From 3a6291c38a1cffb94e3e826af463b8b8600a9992 Mon Sep 17 00:00:00 2001
From: Justin Bassett
Date: Mon, 14 Sep 2020 16:20:09 -0400
Subject: [PATCH] Fix Security Bypass (#935)

* Hide timeout when it isn't being used.
* Fix #925
* ktlint
---
 .../android/settings/SettingsFragment.kt | 25 +++++++++++--------
 .../android/webview/WebViewActivity.kt | 18 +++++++++++--
 app/src/main/res/xml/preferences.xml | 1 +
 3 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/app/src/main/java/io/homeassistant/companion/android/settings/SettingsFragment.kt b/app/src/main/java/io/homeassistant/companion/android/settings/SettingsFragment.kt
index 2c6b1a9f1..eb4adc679 100644
--- a/app/src/main/java/io/homeassistant/companion/android/settings/SettingsFragment.kt
+++ b/app/src/main/java/io/homeassistant/companion/android/settings/SettingsFragment.kt
@@ -65,11 +65,12 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
 isValid
 }

- val onChangeBiometricValidator = Preference.OnPreferenceChangeListener { _, newValue ->
+ findPreference("app_lock")?.setOnPreferenceChangeListener { _, newValue ->
 var isValid: Boolean
- if (newValue == false)
+ if (newValue == false) {
 isValid = true
- else {
+ findPreference("session_timeout")?.isVisible = false
+ } else {
 isValid = true
 if (BiometricManager.from(requireActivity()).canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS) {
 setLock = true
@@ -87,6 +88,13 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
 isValid
 }

+ findPreference("session_timeout")?.let { pref ->
+ pref.setOnBindEditTextListener {
+ it.inputType = InputType.TYPE_CLASS_NUMBER
+ }
+ pref.isVisible = findPreference("app_lock")?.isChecked == true
+ }
+
 findPreference("nfc_tags")?.let {
 it.isVisible = presenter.nfcEnabled()
 it.onPreferenceClickListener = Preference.OnPreferenceClickListener {
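Review bot: The `newValue == false` branch of the `app_lock` listener accepts the change unconditionally, so the lock can be switched off without the authentication step that the enabling branch appears to start via `setLock = true`. Turning a protection off should pass the same `Authenticator` prompt as turning it on, unless the settings screen is already gated elsewhere, which is not visible in this hunk. A short comment on that branch stating which of the two holds would help the next reader. The listener body continues past the end of the hunk.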
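Review bot: `InputType.TYPE_CLASS_NUMBER` in the `session_timeout` block limits what can be typed but still lets an empty or very large value be saved, and this value presumably feeds the re-authentication timing. A change listener on `pref` that accepts only a bounded non-negative integer would close that gap, e.g. `pref.setOnPreferenceChangeListener { _, v -> (v as? String)?.toIntOrNull()?.let { it >= 0 } == true }`. How the stored string is parsed later is outside this diff, so confirm whether that code already tolerates bad input.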
@@ -95,10 +103,6 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
 }
 }

- findPreference("session_timeout")?.setOnBindEditTextListener {
- it.inputType = InputType.TYPE_CLASS_NUMBER
- }
-
 removeSystemFromThemesIfNeeded()

 findPreference("connection_internal")?.onPreferenceChangeListener =
@@ -107,9 +111,6 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
 findPreference("connection_external")?.onPreferenceChangeListener =
 onChangeUrlValidator

- findPreference("app_lock")?.onPreferenceChangeListener =
- onChangeBiometricValidator
-
 findPreference("sensors")?.setOnPreferenceClickListener {
 parentFragmentManager
 .beginTransaction()
@@ -171,8 +172,10 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
 }

 private fun authenticationResult(result: Int) {
+ val success = result == Authenticator.SUCCESS
 val switchLock = findPreference("app_lock")
- switchLock?.isChecked = result == Authenticator.SUCCESS
+ switchLock?.isChecked = success
+ findPreference("session_timeout")?.isVisible = success
 }

 private fun removeSystemFromThemesIfNeeded() {
diff --git a/app/src/main/java/io/homeassistant/companion/android/webview/WebViewActivity.kt b/app/src/main/java/io/homeassistant/companion/android/webview/WebViewActivity.kt
index 3f40c8674..700d522ec 100644
--- a/app/src/main/java/io/homeassistant/companion/android/webview/WebViewActivity.kt
+++ b/app/src/main/java/io/homeassistant/companion/android/webview/WebViewActivity.kt
@@ -155,8 +155,10 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
 exoToggleMute()
 }
 })
- if (!presenter.isLockEnabled())
+ if (!presenter.isLockEnabled()) {
 blurView.setBlurEnabled(false)
+ unlocked = true
+ }

 authenticator = Authenticator(this, this, ::authenticationResult)

@@ -164,6 +166,10 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.

 webView = findViewById(R.id.webview)
 webView.apply {
+ setOnTouchListener { _, _ ->
+ return@setOnTouchListener !unlocked
+ }
+
 settings.javaScriptEnabled = true
 settings.domStorageEnabled = true
 webViewClient = object : WebViewClient() {
@@ -400,6 +406,12 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
 }
 }

+ override fun onResume() {
+ super.onResume()
+ if (!unlocked && !presenter.isLockEnabled())
+ unlocked = true
+ }
+
 override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
 super.onActivityResult(requestCode, resultCode, data)
 if (requestCode == NFC_COMPLETE && resultCode != -1) {
@@ -547,7 +559,9 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
 if ((System.currentTimeMillis() > presenter.getSessionExpireMillis())) {
 blurView.setBlurEnabled(true)
 authenticator.authenticate()
- } else blurView.setBlurEnabled(false)
+ } else {
+ blurView.setBlurEnabled(false)
+ }

 presenter.onViewReady(intent.getStringExtra(EXTRA_PATH))
 intent.removeExtra(EXTRA_PATH)
diff --git a/app/src/main/res/xml/preferences.xml b/app/src/main/res/xml/preferences.xml
index cc70f300f..ff74e20f2 100644
--- a/app/src/main/res/xml/preferences.xml
+++ b/app/src/main/res/xml/preferences.xml
@@ -49,6 +49,7 @@
 android:key="session_timeout"
 android:icon="@drawable/ic_timeout"
 android:title="@string/session_timeout_title"
+ app:isPreferenceVisible="false"
 app:useSimpleSummaryProvider="true"/>
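Review bot: The new `setOnTouchListener` in the `webView.apply` block gates touch input only, so while `unlocked` is false the view still handles key events and generic motion events, and its content stays visible to accessibility services under the blur. Gate those paths with the same flag, e.g. `setOnKeyListener { _, _, _ -> !unlocked }` and `setOnGenericMotionListener { _, _ -> !unlocked }`, or keep the view `View.INVISIBLE` until authentication succeeds. The lambda can also end in plain `!unlocked`, since the labelled `return@setOnTouchListener` is not needed. `unlocked` is declared outside this hunk and the `apply` block continues past it.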
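Review bot: `onResume` updates `unlocked` only for the lock-disabled case, while the blur is switched elsewhere: both branches of the session check in the hunk at new line 559 change the blur without touching `unlocked`. The two pieces of lock state can therefore disagree, leaving either touches blocked on an unblurred view or, if nothing resets the flag, input accepted under the blur after the session expires. Where `unlocked` is set back to `false` is not visible in this diff. Routing every transition through one helper that sets both keeps them in step. The `if` here also lacks the braces this commit adds to the other single-statement branches.

```kotlin
// Single place that changes lock state, so the blur and the input gate cannot drift apart.
private fun setLocked(locked: Boolean) {
    unlocked = !locked
    blurView.setBlurEnabled(locked)
}

override fun onResume() {
    super.onResume()
    if (!presenter.isLockEnabled()) {
        setLocked(false)
    }
}
// … unchanged: onActivityResult …
```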