FRP bypass defense in the settings app

Over the last few years, there have been a number of Factory Reset Protection bypass bugs in the SUW flow. It's unlikely to defense all points from individual apps. Therefore, we decide to block some critical pages when user doesn't complete the SUW flow. Test: Can't open the certain pages in the suw flow. Fix: 200746457 Bug: 202975040 Fix: 213091525 Fix: 213090835 Fix: 201561699 Fix: 213090827 Fix: 213090875 Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
2022-01-03 18:25:04 +08:00
parent 1ee60270df
commit 07dd833a6a
10 changed files with 170 additions and 1 deletions
--- a/src/com/android/settings/SettingsPreferenceFragment.java
+++ b/src/com/android/settings/SettingsPreferenceFragment.java
@@ -54,6 +54,7 @@ import com.android.settingslib.search.Indexable;
 import com.android.settingslib.widget.LayoutPreference;

 import com.google.android.material.appbar.AppBarLayout;
+import com.google.android.setupcompat.util.WizardManagerHelper;

 import java.util.UUID;

@@ -63,7 +64,7 @@ import java.util.UUID;
 public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceFragment
        implements DialogCreatable, HelpResourceProvider, Indexable {

-    private static final String TAG = "SettingsPreference";
+    private static final String TAG = "SettingsPreferenceFragment";

    private static final String SAVE_HIGHLIGHTED_KEY = "android:preference_highlighted";

@@ -121,6 +122,15 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
    public HighlightablePreferenceGroupAdapter mAdapter;
    private boolean mPreferenceHighlighted = false;

+    @Override
+    public void onAttach(Context context) {
+        if (shouldSkipForInitialSUW() && !WizardManagerHelper.isDeviceProvisioned(getContext())) {
+            Log.w(TAG, "Skip " + getClass().getSimpleName() + " before SUW completed.");
+            finish();
+        }
+        super.onAttach(context);
+    }
+
    @Override
    public void onCreate(Bundle icicle) {
        super.onCreate(icicle);
@@ -267,6 +277,16 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
                || (mAdapter.getPreferenceAdapterPosition(preference) != RecyclerView.NO_POSITION));
    }

+    /**
+     * Whether UI should be skipped in the initial SUW flow.
+     *
+     * @return {@code true} when UI should be skipped in the initial SUW flow.
+     * {@code false} when UI should not be skipped in the initial SUW flow.
+     */
+    protected boolean shouldSkipForInitialSUW() {
+        return false;
+    }
+
    protected void onDataSetChanged() {
        highlightPreferenceIfNeeded();
        updateEmptyView();
--- a/src/com/android/settings/accounts/AccountDashboardFragment.java
+++ b/src/com/android/settings/accounts/AccountDashboardFragment.java
@@ -84,6 +84,11 @@ public class AccountDashboardFragment extends DashboardFragment {
        return controllers;
    }

+    @Override
+    protected boolean shouldSkipForInitialSUW() {
+        return true;
+    }
+
    static void buildAutofillPreferenceControllers(
            Context context, List<AbstractPreferenceController> controllers) {
        controllers.add(new DefaultAutofillPreferenceController(context));
--- a/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java
+++ b/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java
@@ -507,6 +507,11 @@ public class AppInfoDashboardFragment extends DashboardFragment
        return true;
    }

+    @Override
+    protected boolean shouldSkipForInitialSUW() {
+        return true;
+    }
+
    private void uninstallPkg(String packageName, boolean allUsers, boolean andDisable) {
        stopListeningToPackageRemove();
        // Create new intent to launch Uninstaller activity
--- a/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java
+++ b/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java
@@ -215,6 +215,11 @@ public class DevelopmentSettingsDashboardFragment extends RestrictedDashboardFra
        }
    }

+    @Override
+    protected boolean shouldSkipForInitialSUW() {
+        return true;
+    }
+
    /**
     * Long-pressing a developer options quick settings tile will by default (see
     * QS_TILE_PREFERENCES in the manifest) take you to the developer options page.
--- a/src/com/android/settings/system/ResetDashboardFragment.java
+++ b/src/com/android/settings/system/ResetDashboardFragment.java
@@ -64,6 +64,11 @@ public class ResetDashboardFragment extends DashboardFragment {
        use(EraseEuiccDataController.class).setFragment(this);
    }

+    @Override
+    protected boolean shouldSkipForInitialSUW() {
+        return true;
+    }
+
    private static List<AbstractPreferenceController> buildPreferenceControllers(Context context,
            Lifecycle lifecycle) {
        final List<AbstractPreferenceController> controllers = new ArrayList<>();
--- a/tests/robotests/src/com/android/settings/SettingsPreferenceFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/SettingsPreferenceFragmentTest.java
@@ -23,11 +23,13 @@ import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;

 import android.content.Context;
 import android.os.Bundle;
+import android.provider.Settings;
 import android.view.View;
 import android.widget.FrameLayout;

@@ -41,6 +43,7 @@ import com.android.settings.testutils.FakeFeatureFactory;
 import com.android.settings.testutils.shadow.ShadowFragment;
 import com.android.settings.widget.WorkOnlyCategory;

+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -64,7 +67,9 @@ public class SettingsPreferenceFragmentTest {
    private PreferenceScreen mPreferenceScreen;
    private Context mContext;
    private TestFragment mFragment;
+    private TestFragment2 mFragment2;
    private View mEmptyView;
+    private int mInitDeviceProvisionedValue;

    @Before
    public void setUp() {
@@ -72,13 +77,24 @@ public class SettingsPreferenceFragmentTest {
        FakeFeatureFactory.setupForTest();
        mContext = RuntimeEnvironment.application;
        mFragment = spy(new TestFragment());
+        mFragment2 = spy(new TestFragment2());
        doReturn(mActivity).when(mFragment).getActivity();
        when(mFragment.getContext()).thenReturn(mContext);
+        when(mFragment2.getContext()).thenReturn(mContext);

        mEmptyView = new View(mContext);
        ReflectionHelpers.setField(mFragment, "mEmptyView", mEmptyView);

        doReturn(ITEM_COUNT).when(mPreferenceScreen).getPreferenceCount();
+
+        mInitDeviceProvisionedValue = Settings.Global.getInt(mContext.getContentResolver(),
+                Settings.Global.DEVICE_PROVISIONED, 0);
+    }
+
+    @After
+    public void tearDown() {
+        Settings.Global.putInt(mContext.getContentResolver(),
+                Settings.Global.DEVICE_PROVISIONED, mInitDeviceProvisionedValue);
    }

    @Test
@@ -210,8 +226,66 @@ public class SettingsPreferenceFragmentTest {
        assertThat(mFragment.mPinnedHeaderFrameLayout.getVisibility()).isEqualTo(View.INVISIBLE);
    }

+    @Test
+    public void onAttach_shouldNotSkipForSUWAndDeviceIsProvisioned_notCallFinish() {
+        Settings.Global.putInt(mContext.getContentResolver(),
+                Settings.Global.DEVICE_PROVISIONED, 1);
+
+        mFragment.onAttach(mContext);
+
+        verify(mFragment, never()).finish();
+    }
+
+    @Test
+    public void onAttach_shouldNotSkipForSUWAndDeviceIsNotProvisioned_notCallFinish() {
+        Settings.Global.putInt(mContext.getContentResolver(),
+                Settings.Global.DEVICE_PROVISIONED, 0);
+
+        mFragment.onAttach(mContext);
+
+        verify(mFragment, never()).finish();
+    }
+
+    @Test
+    public void onAttach_shouldSkipForSUWAndDeviceIsDeviceProvisioned_notCallFinish() {
+        Settings.Global.putInt(mContext.getContentResolver(),
+                Settings.Global.DEVICE_PROVISIONED, 1);
+
+        mFragment2.onAttach(mContext);
+
+        verify(mFragment2, never()).finish();
+    }
+
+    @Test
+    public void onAttach_shouldSkipForSUWAndDeviceProvisioned_notCallFinish() {
+        Settings.Global.putInt(mContext.getContentResolver(),
+                Settings.Global.DEVICE_PROVISIONED, 0);
+
+        mFragment2.onAttach(mContext);
+
+        verify(mFragment2, times(1)).finish();
+    }
+
    public static class TestFragment extends SettingsPreferenceFragment {

+        @Override
+        protected boolean shouldSkipForInitialSUW() {
+            return false;
+        }
+
+        @Override
+        public int getMetricsCategory() {
+            return 0;
+        }
+    }
+
+    public static class TestFragment2 extends SettingsPreferenceFragment {
+
+        @Override
+        protected boolean shouldSkipForInitialSUW() {
+            return true;
+        }
+
        @Override
        public int getMetricsCategory() {
            return 0;
--- a/tests/robotests/src/com/android/settings/accounts/AccountDashboardFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/accounts/AccountDashboardFragmentTest.java
@@ -114,4 +114,9 @@ public class AccountDashboardFragmentTest {

        assertThat(indexRaws).isNotEmpty();
    }
+
+    @Test
+    public void shouldSkipForInitialSUW_returnTrue() {
+        assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
+    }
 }
--- a/tests/robotests/src/com/android/settings/applications/appinfo/AppInfoDashboardFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/applications/appinfo/AppInfoDashboardFragmentTest.java
@@ -384,6 +384,11 @@ public final class AppInfoDashboardFragmentTest {
                .isTrue();
    }

+    @Test
+    public void shouldSkipForInitialSUW_returnTrue() {
+        assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
+    }
+
    @Implements(AppUtils.class)
    public static class ShadowAppUtils {

--- a/tests/robotests/src/com/android/settings/development/DevelopmentSettingsDashboardFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/development/DevelopmentSettingsDashboardFragmentTest.java
@@ -278,6 +278,11 @@ public class DevelopmentSettingsDashboardFragmentTest {
        verify(controller).onDisableLogPersistDialogRejected();
    }

+    @Test
+    public void shouldSkipForInitialSUW_returnTrue() {
+        assertThat(mDashboard.shouldSkipForInitialSUW()).isTrue();
+    }
+
    @Implements(EnableDevelopmentSettingWarningDialog.class)
    public static class ShadowEnableDevelopmentSettingWarningDialog {

--- a/tests/robotests/src/com/android/settings/system/ResetDashboardFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/system/ResetDashboardFragmentTest.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.system;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.robolectric.RobolectricTestRunner;
+
+@RunWith(RobolectricTestRunner.class)
+public class ResetDashboardFragmentTest {
+
+    private ResetDashboardFragment mFragment;
+
+    @Before
+    public void setup() {
+        mFragment = new ResetDashboardFragment();
+    }
+
+    @Test
+    public void shouldSkipForInitialSUW_returnTrue() {
+        assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
+    }
+}