components = [SingletonComponent::class],
+  replaces = [CryptoModule::class],
+)
+internal object TestCryptoModule {
+  @Provides
+  @Singleton
+  fun providesAead(): Aead {
+    AeadConfig.register()
+    val keysetHandle = KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM"))
+    return keysetHandle.getPrimitive(Aead::class.java)
+  }
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index e41d7b4..144b4bd 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -26,6 +26,7 @@ ksp = "2.3.4"
 lottie = "6.6.6"
 okHttp = "4.12.0"
 protobuf = "4.29.2"
+tinkAndroid = "1.16.0"
 protobufPlugin = "0.9.6"
 retrofit = "2.11.0"
 retrofitKotlinxSerializationJson = "1.0.0"
@@ -75,6 +76,7 @@ retrofit = { module = "com.squareup.retrofit2:retrofit", version.ref = "retrofit
 retrofit-kotlin-serialization = { group = "com.jakewharton.retrofit", name = "retrofit2-kotlinx-serialization-converter", version.ref = "retrofitKotlinxSerializationJson" }
 robolectric = { group = "org.robolectric", name = "robolectric", version.ref = "robolectric" }
 sandwich = { module = "com.github.skydoves:sandwich", version.ref = "sandwich" }
+tink-android = { module = "com.google.crypto.tink:tink-android", version.ref = "tinkAndroid" }
 sandwich-retrofit = { module = "com.github.skydoves:sandwich-retrofit", version.ref = "sandwich" }
 sandwich-retrofit-serialization = { module = "com.github.skydoves:sandwich-retrofit-serialization", version.ref = "sandwichRetrofitSerialization" }