- Add SafetyNet log if the calling package is no the permission for
result
Test: checked eventlog in the bugreport
Bug: 185126813
Merged-In: I1535f6f2ded2445702df0d723518b773cd094164
Change-Id: I1535f6f2ded2445702df0d723518b773cd094164
(cherry picked from commit 199528d460)
- Use getCallingPackage() to get calling package.
- Check if the calling package has ACCESS_COARSE_LOCATION or
ACCESS_COARSE_LOCATION permission.
- Only set result data to permission granted callers
Bug: 185126813
Test: manual test
make RunSettingsRoboTests ROBOTEST_FILTER=WifiDialogActivityTest
Merged-In: If7ca069c842ed2bd1aed23f9d4041473c68a4dad
Change-Id: If7ca069c842ed2bd1aed23f9d4041473c68a4dad
(cherry picked from commit 71e728e934)
Bluetooth app will indicate BluetoothOppReceiver to receive
device picker intent. But for fix the security issue we
removed the setClassName() method in ag/14111132 to avoid attack.
It causes BluetoothOppReceiver cannot receive the intent.
This CL will compare to calling package name with launch package name.
If they are not equal, the setClassName() will not invoke.
Bug: 186490534
Bug: 179386960
Bug: 179386068
Test: make RunSettingsRoboTests -j56
Change-Id: Ia51528f2a44ab73edbc86899ca0846d3262fe1f0
(cherry picked from commit bb5be240c0)
- Show restricted text in guest mode
- Screenshot:
https://screenshot.googleplex.com/6nYcmazMM46TxaB
Bug: 177573895
Test: manual test
make RunSettingsRoboTests \
ROBOTEST_FILTER=WifiNetworkDetailsFragmentTest
Change-Id: I5f857b2079e0f550e4be601d27dd54dac56b2f57
Merged-In: I5f857b2079e0f550e4be601d27dd54dac56b2f57
BluetoothPermissionActivity and DevicePickerFragment will send
broadcast to return the result to calling apps. As this broadcast
intent is from Settings with uid 1000, it will be sent to any
protected BroadcastReceivers in the device. It can make an attacker
send broadcast to protected BroadcastReceivers like factory reset intent
(android/com.android.server.MasterClearReceiver) via
BluetoothPermissionActivity or DevicePickerFragment.
This CL will not allow to set package name and class name to avoid
the attacker.
Bug: 179386960
Bug: 179386068
Test: make -j42 RunSettingsRoboTests and use test apk to manually test
to verify factory reset not started and no system UI notification.
Change-Id: Id27a78091ab578077853b8fbb97a4422cff0a158
(cherry picked from commit 8adedc6249)
The root issue is that CharSequence is an interface.
String implements that interface, however, Spanned class
too which is a rich text format that can store HTML code.
The solution is enforce to use String type which won't include
any HTML function.
Test: Rebuilt apk and see the string without HTML style.
Bug: 179042963
Change-Id: I53b460b12da918e022d2f2934f114d205dbaadb0
Merged-In: I53b460b12da918e022d2f2934f114d205dbaadb0
(cherry picked from commit 0bf3c98b2f)
This reverts commit 32d5d3a3a3.
Bug: 174047492
Reason for revert:
Look like the WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS system flag is not supported in the pi-dev branch.
Change-Id: Iec3c28e8c148f83fc171d696b2fc67f359d03eb8
To improve security.
Bug: 181962311
Test: manual
Show an AlertDialog and observe if it will hide after below command.
adb shell am start -a android.intent.action.PICK_ACTIVITY -n com.android.settings/.ActivityPicker
Change-Id: I6e2845cc19dc012cba2933318a067bbb8db90a23
(cherry picked from commit 3b4853e109)
- Disallowed non system overlay windows
- Screenshot
https://screenshot.googleplex.com/77fJ9QN6pV4zFYc
Bug: 174047492
Test: manual test
Merged-In: Ia7acad6d456ce5ebea2d982d4cb063d4f28cbfff
Change-Id: Ia7acad6d456ce5ebea2d982d4cb063d4f28cbfff
(cherry picked from commit d47d8e4fc5)
- Disallowed non system overlay windows
- Screenshot
https://screenshot.googleplex.com/77fJ9QN6pV4zFYc
Bug: 174047492
Test: manual test
Merged-In: Ia7acad6d456ce5ebea2d982d4cb063d4f28cbfff
Change-Id: Ia7acad6d456ce5ebea2d982d4cb063d4f28cbfff
(cherry picked from commit d47d8e4fc5)
Before this CL, there is a possible phishing attack allowing a malicious
BT device to acquire permissions based on insufficient information
presented to the user in the consent dialog. This could lead to local
escalation of privilege with no additional execution privileges needed.
User interaction is needed for exploitation.
This CL add more prompts presented for users to avoid phishing attacks.
Merge Conflict Notes:
There were a number of entries in strings.xml that did not exist on this
branch. However, as the CL only adds new entries rather than modifying
old ones this should not cause a problem. There were no merge conflicts
in the java files.
Bug: 167403112
Test: send intent to test right prompts message is pop up. make -j42 RunSettingsRoboTests
Change-Id: Idc6ef558b692115bb82ea58cf223f5919b618633
Before this CL, there is a possible phishing attack allowing a malicious
BT device to acquire permissions based on insufficient information
presented to the user in the consent dialog. This could lead to local
escalation of privilege with no additional execution privileges needed.
User interaction is needed for exploitation.
This CL add more prompts presented for users to avoid phishing attacks.
Merge Conflict Notes:
There were a number of entries in strings.xml that did not exist on this
branch. However, as the CL only adds new entries rather than modifying
old ones this should not cause a problem. There were no merge conflicts
in the java files.
Bug: 167403112
Test: send intent to test right prompts message is pop up. make -j42 RunSettingsRoboTests
Change-Id: Idc6ef558b692115bb82ea58cf223f5919b618633
Limit the component that may resolve this intent to the
bluetooth package.
Bug: 158219161
Test: Security Fix
Tag: #security
Change-Id: If732f940a7aa256f5975349118e8eb6cf5584676
Prevent non-system overlays from showing over notification listener consent dialog
Bug: 170731783
Test: use a visible overlay, ensure it's gone when notification consent is open
Change-Id: I58e017982f385ffc0d0ba2174512490b1d83dd36
Prevent non-system overlays from showing over notification listener consent dialog
Bug: 170731783
Test: use a visible overlay, ensure it's gone when notification consent is open
Change-Id: I58e017982f385ffc0d0ba2174512490b1d83dd36
Prevent non-system overlays from showing over notification listener consent dialog
Bug: 170731783
Test: use a visible overlay, ensure it's gone when notification consent is open
Change-Id: I58e017982f385ffc0d0ba2174512490b1d83dd36
- Enable the filterTouchesWhenObscured attribute on all toggle
switches in all pages of the special app access
Bug: 155288585
Test: make RunSettingsRoboTests
Merged-In: I011cfe4b7e4e624a8338332ac47a353f7f3ab661
Change-Id: I85842db3faa558ea61bc878ca76ff6d8ce1a4b03
- Enable the filterTouchesWhenObscured attribute on all toggle
switches in all pages of the special app access
Bug: 155288585
Test: make RunSettingsRoboTests
Merged-In: I011cfe4b7e4e624a8338332ac47a353f7f3ab661
Merged-In: I0731057ec6e77c6a0867784c729c3f5812ef6170
Change-Id: I02c372423287366d0706bcdf7cdecff48db2e22a
- Enable the filterTouchesWhenObscured attribute on all toggle
switches in all pages of the special app access
Bug: 155288585
Test: make RunSettingsRoboTests
Merged-In: I011cfe4b7e4e624a8338332ac47a353f7f3ab661
Merged-In: I0731057ec6e77c6a0867784c729c3f5812ef6170
Change-Id: I0731057ec6e77c6a0867784c729c3f5812ef6170
- 3rd party developers can define himself-authenticator
and use the accountPreferences attribute to load the
predefined preference UI.
- If a developer defines an action intent to launch the
other activity in xml and it would return true due
to the true exported attribute and no permission.
- To avoid launching arbitrary activity. Here allows
to launch only authenticator owned activities.
Bug: 150946634
Test: make RunSettingsRoboTests -j ROBOTEST_FILTER=com.android.settings.accounts
Test: PoC app
Change-Id: I5ce1a0b3838db7b3fbe48c6ea23d5f093d625cdb
Merged-In: I5ce1a0b3838db7b3fbe48c6ea23d5f093d625cdb
(cherry picked from commit d6d8f98844)
- 3rd party developers can define himself-authenticator
and use the accountPreferences attribute to load the
predefined preference UI.
- If a developer defines an action intent to launch the
other activity in xml and it would return true due
to the true exported attribute and no permission.
- To avoid launching arbitrary activity. Here allows
to launch only authenticator owned activities.
Bug: 150946634
Test: make RunSettingsRoboTests -j ROBOTEST_FILTER=com.android.settings.accounts
Test: PoC app
Change-Id: I5ce1a0b3838db7b3fbe48c6ea23d5f093d625cdb
Merged-In: I5ce1a0b3838db7b3fbe48c6ea23d5f093d625cdb
(cherry picked from commit d6d8f98844)
