From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Philip Nagler-Frank Date: Mon, 22 Mar 2021 21:03:57 -0400 Subject: [PATCH] Add permission to allow an APK to fake a signature. Change-Id: I770c2c8b2ab6857d4ea0a4142fb814302685a64e --- api/current.txt | 2 ++ core/res/AndroidManifest.xml | 15 ++++++++++++ core/res/res/values/config.xml | 2 ++ core/res/res/values/strings.xml | 12 ++++++++++ non-updatable-api/current.txt | 2 ++ .../server/pm/PackageManagerService.java | 23 +++++++++++++++++-- 6 files changed, 54 insertions(+), 2 deletions(-) diff --git a/api/current.txt b/api/current.txt index 952ccdad992c..6bd7ffe6dcb8 100644 --- a/api/current.txt +++ b/api/current.txt @@ -77,6 +77,7 @@ package android { field public static final String DIAGNOSTIC = "android.permission.DIAGNOSTIC"; field public static final String DISABLE_KEYGUARD = "android.permission.DISABLE_KEYGUARD"; field public static final String DUMP = "android.permission.DUMP"; + field public static final String FAKE_PACKAGE_SIGNATURE = "android.permission.FAKE_PACKAGE_SIGNATURE"; field public static final String EXPAND_STATUS_BAR = "android.permission.EXPAND_STATUS_BAR"; field public static final String FACTORY_TEST = "android.permission.FACTORY_TEST"; field public static final String FOREGROUND_SERVICE = "android.permission.FOREGROUND_SERVICE"; @@ -182,6 +183,7 @@ package android { field public static final String CALL_LOG = "android.permission-group.CALL_LOG"; field public static final String CAMERA = "android.permission-group.CAMERA"; field public static final String CONTACTS = "android.permission-group.CONTACTS"; + field public static final String FAKE_PACKAGE = "android.permission-group.FAKE_PACKAGE"; field public static final String LOCATION = "android.permission-group.LOCATION"; field public static final String MICROPHONE = "android.permission-group.MICROPHONE"; field public static final String PHONE = "android.permission-group.PHONE"; diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml index ee428371a016..ad6cfd6ae501 100644 --- a/core/res/AndroidManifest.xml +++ b/core/res/AndroidManifest.xml @@ -2852,6 +2852,21 @@ android:description="@string/permdesc_getPackageSize" android:protectionLevel="normal" /> + + + + + + diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml index f4efcc7e4eec..51b461e79492 100644 --- a/core/res/res/values/config.xml +++ b/core/res/res/values/config.xml @@ -1654,6 +1654,8 @@ com.android.location.fused + + com.google.android.gms diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml index 5c659123b027..4ea996c492c7 100644 --- a/core/res/res/values/strings.xml +++ b/core/res/res/values/strings.xml @@ -847,6 +847,18 @@ + + Spoof package signature + + Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Legitimate uses include an emulator pretending to be what it emulates. Grant this permission with caution only! + + Spoof package signature + + allow to spoof package signature + + Allow + <b>%1$s</b> to spoof package signature? + disable or modify status bar diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt index 5f15216e8400..57748a8090a2 100644 --- a/non-updatable-api/current.txt +++ b/non-updatable-api/current.txt @@ -79,6 +79,7 @@ package android { field public static final String DUMP = "android.permission.DUMP"; field public static final String EXPAND_STATUS_BAR = "android.permission.EXPAND_STATUS_BAR"; field public static final String FACTORY_TEST = "android.permission.FACTORY_TEST"; + field public static final String FAKE_PACKAGE_SIGNATURE = "android.permission.FAKE_PACKAGE_SIGNATURE"; field public static final String FOREGROUND_SERVICE = "android.permission.FOREGROUND_SERVICE"; field public static final String GET_ACCOUNTS = "android.permission.GET_ACCOUNTS"; field public static final String GET_ACCOUNTS_PRIVILEGED = "android.permission.GET_ACCOUNTS_PRIVILEGED"; @@ -182,6 +183,7 @@ package android { field public static final String CALL_LOG = "android.permission-group.CALL_LOG"; field public static final String CAMERA = "android.permission-group.CAMERA"; field public static final String CONTACTS = "android.permission-group.CONTACTS"; + field public static final String FAKE_PACKAGE = "android.permission-group.FAKE_PACKAGE"; field public static final String LOCATION = "android.permission-group.LOCATION"; field public static final String MICROPHONE = "android.permission-group.MICROPHONE"; field public static final String PHONE = "android.permission-group.PHONE"; diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index ea9378e98b1a..c2a677613c6d 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -4454,8 +4454,9 @@ public class PackageManagerService extends IPackageManager.Stub }); } - PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags, - ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps); + PackageInfo packageInfo = mayFakeSignature(p, PackageInfoUtils.generate(p, gids, flags, + ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps), + permissions); if (packageInfo == null) { return null; @@ -4491,6 +4492,24 @@ public class PackageManagerService extends IPackageManager.Stub } } + private PackageInfo mayFakeSignature(AndroidPackage p, PackageInfo pi, + Set permissions) { + try { + if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") + && p.getTargetSdkVersion() > Build.VERSION_CODES.LOLLIPOP_MR1 + && p.getMetaData() != null) { + String sig = p.getMetaData().getString("fake-signature"); + if (sig != null) { + pi.signatures = new Signature[] {new Signature(sig)}; + } + } + } catch (Throwable t) { + // We should never die because of any failures, this is system code! + Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t); + } + return pi; + } + @Override public void checkPackageStartable(String packageName, int userId) { final int callingUid = Binder.getCallingUid();