Don’t require strong auth on regular time interval

ypid · ypid · commit fd12f056cc52 · 2019-11-24T12:32:44.000+01:00
This disables the need to provide strong authentication except when booting the device. The idea behind this is that you are no longer forced to enter your strong authentication credentials in random locations where it might be easy to snoop your strong authentication credentials allowing an adversary to boot and decrypt your device against your will. Changing DEFAULT_STRONG_AUTH_TIMEOUT_MS is not enough. Rather, it has the opposite effect. In my tests, it caused the strong auth to be required every hour rather than a 42 d interval. Ref: frameworks/base/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java In my tests, dpm.getRequiredStrongAuthTimeout(null, userId)) returned 3600000. Note that this patch circumvents the values that DeviceAdmin may provide. In other words, it ignores whatever a MDM would request for the strong auth timeout! To be clear, this patch is a practical approach, in an ideal world, we would properly use the DeviceAdmin feature. Confirmed working on: * Android 9 * Android 10 Submitted to: * hashbang/os#32 * RattlesnakeOS/community_patches#9 * https://github.com/ypid/ypid-android-patches
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
@@ -534,7 +534,7 @@ protected int myUserId() {
      *
      * @hide
      */
-    public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72 * 60 * 60 * 1000; // 72h
+    public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 42 * 24 * 60 * 60 * 1000; // 42d
 
     /**
      * A {@link android.os.Parcelable} extra of type {@link android.os.PersistableBundle} that
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsStrongAuth.java b/services/core/java/com/android/server/locksettings/LockSettingsStrongAuth.java
@@ -120,18 +120,7 @@ private void handleRemoveUser(int userId) {
     private void handleScheduleStrongAuthTimeout(int userId) {
         final DevicePolicyManager dpm =
                 (DevicePolicyManager) mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
-        long when = SystemClock.elapsedRealtime() + dpm.getRequiredStrongAuthTimeout(null, userId);
-        // cancel current alarm listener for the user (if there was one)
-        StrongAuthTimeoutAlarmListener alarm = mStrongAuthTimeoutAlarmListenerForUser.get(userId);
-        if (alarm != null) {
-            mAlarmManager.cancel(alarm);
-        } else {
-            alarm = new StrongAuthTimeoutAlarmListener(userId);
-            mStrongAuthTimeoutAlarmListenerForUser.put(userId, alarm);
-        }
-        // schedule a new alarm listener for the user
-        mAlarmManager.set(AlarmManager.ELAPSED_REALTIME, when, STRONG_AUTH_TIMEOUT_ALARM_TAG,
-                alarm, mHandler);
+        Slog.d(TAG, "getRequiredStrongAuthTimeout: " + dpm.getRequiredStrongAuthTimeout(null, userId));
     }
 
     private void notifyStrongAuthTrackers(int strongAuthReason, int userId) {

Original file line number	Diff line number	Diff line change
`@@ -534,7 +534,7 @@ protected int myUserId() {`
`534`	`534`	`*`
`535`	`535`	`* @hide`
`536`	`536`	`*/`
`537`		`- public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72 * 60 * 60 * 1000; // 72h`
	`537`	`+ public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 42 * 24 * 60 * 60 * 1000; // 42d`
`538`	`538`
`539`	`539`	`/**`
`540`	`540`	`* A {@link android.os.Parcelable} extra of type {@link android.os.PersistableBundle} that`