ios/android: fix screen lock bugs

On some Android versions (e.g. Android 9) the authentication flow was
causing an endless loop of auth requests. This was fixed by moving the
setup of `BiometricAuthHelper` from `onStart` to `onCreate`.

In both Android and iOS the auth flow freezed if there was no
authentication method setup on the device. This was fixed by refactoring
the authentication flow code and adding a new possible authentication
response `authres-missing`, that allows to handle this case.

Author: Beerosagos

CHANGELOG.md

@@ -10,6 +10,8 @@
 - Fix wrong btc/ltc transaction timestamp during header sync
 - Ethereum bugfix: show all internal transactions that share the same transaction ID
 - Allow up to 6 unused BTC/LTC accounts (previously 5)
+- Android: fix screen lock authentication loop bug
+- Android/iOS: fix screen lock bug when no authentication is configured on the device
 
 ## v4.48.4
 - macOS: fix potential USB communication issue with BitBox02 bootloaders <v1.1.2 and firmwares <v9.23.1

backend/backend.go

@@ -127,16 +127,35 @@ type deviceEvent struct {
 
 type authEventType string
 
+// AuthResultType represents the possible results of the authentication flow.
+type AuthResultType string
+
 const (
+	// authRequired is fired when we need the user to authenticate.
 	authRequired authEventType = "auth-required"
-	authForced   authEventType = "auth-forced"
-	authCanceled authEventType = "auth-canceled"
-	authOk       authEventType = "auth-ok"
-	authErr      authEventType = "auth-err"
+	// authForced is fired when we need the user to authenticate even if
+	// the authentication flag is not set in the settings. This allows to check
+	// that the user is able to authenticate before enabling the screen lock.
+	authForced authEventType = "auth-forced"
+	// authResult is fired when the authentication flow produced a result.
+	authResult authEventType = "auth-result"
+
+	// AuthResultOk means that the authentication succeeded.
+	AuthResultOk AuthResultType = "authres-ok"
+	// AuthResultErr means that there is an authentication error.
+	// E.g. on Android when a biometric is valid, but not recognized.
+	AuthResultErr AuthResultType = "authres-err"
+	// AuthResultCancel menas that the authentication has been aborted
+	// by the user.
+	AuthResultCancel AuthResultType = "authres-cancel"
+	// AuthResultMissing means that there is no authentication method configured
+	// on the device.
+	AuthResultMissing AuthResultType = "authres-missing"
 )
 
 type authEventObject struct {
-	Typ authEventType `json:"typ"`
+	Typ    authEventType   `json:"typ"`
+	Result *AuthResultType `json:"result,omitempty"`
 }
 
 // Environment represents functionality where the implementation depends on the environment the app
@@ -373,7 +392,7 @@ func (backend *Backend) Authenticate(force bool) {
 	if backend.config.AppConfig().Backend.Authentication || force {
 		backend.environment.Auth()
 	} else {
-		backend.AuthResult(true)
+		backend.AuthResult(AuthResultOk)
 	}
 }
 
@@ -388,17 +407,6 @@ func (backend *Backend) TriggerAuth() {
 	})
 }
 
-// CancelAuth triggers an auth-canceled notification.
-func (backend *Backend) CancelAuth() {
-	backend.Notify(observable.Event{
-		Subject: "auth",
-		Action:  action.Replace,
-		Object: authEventObject{
-			Typ: authCanceled,
-		},
-	})
-}
-
 // ForceAuth triggers an auth-forced notification
 // followed by an auth-required notification.
 func (backend *Backend) ForceAuth() {
@@ -420,17 +428,14 @@ func (backend *Backend) ForceAuth() {
 
 // AuthResult triggers an auth-ok or auth-err notification
 // depending on the input value.
-func (backend *Backend) AuthResult(ok bool) {
-	backend.log.Infof("Auth result: %v", ok)
-	typ := authErr
-	if ok {
-		typ = authOk
-	}
+func (backend *Backend) AuthResult(result AuthResultType) {
+	backend.log.Infof("Auth result: %v", result)
 	backend.Notify(observable.Event{
 		Subject: "auth",
 		Action:  action.Replace,
 		Object: authEventObject{
-			Typ: typ,
+			Typ:    authResult,
+			Result: &result,
 		},
 	})
 }

backend/bridgecommon/bridgecommon.go

@@ -143,25 +143,16 @@ func TriggerAuth() {
 	globalBackend.TriggerAuth()
 }
 
-// CancelAuth triggers an authentication canceled notification.
-func CancelAuth() {
-	mu.Lock()
-	defer mu.Unlock()
-	if globalBackend == nil {
-		return
-	}
-	globalBackend.CancelAuth()
-}
-
 // AuthResult triggers an authentication result notification
 // on the base of the input value.
-func AuthResult(ok bool) {
+func AuthResult(result string) {
 	mu.Lock()
 	defer mu.Unlock()
 	if globalBackend == nil {
 		return
 	}
-	globalBackend.AuthResult(ok)
+
+	globalBackend.AuthResult(backend.AuthResultType(result))
 }
 
 // UsingMobileDataChanged should be called when the network connnection changed.

backend/mobileserver/mobileserver.go

@@ -23,6 +23,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/BitBoxSwiss/bitbox-wallet-app/backend"
 	"github.com/BitBoxSwiss/bitbox-wallet-app/backend/bridgecommon"
 	"github.com/BitBoxSwiss/bitbox-wallet-app/backend/devices/usb"
 	"github.com/BitBoxSwiss/bitbox-wallet-app/util/config"
@@ -34,6 +35,17 @@ var (
 	once sync.Once
 )
 
+const (
+	// AuthResultOk exports backend.AuthResultOk.
+	AuthResultOk string = string(backend.AuthResultOk)
+	// AuthResultErr exports backend.AuthResultErr.
+	AuthResultErr string = string(backend.AuthResultErr)
+	// AuthResultCancel exports backend.AuthResultCancel.
+	AuthResultCancel string = string(backend.AuthResultCancel)
+	// AuthResultMissing exports backend.AuthResultMissing.
+	AuthResultMissing string = string(backend.AuthResultMissing)
+)
+
 // fixTimezone sets the local timezone on Android. This is a workaround to the bug that on Android,
 // time.Local is hard-coded to UTC. See https://github.com/golang/go/issues/20455.
 //
@@ -235,15 +247,10 @@ func TriggerAuth() {
 	bridgecommon.TriggerAuth()
 }
 
-// CancelAuth triggers an auth canceled notification towards the frontend.
-func CancelAuth() {
-	bridgecommon.CancelAuth()
-}
-
-// AuthResult triggers an auth feedback notification (auth-ok/auth-err) towards the frontend,
+// AuthResult triggers an auth feedback notification (auth-ok/auth-err/..) towards the frontend,
 // depending on the input value.
-func AuthResult(ok bool) {
-	bridgecommon.AuthResult(ok)
+func AuthResult(result string) {
+	bridgecommon.AuthResult(result)
 }
 
 // ManualReconnect wraps bridgecommon.ManualReconnect.

cmd/servewallet/main.go

@@ -87,7 +87,7 @@ func (webdevEnvironment) Auth() {
 	log := logging.Get().WithGroup("servewallet")
 	log.Info("Webdev Auth")
 	if backend != nil {
-		backend.AuthResult(true)
+		backend.AuthResult(backendPkg.AuthResultOk)
 		log.Info("Webdev Auth OK")
 	}
 }

frontends/android/BitBoxApp/app/src/main/java/ch/shiftcrypto/bitboxapp/BiometricAuthHelper.java

@@ -17,9 +17,23 @@ public interface AuthCallback {
         void onSuccess();
         void onFailure();
         void onCancel();
+        void noAuthConfigured();
     }
 
     public static void showAuthenticationPrompt(FragmentActivity activity, AuthCallback callback) {
+
+        BiometricManager biometricManager = BiometricManager.from(activity);
+        int canAuthenticate = biometricManager.canAuthenticate(
+                BiometricManager.Authenticators.DEVICE_CREDENTIAL |
+                        BiometricManager.Authenticators.BIOMETRIC_WEAK
+        );
+
+        if (canAuthenticate != BiometricManager.BIOMETRIC_SUCCESS) {
+            Util.log("Authentication not available: code " + canAuthenticate);
+            new Handler(Looper.getMainLooper()).post(callback::noAuthConfigured);
+            return;
+        }
+
         Executor executor = ContextCompat.getMainExecutor(activity);
         BiometricPrompt biometricPrompt = new BiometricPrompt(activity, executor, new BiometricPrompt.AuthenticationCallback() {
             @Override

frontends/android/BitBoxApp/app/src/main/java/ch/shiftcrypto/bitboxapp/GoViewModel.java

@@ -202,7 +202,7 @@ public boolean detectDarkTheme() {
     }
 
     private final MutableLiveData<Boolean> isDarkTheme = new MutableLiveData<>();
-    private final MutableLiveData<Boolean> authenticator = new MutableLiveData<>(false);
+    private final MutableLiveData<Boolean> authRequested = new MutableLiveData<>(false);
     // The value of the backend config's Authentication setting.
     private final MutableLiveData<Boolean> authSetting = new MutableLiveData<>(false);
     private final GoEnvironment goEnvironment;
@@ -218,8 +218,8 @@ public MutableLiveData<Boolean> getIsDarkTheme() {
         return isDarkTheme;
     }
 
-    public MutableLiveData<Boolean> getAuthenticator() {
-        return authenticator;
+    public MutableLiveData<Boolean> getAuthRequested() {
+        return authRequested;
     }
 
     public MutableLiveData<Boolean> getAuthSetting() {
@@ -235,11 +235,11 @@ public GoAPI getGoAPI() {
     }
 
     public void requestAuth() {
-        this.authenticator.postValue(true);
+        this.authRequested.postValue(true);
     }
 
     public void closeAuth() {
-        this.authenticator.postValue(false);
+        this.authRequested.postValue(false);
     }
 
     public void setMessageHandlers(Handler callResponseHandler, Handler pushNotificationHandler) {

frontends/android/BitBoxApp/app/src/main/java/ch/shiftcrypto/bitboxapp/MainActivity.java

@@ -269,42 +269,9 @@ public void handleOnBackPressed() {
                 backPressedHandler();
             }
         });
-    }
-
-    @Override
-    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions, @NonNull int[] grantResults) {
-        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
-        if (requestCode == PERMISSIONS_REQUEST_CAMERA_QRCODE) {
-            webChrome.onCameraPermissionResult(grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED);
-        }
-    }
-
-    private void startServer() {
-        final GoViewModel gVM = ViewModelProviders.of(this).get(GoViewModel.class);
-        goService.startServer(getApplicationContext().getFilesDir().getAbsolutePath(), gVM.getGoEnvironment(), gVM.getGoAPI());
-
-        // Trigger connectivity check (as the network may already be unavailable when the app starts).
-        checkConnectivity();
-    }
-
-    @Override
-    protected void onNewIntent(Intent intent) {
-        // This is only called reliably when intents are received (e.g. USB is attached or when
-        // handling 'aopp:' URIs through the android.intent.action.VIEW intent) with
-        // android:launchMode="singleTop"
-        super.onNewIntent(intent);
-        setIntent(intent); // make sure onResume will have access to this intent
-    }
-
-    @Override
-    protected void onStart() {
-        super.onStart();
-        Util.log("lifecycle: onStart");
-        final GoViewModel goViewModel = ViewModelProviders.of(this).get(GoViewModel.class);
-        goViewModel.getIsDarkTheme().observe(this, this::setDarkTheme);
 
-        goViewModel.getAuthenticator().observe(this, requestAuth -> {
-            if (!requestAuth) {
+        goViewModel.getAuthRequested().observe(this, authRequested -> {
+            if (!authRequested) {
                 return;
             }
 
@@ -314,23 +281,31 @@ public void onSuccess() {
                     // Authenticated successfully
                     Util.log("Auth success");
                     goViewModel.closeAuth();
-                    Mobileserver.authResult(true);
+                    Mobileserver.authResult(Mobileserver.AuthResultOk);
                 }
 
                 @Override
                 public void onFailure() {
                     // Failed
                     Util.log("Auth failed");
                     goViewModel.closeAuth();
-                    Mobileserver.authResult(false);
+                    Mobileserver.authResult(Mobileserver.AuthResultErr);
                 }
 
                 @Override
                 public void onCancel() {
                     // Canceled
                     Util.log("Auth canceled");
                     goViewModel.closeAuth();
-                    Mobileserver.cancelAuth();
+                    Mobileserver.authResult(Mobileserver.AuthResultCancel);
+                }
+
+                @Override
+                public void noAuthConfigured() {
+                    // No Auth configured
+                    Util.log("Auth not configured");
+                    goViewModel.closeAuth();
+                    Mobileserver.authResult(Mobileserver.AuthResultMissing);
                 }
             });
         });
@@ -347,6 +322,41 @@ public void onCancel() {
             }
         }));
 
+    }
+
+    @Override
+    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions, @NonNull int[] grantResults) {
+        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
+        if (requestCode == PERMISSIONS_REQUEST_CAMERA_QRCODE) {
+            webChrome.onCameraPermissionResult(grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED);
+        }
+    }
+
+    private void startServer() {
+        final GoViewModel gVM = ViewModelProviders.of(this).get(GoViewModel.class);
+        goService.startServer(getApplicationContext().getFilesDir().getAbsolutePath(), gVM.getGoEnvironment(), gVM.getGoAPI());
+
+        // Trigger connectivity check (as the network may already be unavailable when the app starts).
+        checkConnectivity();
+    }
+
+    @Override
+    protected void onNewIntent(Intent intent) {
+        // This is only called reliably when intents are received (e.g. USB is attached or when
+        // handling 'aopp:' URIs through the android.intent.action.VIEW intent) with
+        // android:launchMode="singleTop"
+        super.onNewIntent(intent);
+        setIntent(intent); // make sure onResume will have access to this intent
+    }
+
+    @Override
+    protected void onStart() {
+        super.onStart();
+        Util.log("lifecycle: onStart");
+        final GoViewModel goViewModel = ViewModelProviders.of(this).get(GoViewModel.class);
+        goViewModel.getIsDarkTheme().observe(this, this::setDarkTheme);
+
+
         NetworkRequest request = new NetworkRequest.Builder()
             .addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET)
             .addTransportType(NetworkCapabilities.TRANSPORT_WIFI)

frontends/ios/BitBoxApp/BitBoxApp/BitBoxAppApp.swift

@@ -43,21 +43,21 @@ class GoEnvironment: NSObject, MobileserverGoEnvironmentInterfaceProtocol, UIDoc
             context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, authenticationError in
                 DispatchQueue.main.async {
                     if success {
-                        MobileserverAuthResult(true);
+                        MobileserverAuthResult(MobileserverAuthResultOk);
                     } else {
                         if let laError = authenticationError as? LAError,
                            laError.code == .userCancel {
-                            MobileserverCancelAuth();
+                            MobileserverAuthResult(MobileserverAuthResultCancel);
                         } else {
-                            MobileserverAuthResult(false);
+                            MobileserverAuthResult(MobileserverAuthResultErr);
                         }
                     }
                 }
             }
         } else {
             // Biometric authentication not available
             DispatchQueue.main.async {
-                MobileserverAuthResult(false);
+                MobileserverAuthResult(MobileserverAuthResultMissing);
             }
         }
     }