RFC: Check whether user granted signature spoofing permission #34
Conversation
Dropped support for Android < 7.0
Restored support for Android >=4.1 <7.0 (builds successfully but untested on device/emulator)
|
hi @teowoz, thank you so much for this PR, i really appreciate it. i'll take a minute for a quick response:
as i said, i don't have time to research the underlying issue you present right now, so this will have to wait, but i wanted to give you some kind of response in the meantime. btw, i'd gladly merge PRs more in line with the comments here... when i have time to research. thanks again! |
|
Thanks for your reply.
I saw it. However the file Would it be OK to add preprocessor comments in
They are needed in all Android versions where
No.
It implies that in Android 6, unlike Android 10,
I don't think it's necessary. I suppose (but AOSP code review would be needed to confirm it) that the OS uses
see PackageManagerService.generatePackageInfo
I don't think it's necessary, too. Installing a pre-6 app will make the package installer show the permissions list for the user to confirm.
I'm used to GitLab which allows hiding whitespace changes in single click. You can do the same in the command line after checking out my branch:
Speaking of Android, I'm not app or system developer (but I have experience with programming on other platforms), just a power user not wanting to have closed source GApps running as system apps. Hence my interest in microG and signature spoofing. I don't know what to do next to (efficiently) test my modifications against other Android versions. Preferably without the need of manual patching and testing on every single version. |
|
thanks! i still don't have time research this properly but i'll answer. i suppose all files are preprocessed, i don't see a reason why i might have chosen not to do that.
interesting. this contradicts my expectations:
how do i know? when the permission (if runtime) was not granted to a checker app, the app could not spoof. see these issues on the checker app:
it doesn't mean anything, but it strongly looks like only grated permissions are returned by PackageInfo.requestedPermissions.
so it looks like your assertion about android 10 is wrong. whatever the security issue might be if any, it looks like using requestedPermissionsFlags is redundant. however... i now see a possible unrelated problem. unless android knows the permission explicitly as dangerous, it might assume it is not (on android 6+ where the runtime permissions exist) and grant it to all apps that request it in the manifest without showing the install warning and without dynamically requesting it. this is a problem. right of the bat, maybe the requesting app can declare its own permission as dangerous (and then we should require that it does), and then the patch should never grant access if the permission is found to be runtime on android 6+. but... this would break compatibility with all apps that sigspoof right now. and it might make it entirely impossible for a new sigspoof app designed to target android <6 to work in android 6+. so it's not a solution. i know you mention some stuff regarding this in your OP, but i don't have time to research now. |
|
ok and now i see this issue: the video seems to contradict my position and favor yours. but if you are right, how is it that people complained about sigspoof checker giving wrong results before it actually requested the permission? i've one possible explanation: the video might have been taken on a rom haystack-patched over a rom that already had sigspoof of some sort? anyway, this would be easy to fix in the patch if necessary. the difficult part is making the patch safe on android 6+ roms that don't declare the permission as dangerous. |
It's simpler I think. From what I see in #2, the sigspoof checker reported disabled spoofing before the permission was granted. In the issues you linked, I don't see people stating explicitly that they use haystack. They probably used some ROM patched with microG patches.
After revoking permission for your signature spoofing checker app, I'm able to make my patch output this in log: https://github.com/teowoz/haystack/blob/e845eb3e72bae2d20ac9c9907f566289cf53b5ef/patches-src-gen/sigspoof-core/services.jar/GeneratePackageInfoHook.java#L57 which proves that
Yes, that's how it looks like from my experiments. When protectionLevel is Possible workarounds I see:
I will do experiments once I find time to install emulator and older Android versions on it. But I have other projects to do so it may be matter of a month or half a year ;) |
lol you're absolutely right! thanks, i'm convinced. to sum up... haystack has an issue: the permission is an install permission for all androids. on android 6+ install permissions are granted automatically for apps targeting android 6+, which is very bad. some people tried to sidestep this issue by making additional changes to the system that result in the permission being runtime. they thought that was it, but haystack does not check for the permission being granted because it was written to handle an install permission. problem understood, now actions:
i know 1) is probably handled by your PR, but i'll look for options before merging when the time comes to deal with this. for 2), yes, my version of haystack will never patch resources. but yes, it can patch the framework to add a permission group and a permission. pros: the org.spoofing hack does not seem to be able to properly create a permission group (or super group, however it is called), so you don't get a nice UI, while a patch could provide all that is needed. the hack probably pollutes the app space and is shown as a system app. what happens if this app is disabled? can it be? cons: same as current UI, it will probably be an english-only solution without i18n support. thanks for putting me up to speed on these issues. i will took into fixing this if/when i got the time. in the meantime people can enjoy a working system thanks to your fork. |
Welcome! First of all, thanks @Lanchon for this awesome piece of software and your devotion to free/libre software. Also the patching test suite (
bulk-patch-builder/build-all) with many Android versions impressed me.I've spotted and fixed security issue with signature spoofing patch:
Currently the signature spoofing patch merely checks whether the application has the permission specified in manifest. While it could make sense in older versions of Android, when permissions were granted at the moment of installation, in Android 10 package installer doesn't even show them to the user, instead the apps need to ask for them when they need it or on the first run. (That's how I understand, correct me if I'm wrong.)
It may lead to situation when some app fakes signatures without the user ever noticing.
These commits, inspired by microG patches for recent versions of Android, should close this loophole and make the signature spoofing permission work like all other permissions. To make Android ask the user for this permission, also protectionLevel must be set to dangerous. See my comment here for instructions how to achieve this: #24 (comment)
Video: https://www.youtube.com/watch?v=QvkdxvJlpOU
This pull request drops support for Android<4.1, because these versions don't have the
PackageInfo.requestedPermissionsFlagsfield.bulk-patch-builder/build-allreported success. Tested on Android 10 patched using NanoDroid patcher.Maybe there's a better way of doing this. Maybe if we patched
PackageParser.generatePackageInfoinstead ofPackageManagerService.generatePackageInfowe would have thepermissionsargument exposed, wouldn't need to fiddle with theGET_PERMISSIONSflag and iterate over therequestedPermissionsarray, and would be even closer to the microG source patch. It may not work with Android<6.0, though.