From 90ab04e81d6ff26656488d3ab4dc3eca4976c5a9 Mon Sep 17 00:00:00 2001 From: Ivan Iskandar <12537387+ivaniskandar@users.noreply.github.com> Date: Fri, 20 Aug 2021 05:10:07 +0700 Subject: [PATCH] Require authentication-confirmation to change biometric lock settings (#5695) * Requires authentication-confirmation to change biometric lock settings * Prevent double authentications on older APIs when confirming settings changes * Use new AuthPrompt API for app lock With this commit, the app lock will only explicitly require Class 2 biometrics or screen lock credential. Class 3 biometrics are guaranteed to meet Class 2 requirements thus will also be used when available. * Use extension toast --- app/src/main/java/eu/kanade/tachiyomi/App.kt | 3 +- .../ui/security/SecureActivityDelegate.kt | 4 +- .../tachiyomi/ui/security/UnlockActivity.kt | 40 +++--- .../ui/setting/SettingsSecurityController.kt | 60 ++++++++- .../util/system/AuthenticatorUtil.kt | 117 ++++++++++++++---- app/src/main/res/values/strings.xml | 1 + 6 files changed, 172 insertions(+), 53 deletions(-) diff --git a/app/src/main/java/eu/kanade/tachiyomi/App.kt b/app/src/main/java/eu/kanade/tachiyomi/App.kt index fdc67bbd07..0cd7734aa2 100644 --- a/app/src/main/java/eu/kanade/tachiyomi/App.kt +++ b/app/src/main/java/eu/kanade/tachiyomi/App.kt @@ -30,6 +30,7 @@ import eu.kanade.tachiyomi.data.preference.PreferencesHelper import eu.kanade.tachiyomi.data.preference.asImmediateFlow import eu.kanade.tachiyomi.network.NetworkHelper import eu.kanade.tachiyomi.ui.security.SecureActivityDelegate +import eu.kanade.tachiyomi.util.system.AuthenticatorUtil import eu.kanade.tachiyomi.util.system.notification import kotlinx.coroutines.flow.launchIn import kotlinx.coroutines.flow.onEach @@ -132,7 +133,7 @@ open class App : Application(), LifecycleObserver, ImageLoaderFactory { @OnLifecycleEvent(Lifecycle.Event.ON_STOP) @Suppress("unused") fun onAppBackgrounded() { - if (preferences.lockAppAfter().get() >= 0) { + if (!AuthenticatorUtil.isAuthenticating && preferences.lockAppAfter().get() >= 0) { SecureActivityDelegate.locked = true } } diff --git a/app/src/main/java/eu/kanade/tachiyomi/ui/security/SecureActivityDelegate.kt b/app/src/main/java/eu/kanade/tachiyomi/ui/security/SecureActivityDelegate.kt index 3c2595e805..69f8d50046 100644 --- a/app/src/main/java/eu/kanade/tachiyomi/ui/security/SecureActivityDelegate.kt +++ b/app/src/main/java/eu/kanade/tachiyomi/ui/security/SecureActivityDelegate.kt @@ -4,7 +4,7 @@ import android.content.Intent import androidx.fragment.app.FragmentActivity import androidx.lifecycle.lifecycleScope import eu.kanade.tachiyomi.data.preference.PreferencesHelper -import eu.kanade.tachiyomi.util.system.AuthenticatorUtil +import eu.kanade.tachiyomi.util.system.AuthenticatorUtil.isAuthenticationSupported import eu.kanade.tachiyomi.util.view.setSecureScreen import kotlinx.coroutines.flow.combine import kotlinx.coroutines.flow.launchIn @@ -28,7 +28,7 @@ class SecureActivityDelegate(private val activity: FragmentActivity) { fun onResume() { if (preferences.useAuthenticator().get()) { - if (AuthenticatorUtil.isSupported(activity)) { + if (activity.isAuthenticationSupported()) { if (isAppLocked()) { activity.startActivity(Intent(activity, UnlockActivity::class.java)) activity.overridePendingTransition(0, 0) diff --git a/app/src/main/java/eu/kanade/tachiyomi/ui/security/UnlockActivity.kt b/app/src/main/java/eu/kanade/tachiyomi/ui/security/UnlockActivity.kt index d7e07fef34..0808b89d6e 100644 --- a/app/src/main/java/eu/kanade/tachiyomi/ui/security/UnlockActivity.kt +++ b/app/src/main/java/eu/kanade/tachiyomi/ui/security/UnlockActivity.kt @@ -2,51 +2,45 @@ package eu.kanade.tachiyomi.ui.security import android.os.Bundle import androidx.biometric.BiometricPrompt +import androidx.fragment.app.FragmentActivity import eu.kanade.tachiyomi.R import eu.kanade.tachiyomi.ui.base.activity.BaseThemedActivity import eu.kanade.tachiyomi.util.system.AuthenticatorUtil +import eu.kanade.tachiyomi.util.system.AuthenticatorUtil.startAuthentication import timber.log.Timber import java.util.Date -import java.util.concurrent.Executors /** * Blank activity with a BiometricPrompt. */ class UnlockActivity : BaseThemedActivity() { - private val executor = Executors.newSingleThreadExecutor() - override fun onCreate(savedInstanceState: Bundle?) { super.onCreate(savedInstanceState) - - val biometricPrompt = BiometricPrompt( - this, - executor, - object : BiometricPrompt.AuthenticationCallback() { - override fun onAuthenticationError(errorCode: Int, errString: CharSequence) { - super.onAuthenticationError(errorCode, errString) + startAuthentication( + getString(R.string.unlock_app), + confirmationRequired = false, + callback = object : AuthenticatorUtil.AuthenticationCallback() { + override fun onAuthenticationError( + activity: FragmentActivity?, + errorCode: Int, + errString: CharSequence + ) { + super.onAuthenticationError(activity, errorCode, errString) Timber.e(errString.toString()) finishAffinity() } - override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) { - super.onAuthenticationSucceeded(result) + override fun onAuthenticationSucceeded( + activity: FragmentActivity?, + result: BiometricPrompt.AuthenticationResult + ) { + super.onAuthenticationSucceeded(activity, result) SecureActivityDelegate.locked = false preferences.lastAppUnlock().set(Date().time) finish() } } ) - - var promptInfo = BiometricPrompt.PromptInfo.Builder() - .setTitle(getString(R.string.unlock_app)) - .setAllowedAuthenticators(AuthenticatorUtil.getSupportedAuthenticators(this)) - .setConfirmationRequired(false) - - if (!AuthenticatorUtil.isDeviceCredentialAllowed(this)) { - promptInfo = promptInfo.setNegativeButtonText(getString(R.string.action_cancel)) - } - - biometricPrompt.authenticate(promptInfo.build()) } } diff --git a/app/src/main/java/eu/kanade/tachiyomi/ui/setting/SettingsSecurityController.kt b/app/src/main/java/eu/kanade/tachiyomi/ui/setting/SettingsSecurityController.kt index 23979ecdd4..a99931de8a 100644 --- a/app/src/main/java/eu/kanade/tachiyomi/ui/setting/SettingsSecurityController.kt +++ b/app/src/main/java/eu/kanade/tachiyomi/ui/setting/SettingsSecurityController.kt @@ -1,5 +1,8 @@ package eu.kanade.tachiyomi.ui.setting +import androidx.biometric.BiometricPrompt +import androidx.fragment.app.FragmentActivity +import androidx.preference.Preference import androidx.preference.PreferenceScreen import eu.kanade.tachiyomi.R import eu.kanade.tachiyomi.data.preference.asImmediateFlow @@ -9,6 +12,9 @@ import eu.kanade.tachiyomi.util.preference.summaryRes import eu.kanade.tachiyomi.util.preference.switchPreference import eu.kanade.tachiyomi.util.preference.titleRes import eu.kanade.tachiyomi.util.system.AuthenticatorUtil +import eu.kanade.tachiyomi.util.system.AuthenticatorUtil.isAuthenticationSupported +import eu.kanade.tachiyomi.util.system.AuthenticatorUtil.startAuthentication +import eu.kanade.tachiyomi.util.system.toast import kotlinx.coroutines.flow.launchIn import eu.kanade.tachiyomi.data.preference.PreferenceKeys as Keys @@ -17,11 +23,36 @@ class SettingsSecurityController : SettingsController() { override fun setupPreferenceScreen(screen: PreferenceScreen) = screen.apply { titleRes = R.string.pref_category_security - if (AuthenticatorUtil.isSupported(context)) { + if (context.isAuthenticationSupported()) { switchPreference { key = Keys.useAuthenticator titleRes = R.string.lock_with_biometrics defaultValue = false + onPreferenceChangeListener = Preference.OnPreferenceChangeListener { _, newValue -> + (activity as? FragmentActivity)?.startAuthentication( + activity!!.getString(R.string.lock_with_biometrics), + activity!!.getString(R.string.confirm_lock_change), + callback = object : AuthenticatorUtil.AuthenticationCallback() { + override fun onAuthenticationSucceeded( + activity: FragmentActivity?, + result: BiometricPrompt.AuthenticationResult + ) { + super.onAuthenticationSucceeded(activity, result) + isChecked = newValue as Boolean + } + + override fun onAuthenticationError( + activity: FragmentActivity?, + errorCode: Int, + errString: CharSequence + ) { + super.onAuthenticationError(activity, errorCode, errString) + activity?.toast(errString.toString()) + } + } + ) + false + } } intListPreference { key = Keys.lockAppAfter @@ -37,6 +68,33 @@ class SettingsSecurityController : SettingsController() { entryValues = values defaultValue = "0" summary = "%s" + onPreferenceChangeListener = Preference.OnPreferenceChangeListener { _, newValue -> + if (value == newValue) return@OnPreferenceChangeListener false + + (activity as? FragmentActivity)?.startAuthentication( + activity!!.getString(R.string.lock_when_idle), + activity!!.getString(R.string.confirm_lock_change), + callback = object : AuthenticatorUtil.AuthenticationCallback() { + override fun onAuthenticationSucceeded( + activity: FragmentActivity?, + result: BiometricPrompt.AuthenticationResult + ) { + super.onAuthenticationSucceeded(activity, result) + value = newValue as String + } + + override fun onAuthenticationError( + activity: FragmentActivity?, + errorCode: Int, + errString: CharSequence + ) { + super.onAuthenticationError(activity, errorCode, errString) + activity?.toast(errString.toString()) + } + } + ) + false + } preferences.useAuthenticator().asImmediateFlow { isVisible = it } .launchIn(viewScope) diff --git a/app/src/main/java/eu/kanade/tachiyomi/util/system/AuthenticatorUtil.kt b/app/src/main/java/eu/kanade/tachiyomi/util/system/AuthenticatorUtil.kt index 72dd5830b0..c0e8a971da 100644 --- a/app/src/main/java/eu/kanade/tachiyomi/util/system/AuthenticatorUtil.kt +++ b/app/src/main/java/eu/kanade/tachiyomi/util/system/AuthenticatorUtil.kt @@ -1,43 +1,108 @@ package eu.kanade.tachiyomi.util.system import android.content.Context -import android.os.Build +import androidx.annotation.CallSuper import androidx.biometric.BiometricManager import androidx.biometric.BiometricManager.Authenticators +import androidx.biometric.BiometricPrompt +import androidx.biometric.BiometricPrompt.AuthenticationError +import androidx.biometric.auth.AuthPromptCallback +import androidx.biometric.auth.startClass2BiometricOrCredentialAuthentication +import androidx.core.content.ContextCompat +import androidx.fragment.app.FragmentActivity object AuthenticatorUtil { - fun getSupportedAuthenticators(context: Context): Int { - if (isLegacySecured(context)) { - return Authenticators.BIOMETRIC_WEAK or Authenticators.DEVICE_CREDENTIAL - } + /** + * A check to avoid double authentication on older APIs when confirming settings changes since + * the biometric prompt is launched in a separate activity outside of the app. + */ + var isAuthenticating = false - return listOf( - Authenticators.BIOMETRIC_STRONG, - Authenticators.BIOMETRIC_WEAK, - Authenticators.DEVICE_CREDENTIAL, + /** + * Launches biometric prompt. + * + * @param title String title that will be shown on the prompt + * @param subtitle Optional string subtitle that will be shown on the prompt + * @param confirmationRequired Whether require explicit user confirmation after passive biometric is recognized + * @param callback Callback object to handle the authentication events + */ + fun FragmentActivity.startAuthentication( + title: String, + subtitle: String? = null, + confirmationRequired: Boolean = true, + callback: AuthenticationCallback + ) { + isAuthenticating = true + startClass2BiometricOrCredentialAuthentication( + title = title, + subtitle = subtitle, + confirmationRequired = confirmationRequired, + executor = ContextCompat.getMainExecutor(this), + callback = callback ) - .filter { BiometricManager.from(context).canAuthenticate(it) == BiometricManager.BIOMETRIC_SUCCESS } - .fold(0) { acc, auth -> acc or auth } - } - - fun isSupported(context: Context): Boolean { - return isLegacySecured(context) || getSupportedAuthenticators(context) != 0 - } - - fun isDeviceCredentialAllowed(context: Context): Boolean { - return isLegacySecured(context) || (getSupportedAuthenticators(context) and Authenticators.DEVICE_CREDENTIAL != 0) } /** - * Returns whether the device is secured with a PIN, pattern or password. + * Returns true if Class 2 biometric or credential lock is set and available to use */ - private fun isLegacySecured(context: Context): Boolean { - if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.Q) { - if (context.keyguardManager.isDeviceSecure) { - return true - } + fun Context.isAuthenticationSupported(): Boolean { + val authenticators = Authenticators.BIOMETRIC_WEAK or Authenticators.DEVICE_CREDENTIAL + return BiometricManager.from(this).canAuthenticate(authenticators) == BiometricManager.BIOMETRIC_SUCCESS + } + + /** + * [AuthPromptCallback] with extra check + * + * @see isAuthenticating + */ + abstract class AuthenticationCallback : AuthPromptCallback() { + /** + * Called when an unrecoverable error has been encountered and authentication has stopped. + * + * + * After this method is called, no further events will be sent for the current + * authentication session. + * + * @param activity The activity that is currently hosting the prompt. + * @param errorCode An integer ID associated with the error. + * @param errString A human-readable string that describes the error. + */ + @CallSuper + override fun onAuthenticationError( + activity: FragmentActivity?, + @AuthenticationError errorCode: Int, + errString: CharSequence + ) { + isAuthenticating = false + } + + /** + * Called when the user has successfully authenticated. + * + * + * After this method is called, no further events will be sent for the current + * authentication session. + * + * @param activity The activity that is currently hosting the prompt. + * @param result An object containing authentication-related data. + */ + @CallSuper + override fun onAuthenticationSucceeded( + activity: FragmentActivity?, + result: BiometricPrompt.AuthenticationResult + ) { + isAuthenticating = false + } + + /** + * Called when an authentication attempt by the user has been rejected. + * + * @param activity The activity that is currently hosting the prompt. + */ + @CallSuper + override fun onAuthenticationFailed(activity: FragmentActivity?) { + isAuthenticating = false } - return false } } diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml index 9adf4c6f92..4f44316951 100644 --- a/app/src/main/res/values/strings.xml +++ b/app/src/main/res/values/strings.xml @@ -25,6 +25,7 @@ Help Unlock Tachiyomi + Authenticate to confirm change Press back again to exit