@@ -14,42 +14,42 @@ import android.provider.Settings
1414import android.service.autofill.SaveInfo
1515import androidx.annotation.RequiresApi
1616
17- /*
18- In order to add a new browser, do the following:
19-
20- 1. Obtain the .apk from a trusted source. For example, download it from the Play Store on your
21- phone and use adb pull to get it onto your computer. We will assume that it is called
22- browser.apk.
23-
24- 2. Run
25-
26- aapt dump badging browser.apk | grep package: | grep -Eo " name='[a-zA-Z0-9_\.]*" | cut -c8-
27-
28- to obtain the package name (actually, the application ID) of the app in the .apk.
29-
30- 3. Run
31-
32- apksigner verify --print-certs browser.apk | grep "#1 certificate SHA-256" | grep -Eo "[a-f0-9]{64}" | tr -d '\n' | xxd -r -p | base64
33-
34- to calculate the hash of browser.apk's first signing certificate.
35- Note: This will only work if the apk has a single signing certificate. Apps with multiple
36- signers are very rare, so there is probably no need to add them.
37- Refer to computeCertificatesHash to learn how the hash would be computed in this case.
38-
39- 4. Verify the package name and the hash, for example by asking other people to repeat the steps
40- above.
41-
42- 5. Add an entry with the browser apps's package name and the hash to
43- TRUSTED_BROWSER_CERTIFICATE_HASH.
44-
45- 6. Optionally, try adding the browser's package name to BROWSERS_WITH_SAVE_SUPPORT and check
46- whether a save request to Password Store is triggered when you submit a registration form.
47-
48- 7. Optionally, try adding the browser's package name to BROWSERS_WITH_MULTI_ORIGIN_SUPPORT and
49- check whether it correctly distinguishes web origins even if iframes are present on the page.
50- You can use https://fabianhenneke.github.io/Android-Password-Store/ as a test form.
51- */
52- / *
17+ /* *
18+ * In order to add a new browser, do the following:
19+ *
20+ * 1. Obtain the .apk from a trusted source. For example, download it from the Play Store on your
21+ * phone and use adb pull to get it onto your computer. We will assume that it is called
22+ * browser.apk.
23+ *
24+ * 2. Run
25+ *
26+ * aapt dump badging browser.apk | grep package: | grep -Eo " name='[a-zA-Z0-9_\.]*" | cut -c8-
27+ *
28+ * to obtain the package name (actually, the application ID) of the app in the .apk.
29+ *
30+ * 3. Run
31+ *
32+ * apksigner verify --print-certs browser.apk | grep "#1 certificate SHA-256" | grep -Eo
33+ * "[a-f0-9]{64}" | tr -d '\n' | xxd -r -p | base64
34+ *
35+ * to calculate the hash of browser. apk's first signing certificate. Note: This will only work if
36+ * the apk has a single signing certificate. Apps with multiple signers are very rare, so there is
37+ * probably no need to add them. Refer to computeCertificatesHash to learn how the hash would be
38+ * computed in this case.
39+ *
40+ * 4. Verify the package name and the hash, for example by asking other people to repeat the steps
41+ * above.
42+ *
43+ * 5. Add an entry with the browser apps's package name and the hash to
44+ * TRUSTED_BROWSER_CERTIFICATE_HASH.
45+ *
46+ * 6. Optionally, try adding the browser's package name to BROWSERS_WITH_SAVE_SUPPORT and check
47+ * whether a save request to Password Store is triggered when you submit a registration form.
48+ *
49+ * 7. Optionally, try adding the browser's package name to BROWSERS_WITH_MULTI_ORIGIN_SUPPORT and
50+ * check whether it correctly distinguishes web origins even if iframes are present on the page. You
51+ * can use https://fabianhenneke.github.io/Android-Password-Store/ as a test form.
52+ *
5353 * **Security assumption**: Browsers on this list correctly report the web origin of the top-level
5454 * window as part of their AssistStructure.
5555 *
0 commit comments