feat(android): config import/export — clipboard, QR, deep link, share

[yyoyoian-pixel]

Summary

One-tap config sharing between devices. Export your config as a QR code or compressed link, import by pasting, scanning, or tapping a deep link.

Features

Import:

• Clipboard paste — banner appears at the top when mhrv://... or raw JSON is detected in clipboard. One tap to import, clipboard cleared after.
• QR scanner — opens camera in portrait, scans and imports.
• Deep link — tapping mhrv://... in any app/chat auto-opens mhrv-rs and imports.

Export:

• Unified dialog — QR code + compressed hash + copy button in one view.
• Share sheet — sends QR image + text hash together via Android share (Telegram, WhatsApp, email, etc.).
• Compact encoding — only non-default fields, DEFLATE compressed before base64. Typical config is ~200 chars vs ~800 raw.

Security:

• Warning: "This includes your auth_key. Only share with people you trust."

What's shared vs not

Included	Not included (device-specific)
mode, script_ids, auth_key	listen_host, listen_port, socks5_port
google_ip (if changed), front_domain (if changed)	connectionMode (VPN/proxy)
sni_hosts, verify_ssl, log_level, parallel_relay	splitMode, splitApps
upstream_socks5, passthrough_hosts	uiLang

Changes

File	What
ui/ConfigSharing.kt (new)	Import/export composables, QR generation, scanner launcher
ConfigStore.kt	encode(), decode(), looksLikeConfig(), loadFromJson() (deduplicated from load())
MainActivity.kt	Deep link intent handling (mhrv:// scheme)
AndroidManifest.xml	Deep link intent filter, FileProvider for QR sharing, ZXing portrait lock
build.gradle.kts	ZXing core + zxing-android-embedded dependencies
HomeScreen.kt	ConfigSharingBar wired in above Mode dropdown
strings.xml	14 new string resources
xml/file_paths.xml (new)	FileProvider paths for cache dir

Test plan

• Export → copy → paste on another device → import works
• Export → share via Telegram → recipient pastes → import works
• QR code scans successfully from another phone's screen
• Deep link mhrv://... opens app and imports
• Clipboard banner disappears after import (clipboard cleared)
• Raw JSON in clipboard also detected and importable
• QR scanner opens in portrait

🤖 Generated with Claude Code

[therealaleph]

Hi @yyoyoian-pixel — feature is well-built (clipboard banner + QR + DEFLATE compression + careful field-by-field include/exclude list is exactly right). One blocker on security grounds before this can merge:

🚨 Blocker — handleDeepLink auto-imports without confirmation. The QR scanner path is safe; the deep link path is the inconsistency:

MainActivity.kt:

private fun handleDeepLink(intent: Intent?) {
    val data = intent?.data ?: return
    if (data.scheme != "mhrv") return
    val encoded = data.toString()
    val cfg = ConfigStore.decode(encoded) ?: return
    ConfigStore.save(this, cfg)                    // ← overwrites existing config
    android.widget.Toast.makeText(this, "Config imported", ...).show()
}

vs. ConfigSharing.kt scanner path (correct):

val scanLauncher = rememberLauncherForActivityResult(ScanContract()) { result ->
    val decoded = ConfigStore.decode(scanned)
    if (decoded != null) {
        pendingImport = decoded
        showImportConfirm = true   // ← user has to confirm
    }
}

Why this matters for our threat model:

This project's user base is exactly the population an attacker would want to MITM — Iranian users who can't use a regular VPN, who often discover tools via Telegram/forum links, who tap things without scrutiny. The attack flow:

1. Attacker crafts mhrv://<base64-of-attacker-config> — their own script_ids + auth_key
2. Posts the link in a Telegram channel claiming "free fast deployment"
3. User taps → mhrv-rs opens → config silently overwrites → traffic now flows through attacker's Apps Script
4. Attacker has full visibility into URLs visited and can MITM HTTPS (mhrv-rs's MITM CA is already trusted by the device, and the CA private key is in the attacker-controlled deployment indirectly via the relay path — wait, actually the CA key stays local; but the attacker doesn't need to break TLS, they just see all the destination URLs and can return arbitrary responses)

The Toast only appears AFTER the config has already been overwritten. By the time the user reads it, they're already routing traffic through the attacker.

The fix is small — make handleDeepLink use the same showImportConfirm modal the scanner path does:

private fun handleDeepLink(intent: Intent?) {
    val data = intent?.data ?: return
    if (data.scheme != "mhrv") return
    val encoded = data.toString()
    val cfg = ConfigStore.decode(encoded) ?: return
    // Don't auto-save. Stash for the UI to confirm.
    pendingDeepLinkImport = cfg
}

And then in AppRoot() / HomeScreen, surface a pendingDeepLinkImport-driven dialog using the same showImportConfirm UX — show the new script_ids[0..3], the mode, and the tunnel_node_url (if Full mode), with "Import (replaces current config)" and "Cancel" buttons. The dialog should explicitly note that imported deployment IDs and auth_key will route the user's traffic.

The clipboard banner path is fine because the user has to tap "Import" — that's already explicit consent.

Other points (non-blocking, suggestions):

• The export warning is good ("This includes your auth_key. Only share with people you trust.") — same warning text on the import side would be appropriate, with the inverse phrasing: "Importing routes your traffic through the deployment IDs in this config. Only import from trusted sources."
• Consider adding a fingerprint display on the import-confirm dialog: hash of (script_ids[0], auth_key[..8]) shown as 4-byte hex, so users can verify with the sender out-of-band that they got the right config (not a swapped one).
• The mhrv:// scheme is fairly generic — collision risk with any future app using the same scheme. mhrv-rs:// would be slightly more specific. Not blocking but worth thinking about.

The clipboard / QR / share / compact-encoding parts are excellent. Once the deep-link auto-import becomes confirm-first, this is mergeable. Happy to re-review on push.

---

_{[reply via Anthropic Claude | reviewed by @therealaleph]}

[yyoyoian-pixel]

@therealaleph fixed, please check if all is fine.