UI Framework provides a function CEikonEnv::SetSystem +to be used by applications that should not be possible to close from another +application. Currently this mechanism does not work and changes to Symbian code +alone will not be enough to close this vulnerability.
+ + Updates to licensee code are required to prevent that applications having called CEikonEnv::SetSystem (e.g. Telephony) to be possible to close from another application.+ +
+ +
To close the security vulnerability all implementations of +the virtual CCoeAppUi::HandleSystemEventL needs +to:
+ +· Change so that an application marked as “system” does not +close itself when it receives an EApaSystemEventShutdown event
+ +· Add functionality so that an application is closed when it +receives an +EApaSystemEventSecureShutdown event
+ ++ +
In code this can be expressed like this.
+ ++ +
EXPORT_C void CXxxAppUi::HandleSystemEventL(const +TWsEvent& aEvent)
+ +{
+ +<skip>
+ +case EApaSystemEventShutdown:
+ ++ // This event +must no longer be allowed to close system-applications
+ ++ if((static_cast<CEikonEnv*>(iCoeEnv)->IsSystem()))
+ ++ break;
+ ++ case EApaSystemEventSecureShutdown:
+ ++ // If +shutter is already running we don’t need to launch another one
+ ++ if(iAppUiExtra +&& iAppUiExtra->IsSet(CEikAppUiExtra::EShutterPending))
+ ++ break;
+ ++ // Launch a shutter to +gracefully close the application
+ +CEikShutter::DeferredExecuteL(*iEikonEnv);
+ ++ if(iAppUiExtra)
+ ++ iAppUiExtra->Set(CEikAppUiExtra::EShutterPending);
+ +break;
+ +<skip>
+ +}
+ ++ +