/*
* Copyright (C) 2014 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.tools.lint.checks;
import com.android.annotations.NonNull;
import com.android.annotations.Nullable;
import com.android.tools.lint.client.api.JavaParser;
import com.android.tools.lint.client.api.JavaParser.ResolvedField;
import com.android.tools.lint.client.api.JavaParser.ResolvedMethod;
import com.android.tools.lint.client.api.JavaParser.ResolvedNode;
import com.android.tools.lint.client.api.JavaParser.TypeDescriptor;
import com.android.tools.lint.detector.api.Category;
import com.android.tools.lint.detector.api.Detector;
import com.android.tools.lint.detector.api.Implementation;
import com.android.tools.lint.detector.api.Issue;
import com.android.tools.lint.detector.api.JavaContext;
import com.android.tools.lint.detector.api.Scope;
import com.android.tools.lint.detector.api.Severity;
import java.util.Collections;
import java.util.List;
import lombok.ast.AstVisitor;
import lombok.ast.BinaryExpression;
import lombok.ast.BinaryOperator;
import lombok.ast.Expression;
import lombok.ast.IntegralLiteral;
import lombok.ast.MethodInvocation;
import lombok.ast.StrictListAccessor;
import lombok.ast.StringLiteral;
public class GetSignaturesDetector extends Detector implements Detector.JavaScanner {
public static final Issue ISSUE = Issue.create(
"PackageManagerGetSignatures", //$NON-NLS-1$
"Potential Multiple Certificate Exploit",
"Improper validation of app signatures could lead to issues where a malicious app " +
"submits itself to the Play Store with both its real certificate and a fake " +
"certificate and gains access to functionality or information it shouldn't " +
"have due to another application only checking for the fake certificate and " +
"ignoring the rest. Please make sure to validate all signatures returned " +
"by this method.",
Category.SECURITY,
8,
Severity.INFORMATIONAL,
new Implementation(
GetSignaturesDetector.class,
Scope.JAVA_FILE_SCOPE))
.addMoreInfo("https://bluebox.com/technical/android-fake-id-vulnerability/");
private static final String PACKAGE_MANAGER_CLASS = "android.content.pm.PackageManager"; //$NON-NLS-1$
private static final String GET_PACKAGE_INFO = "getPackageInfo"; //$NON-NLS-1$
private static final int GET_SIGNATURES_FLAG = 0x00000040; //$NON-NLS-1$
// ---- Implements JavaScanner ----
@Override
@Nullable
public List<String> getApplicableMethodNames() {
return Collections.singletonList(GET_PACKAGE_INFO);
}
@Override
public void visitMethod(@NonNull JavaContext context, @Nullable AstVisitor visitor,
@NonNull MethodInvocation node) {
ResolvedNode resolved = context.resolve(node);
if (!(resolved instanceof ResolvedMethod) ||
!((ResolvedMethod) resolved).getContainingClass()
.isSubclassOf(PACKAGE_MANAGER_CLASS, false)) {
return;
}
StrictListAccessor<Expression, MethodInvocation> argumentList = node.astArguments();
// Ignore if the method doesn't fit our description.
if (argumentList != null && argumentList.size() == 2) {
TypeDescriptor firstParameterType = context.getType(argumentList.first());
if (firstParameterType != null
&& firstParameterType.matchesSignature(JavaParser.TYPE_STRING)) {
maybeReportIssue(calculateValue(context, argumentList.last()), context, node);
}
}
}
private static void maybeReportIssue(
int flagValue, JavaContext context, MethodInvocation node) {
if ((flagValue & GET_SIGNATURES_FLAG) != 0) {
context.report(ISSUE, node, context.getLocation(node.astArguments().last()),
"Reading app signatures from getPackageInfo: The app signatures "
+ "could be exploited if not validated properly; "
+ "see issue explanation for details.");
}
}
private static int calculateValue(JavaContext context, Expression expression) {
// This function assumes that the only inputs to the expression are static integer
// flags that combined via bitwise operands.
if (expression instanceof IntegralLiteral) {
return ((IntegralLiteral) expression).astIntValue();
}
ResolvedNode resolvedNode = context.resolve(expression);
if (resolvedNode instanceof ResolvedField) {
Object value = ((ResolvedField) resolvedNode).getValue();
if (value instanceof Integer) {
return (Integer) value;
}
}
if (expression instanceof BinaryExpression) {
BinaryExpression binaryExpression = (BinaryExpression) expression;
BinaryOperator operator = binaryExpression.astOperator();
int leftValue = calculateValue(context, binaryExpression.astLeft());
int rightValue = calculateValue(context, binaryExpression.astRight());
if (operator == BinaryOperator.BITWISE_OR) {
return leftValue | rightValue;
}
if (operator == BinaryOperator.BITWISE_AND) {
return leftValue & rightValue;
}
if (operator == BinaryOperator.BITWISE_XOR) {
return leftValue ^ rightValue;
}
}
return 0;
}
private static boolean isStringParameter(
@NonNull Expression expression, @NonNull JavaContext context) {
if (expression instanceof StringLiteral) {
return true;
} else {
ResolvedNode resolvedNode = context.resolve(expression);
if (resolvedNode instanceof ResolvedField) {
if (((ResolvedField) resolvedNode).getValue() instanceof String) {
return true;
}
}
}
return false;
}
}