Fix Security Bypass (#935)

* Hide timeout when it isn't being used. * Fix #925 * ktlint
2024-09-19 16:11:37 +00:00 · 2020-09-14 16:20:09 -04:00 · 2020-09-14 16:20:09 -04:00 · 3a6291c38a
parent 71d764cf40
commit 3a6291c38a
3 changed files with 31 additions and 13 deletions
--- a/app/src/main/java/io/homeassistant/companion/android/settings/SettingsFragment.kt
+++ b/app/src/main/java/io/homeassistant/companion/android/settings/SettingsFragment.kt
@ -65,11 +65,12 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
            isValid
        }

-        val onChangeBiometricValidator = Preference.OnPreferenceChangeListener { _, newValue ->
+        findPreference<SwitchPreference>("app_lock")?.setOnPreferenceChangeListener { _, newValue ->
            var isValid: Boolean
-            if (newValue == false)
+            if (newValue == false) {
                isValid = true
-            else {
+                findPreference<EditTextPreference>("session_timeout")?.isVisible = false
+            } else {
                isValid = true
                if (BiometricManager.from(requireActivity()).canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS) {
                    setLock = true
@ -87,6 +88,13 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
            isValid
        }

+        findPreference<EditTextPreference>("session_timeout")?.let { pref ->
+            pref.setOnBindEditTextListener {
+                it.inputType = InputType.TYPE_CLASS_NUMBER
+            }
+            pref.isVisible = findPreference<SwitchPreference>("app_lock")?.isChecked == true
+        }
+
        findPreference<Preference>("nfc_tags")?.let {
            it.isVisible = presenter.nfcEnabled()
            it.onPreferenceClickListener = Preference.OnPreferenceClickListener {
@ -95,10 +103,6 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
            }
        }

-        findPreference<EditTextPreference>("session_timeout")?.setOnBindEditTextListener {
-            it.inputType = InputType.TYPE_CLASS_NUMBER
-        }
-
        removeSystemFromThemesIfNeeded()

        findPreference<EditTextPreference>("connection_internal")?.onPreferenceChangeListener =
@ -107,9 +111,6 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
        findPreference<EditTextPreference>("connection_external")?.onPreferenceChangeListener =
            onChangeUrlValidator

-        findPreference<SwitchPreference>("app_lock")?.onPreferenceChangeListener =
-            onChangeBiometricValidator
-
        findPreference<Preference>("sensors")?.setOnPreferenceClickListener {
            parentFragmentManager
                .beginTransaction()
@ -171,8 +172,10 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
    }

    private fun authenticationResult(result: Int) {
+        val success = result == Authenticator.SUCCESS
        val switchLock = findPreference<SwitchPreference>("app_lock")
-        switchLock?.isChecked = result == Authenticator.SUCCESS
+        switchLock?.isChecked = success
+        findPreference<EditTextPreference>("session_timeout")?.isVisible = success
    }

    private fun removeSystemFromThemesIfNeeded() {
--- a/app/src/main/java/io/homeassistant/companion/android/webview/WebViewActivity.kt
+++ b/app/src/main/java/io/homeassistant/companion/android/webview/WebViewActivity.kt
@ -155,8 +155,10 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
                exoToggleMute()
            }
        })
-        if (!presenter.isLockEnabled())
+        if (!presenter.isLockEnabled()) {
            blurView.setBlurEnabled(false)
+            unlocked = true
+        }

        authenticator = Authenticator(this, this, ::authenticationResult)

@ -164,6 +166,10 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.

        webView = findViewById(R.id.webview)
        webView.apply {
+            setOnTouchListener { _, _ ->
+                return@setOnTouchListener !unlocked
+            }
+
            settings.javaScriptEnabled = true
            settings.domStorageEnabled = true
            webViewClient = object : WebViewClient() {
@ -400,6 +406,12 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
        }
    }

+    override fun onResume() {
+        super.onResume()
+        if (!unlocked && !presenter.isLockEnabled())
+            unlocked = true
+    }
+
    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode == NFC_COMPLETE && resultCode != -1) {
@ -547,7 +559,9 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
                if ((System.currentTimeMillis() > presenter.getSessionExpireMillis())) {
                    blurView.setBlurEnabled(true)
                    authenticator.authenticate()
-                } else blurView.setBlurEnabled(false)
+                } else {
+                    blurView.setBlurEnabled(false)
+                }

            presenter.onViewReady(intent.getStringExtra(EXTRA_PATH))
            intent.removeExtra(EXTRA_PATH)
--- a/app/src/main/res/xml/preferences.xml
+++ b/app/src/main/res/xml/preferences.xml
@ -49,6 +49,7 @@
            android:key="session_timeout"
            android:icon="@drawable/ic_timeout"
            android:title="@string/session_timeout_title"
+            app:isPreferenceVisible="false"
            app:useSimpleSummaryProvider="true"/>
    </PreferenceCategory>
    <PreferenceCategory