FAD Add release codeHash verification for APKs (#2910)

* Add logic to calculate code hash from zip file

* Finish codehash check implementation

* Add isInstalledRelease unit tests

* google java format

* Merge and fix tests, add copyright to releaseIdStorage

* add copyright

* java format

* add final copyright

* Add annotations to calculateAPkInternalCodehash

* Add comments, refactor updateApk to take in latestRelease, change logic for cachedCodeHashes to only calcuate ziphash once, add unit test

* Fix tests affected by merge

* Update ziphash comment, change codehash equality method name

Co-authored-by: Rachel Prince <[email protected]>

Author: andrewbibiloni

firebase-app-distribution/firebase-app-distribution.gradle

@@ -48,8 +48,8 @@ dependencies {
     testImplementation 'junit:junit:4.13.2'
     testImplementation "org.robolectric:robolectric:$robolectricVersion"
     testImplementation "com.google.truth:truth:$googleTruthVersion"
-    testImplementation 'org.mockito:mockito-core:2.25.0'
-    androidTestImplementation "org.mockito:mockito-android:2.25.0"
+    testImplementation 'org.mockito:mockito-inline:3.4.0'
+    androidTestImplementation "org.mockito:mockito-android:3.4.0"
     testImplementation 'androidx.test:core:1.2.0'
 
     implementation 'com.google.android.gms:play-services-tasks:17.0.0'

firebase-app-distribution/src/main/java/com/google/firebase/appdistribution/CheckForUpdateClient.java

@@ -14,6 +14,8 @@
 
 package com.google.firebase.appdistribution;
 
+import static com.google.firebase.appdistribution.internal.ReleaseIdentificationUtils.calculateApkInternalCodeHash;
+
 import android.content.Context;
 import android.content.pm.PackageInfo;
 import android.content.pm.PackageManager;
@@ -27,6 +29,10 @@
 import com.google.firebase.appdistribution.internal.ReleaseIdentificationUtils;
 import com.google.firebase.installations.FirebaseInstallationsApi;
 import com.google.firebase.installations.InstallationTokenResult;
+import java.io.File;
+import java.util.Locale;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.Executor;
 import java.util.concurrent.Executors;
 
@@ -36,6 +42,8 @@ class CheckForUpdateClient {
   private final FirebaseApp firebaseApp;
   private final FirebaseAppDistributionTesterApiClient firebaseAppDistributionTesterApiClient;
   private final FirebaseInstallationsApi firebaseInstallationsApi;
+  private static final ConcurrentMap<String, String> cachedCodeHashes = new ConcurrentHashMap<>();
+  private final ReleaseIdentifierStorage releaseIdentifierStorage;
 
   Task<AppDistributionReleaseInternal> cachedCheckForUpdate = null;
   private final Executor checkForUpdateExecutor;
@@ -49,6 +57,8 @@ class CheckForUpdateClient {
     this.firebaseInstallationsApi = firebaseInstallationsApi;
     // TODO: verify if this is best way to use executorservice here
     this.checkForUpdateExecutor = Executors.newFixedThreadPool(UPDATE_THREAD_POOL_SIZE);
+    this.releaseIdentifierStorage =
+        new ReleaseIdentifierStorage(firebaseApp.getApplicationContext());
   }
 
   CheckForUpdateClient(
@@ -61,6 +71,8 @@ class CheckForUpdateClient {
     this.firebaseInstallationsApi = firebaseInstallationsApi;
     // TODO: verify if this is best way to use executorservice here
     this.checkForUpdateExecutor = executor;
+    this.releaseIdentifierStorage =
+        new ReleaseIdentifierStorage(firebaseApp.getApplicationContext());
   }
 
   @NonNull
@@ -135,11 +147,10 @@ private boolean isNewerBuildVersion(AppDistributionReleaseInternal latestRelease
         > getInstalledAppVersionCode(firebaseApp.getApplicationContext());
   }
 
-  private boolean isInstalledRelease(AppDistributionReleaseInternal latestRelease) {
+  @VisibleForTesting
+  boolean isInstalledRelease(AppDistributionReleaseInternal latestRelease) {
     if (latestRelease.getBinaryType().equals(BinaryType.APK)) {
-      // TODO(rachelprince): APK codehash verification. For now assume
-      // the release is identical unless the build version is different
-      return true;
+      return hasSameCodeHashAsInstallledRelease(latestRelease);
     }
 
     if (latestRelease.getIasArtifactId() == null) {
@@ -165,4 +176,39 @@ private long getInstalledAppVersionCode(Context context) throws FirebaseAppDistr
     }
     return PackageInfoCompat.getLongVersionCode(pInfo);
   }
+
+  @VisibleForTesting
+  String extractApkCodeHash(PackageInfo packageInfo) {
+    File sourceFile = new File(packageInfo.applicationInfo.sourceDir);
+
+    String key =
+        String.format(
+            Locale.ENGLISH, "%s.%d", sourceFile.getAbsolutePath(), sourceFile.lastModified());
+    if (!cachedCodeHashes.containsKey(key)) {
+      cachedCodeHashes.put(key, calculateApkInternalCodeHash(sourceFile));
+    }
+    return releaseIdentifierStorage.getExternalCodeHash(cachedCodeHashes.get(key));
+  }
+
+  private boolean hasSameCodeHashAsInstallledRelease(AppDistributionReleaseInternal latestRelease) {
+    try {
+      Context context = firebaseApp.getApplicationContext();
+      PackageInfo metadataPackageInfo =
+          context
+              .getPackageManager()
+              .getPackageInfo(context.getPackageName(), PackageManager.GET_META_DATA);
+      String externalCodeHash = extractApkCodeHash(metadataPackageInfo);
+      // Will trigger during the first install of the app since no zipHash to externalCodeHash
+      // mapping will have been set in ReleaseIdentifierStorage yet
+      if (externalCodeHash == null) {
+        return false;
+      }
+
+      // If the codeHash for the retrieved latestRelease is equal to the stored codeHash
+      // of the installed release, then they are the same release.
+      return externalCodeHash.equals(latestRelease.getCodeHash());
+    } catch (PackageManager.NameNotFoundException e) {
+      return false;
+    }
+  }
 }

firebase-app-distribution/src/main/java/com/google/firebase/appdistribution/ReleaseIdentifierStorage.java

@@ -0,0 +1,44 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.appdistribution;
+
+import android.content.Context;
+import android.content.SharedPreferences;
+import com.google.firebase.appdistribution.internal.AppDistributionReleaseInternal;
+
+public class ReleaseIdentifierStorage {
+
+  private static final String RELEASE_IDENTIFIER_PREFERENCES_NAME =
+      "FirebaseAppDistributionReleaseIdentifierStorage";
+
+  private final SharedPreferences releaseIdentifierSharedPreferences;
+
+  ReleaseIdentifierStorage(Context applicationContext) {
+    this.releaseIdentifierSharedPreferences =
+        applicationContext.getSharedPreferences(
+            RELEASE_IDENTIFIER_PREFERENCES_NAME, Context.MODE_PRIVATE);
+  }
+
+  void setCodeHashMap(String internalCodeHash, AppDistributionReleaseInternal latestRelease) {
+    this.releaseIdentifierSharedPreferences
+        .edit()
+        .putString(internalCodeHash, latestRelease.getCodeHash())
+        .apply();
+  }
+
+  String getExternalCodeHash(String internalCodeHash) {
+    return releaseIdentifierSharedPreferences.getString(internalCodeHash, null);
+  }
+}

firebase-app-distribution/src/main/java/com/google/firebase/appdistribution/UpdateApkClient.java

@@ -16,6 +16,7 @@
 
 import static com.google.firebase.appdistribution.FirebaseAppDistributionException.Status;
 import static com.google.firebase.appdistribution.FirebaseAppDistributionException.Status.NETWORK_FAILURE;
+import static com.google.firebase.appdistribution.internal.ReleaseIdentificationUtils.calculateApkInternalCodeHash;
 
 import android.app.Activity;
 import android.content.Context;
@@ -30,6 +31,7 @@
 import com.google.android.gms.tasks.TaskCompletionSource;
 import com.google.android.gms.tasks.Tasks;
 import com.google.firebase.FirebaseApp;
+import com.google.firebase.appdistribution.internal.AppDistributionReleaseInternal;
 import java.io.BufferedOutputStream;
 import java.io.File;
 import java.io.IOException;
@@ -55,6 +57,8 @@ class UpdateApkClient {
   @GuardedBy("updateTaskLock")
   private UpdateTaskImpl cachedUpdateTask;
 
+  private ReleaseIdentifierStorage releaseIdentifierStorage;
+
   @GuardedBy("activityLock")
   private Activity currentActivity;
 
@@ -64,12 +68,15 @@ class UpdateApkClient {
   public UpdateApkClient(@NonNull FirebaseApp firebaseApp) {
     this.downloadExecutor = Executors.newSingleThreadExecutor();
     this.firebaseApp = firebaseApp;
+    this.releaseIdentifierStorage =
+        new ReleaseIdentifierStorage(firebaseApp.getApplicationContext());
     this.appDistributionNotificationsManager =
         new FirebaseAppDistributionNotificationsManager(firebaseApp);
   }
 
   public synchronized UpdateTaskImpl updateApk(
-      @NonNull String downloadUrl, boolean showDownloadNotificationManager) {
+      @NonNull AppDistributionReleaseInternal latestRelease,
+      boolean showDownloadNotificationManager) {
     synchronized (updateTaskLock) {
       if (cachedUpdateTask != null && !cachedUpdateTask.isComplete()) {
         return cachedUpdateTask;
@@ -78,7 +85,7 @@ public synchronized UpdateTaskImpl updateApk(
       cachedUpdateTask = new UpdateTaskImpl();
     }
 
-    downloadApk(downloadUrl, showDownloadNotificationManager)
+    downloadApk(latestRelease, showDownloadNotificationManager)
         .addOnSuccessListener(
             downloadExecutor,
             file ->
@@ -110,24 +117,27 @@ public synchronized UpdateTaskImpl updateApk(
 
   @VisibleForTesting
   @NonNull
-  Task<File> downloadApk(@NonNull String downloadUrl, boolean showDownloadNotificationManager) {
+  Task<File> downloadApk(
+      @NonNull AppDistributionReleaseInternal latestRelease,
+      boolean showDownloadNotificationManager) {
     if (downloadTaskCompletionSource != null
         && !downloadTaskCompletionSource.getTask().isComplete()) {
       return downloadTaskCompletionSource.getTask();
     }
 
     downloadTaskCompletionSource = new TaskCompletionSource<>();
 
-    makeApkDownloadRequest(downloadUrl, showDownloadNotificationManager);
+    makeApkDownloadRequest(latestRelease, showDownloadNotificationManager);
     return downloadTaskCompletionSource.getTask();
   }
 
   private void makeApkDownloadRequest(
-      @NonNull String downloadUrl, boolean showDownloadNotificationManager) {
+      @NonNull AppDistributionReleaseInternal latestRelease,
+      boolean showDownloadNotificationManager) {
     downloadExecutor.execute(
         () -> {
           try {
-            HttpsURLConnection connection = openHttpsUrlConnection(downloadUrl);
+            HttpsURLConnection connection = openHttpsUrlConnection(latestRelease.getDownloadUrl());
             connection.setRequestMethod(REQUEST_METHOD);
             if (connection.getInputStream() == null) {
               setDownloadTaskCompletionError(
@@ -139,10 +149,12 @@ private void makeApkDownloadRequest(
               postUpdateProgress(
                   responseLength, 0, UpdateStatus.PENDING, showDownloadNotificationManager);
               String fileName = getApplicationName() + ".apk";
+
               downloadToDisk(
                   connection.getInputStream(),
                   responseLength,
                   fileName,
+                  latestRelease,
                   showDownloadNotificationManager);
             }
           } catch (IOException | FirebaseAppDistributionException e) {
@@ -156,7 +168,11 @@ private void makeApkDownloadRequest(
   }
 
   private void downloadToDisk(
-      InputStream input, long totalSize, String fileName, boolean showDownloadNotificationManager) {
+      InputStream input,
+      long totalSize,
+      String fileName,
+      AppDistributionReleaseInternal latestRelease,
+      boolean showDownloadNotificationManager) {
 
     File apkFile = getApkFileForApp(fileName);
     apkFile.delete();
@@ -213,6 +229,14 @@ private void downloadToDisk(
               FirebaseAppDistributionException.Status.DOWNLOAD_FAILURE));
     }
 
+    File downloadedFile = new File(firebaseApp.getApplicationContext().getFilesDir(), fileName);
+
+    String internalCodeHash = calculateApkInternalCodeHash(downloadedFile);
+
+    if (internalCodeHash != null) {
+      releaseIdentifierStorage.setCodeHashMap(internalCodeHash, latestRelease);
+    }
+
     // completion
     postUpdateProgress(
         totalSize, totalSize, UpdateStatus.DOWNLOADED, showDownloadNotificationManager);

firebase-app-distribution/src/main/java/com/google/firebase/appdistribution/UpdateAppClient.java

@@ -77,8 +77,7 @@ synchronized UpdateTask updateApp(
         return cachedAabUpdateTask;
       }
     } else {
-      return this.updateApkClient.updateApk(
-          latestRelease.getDownloadUrl(), showDownloadInNotificationManager);
+      return this.updateApkClient.updateApk(latestRelease, showDownloadInNotificationManager);
     }
   }
 

firebase-app-distribution/src/main/java/com/google/firebase/appdistribution/internal/ReleaseIdentificationUtils.java

@@ -20,9 +20,19 @@
 import android.util.Log;
 import androidx.annotation.NonNull;
 import androidx.annotation.Nullable;
+import java.io.File;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipFile;
 
 public final class ReleaseIdentificationUtils {
   private static final String TAG = "ReleaseIdentification";
+  private static final int BYTES_IN_LONG = 8;
 
   @Nullable
   public static String extractInternalAppSharingArtifactId(@NonNull Context appContext) {
@@ -40,4 +50,74 @@ public static String extractInternalAppSharingArtifactId(@NonNull Context appCon
       return null;
     }
   }
+
+  @Nullable
+  public static String calculateApkInternalCodeHash(@NonNull File file) {
+    Log.v(TAG, String.format("Calculating release id for %s", file.getPath()));
+    Log.v(TAG, String.format("File size: %d", file.length()));
+
+    long start = System.currentTimeMillis();
+    long entries = 0;
+    String zipFingerprint = null;
+    try {
+      MessageDigest digest = MessageDigest.getInstance("SHA-256");
+      ArrayList<Byte> checksums = new ArrayList<>();
+
+      // Since calculating the codeHash returned from the release backend is computationally
+      // expensive, using existing checksum data from the ZipFile we can quickly calculate
+      // an intermediate hash that then gets mapped to the backend's returned release codehash
+      ZipFile zis = new ZipFile(file);
+      try {
+        Enumeration<? extends ZipEntry> zipEntries = zis.entries();
+        while (zipEntries.hasMoreElements()) {
+          ZipEntry zip = zipEntries.nextElement();
+          entries += 1;
+          byte[] crcBytes = longToByteArray(zip.getCrc());
+          for (byte b : crcBytes) {
+            checksums.add(b);
+          }
+        }
+      } finally {
+        zis.close();
+      }
+      byte[] checksumByteArray = digest.digest(arrayListToByteArray(checksums));
+      StringBuilder sb = new StringBuilder();
+      for (byte b : checksumByteArray) {
+        sb.append(String.format("%02x", b));
+      }
+      zipFingerprint = sb.toString();
+
+    } catch (IOException | NoSuchAlgorithmException e) {
+      Log.v(TAG, String.format("id calculation failed for %s", file.getPath()));
+      return null;
+    } finally {
+      long elapsed = System.currentTimeMillis() - start;
+      if (elapsed > 2 * 1000) {
+        Log.v(
+            TAG,
+            String.format(
+                "Long id calculation time %d ms and %d entries for %s",
+                elapsed, entries, file.getPath()));
+      }
+
+      Log.v(TAG, String.format("Finished calculating %d entries in %d ms", entries, elapsed));
+      Log.v(TAG, String.format("%s hashes to %s", file.getPath(), zipFingerprint));
+    }
+
+    return zipFingerprint;
+  }
+
+  private static byte[] longToByteArray(long x) {
+    ByteBuffer buffer = ByteBuffer.allocate(BYTES_IN_LONG);
+    buffer.putLong(x);
+    return buffer.array();
+  }
+
+  private static byte[] arrayListToByteArray(ArrayList<Byte> list) {
+    byte[] result = new byte[list.size()];
+    for (int i = 0; i < list.size(); i++) {
+      result[i] = list.get(i);
+    }
+    return result;
+  }
 }