From 4f35431eb542182d0359dcd62c4bb77f05794261 Mon Sep 17 00:00:00 2001 From: Chirayu Desai Date: Wed, 30 Jan 2019 18:18:10 +0530 Subject: [PATCH] Allow selective signature spoofing for microG * Permission FAKE_PACKAGE_SIGNATURE required * Only microG and FakeStore can spoof signature * Only the official Google signature can be spoofed, the "fake-signature" field is unused. Change-Id: I34745f9bf585221d17c28269f74b3e0d0c834abf --- core/res/AndroidManifest.xml | 7 +++++ core/res/res/values/config.xml | 2 ++ core/res/res/values/strings.xml | 4 +++ .../server/pm/PackageManagerService.java | 28 +++++++++++++++++-- 4 files changed, 39 insertions(+), 2 deletions(-) diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml index 7bcd7a048db..10853678f39 100644 --- a/core/res/AndroidManifest.xml +++ b/core/res/AndroidManifest.xml @@ -2655,6 +2655,13 @@ android:description="@string/permdesc_getPackageSize" android:protectionLevel="normal" /> + + + diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml index a84d23b624b..89754ba11ef 100644 --- a/core/res/res/values/config.xml +++ b/core/res/res/values/config.xml @@ -1875,6 +1875,8 @@ com.android.location.fused + + com.google.android.gms diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml index 7e975f68ec3..69932c6ac16 100644 --- a/core/res/res/values/strings.xml +++ b/core/res/res/values/strings.xml @@ -830,6 +830,10 @@ + + Spoof package signature + + Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Legitimate uses include an emulator pretending to be what it emulates. Grant this permission with caution only! disable or modify status bar diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index 9d287a53af3..205217b3009 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -635,6 +635,11 @@ public class PackageManagerService extends IPackageManager.Stub private static final String[] INSTANT_APP_BROADCAST_PERMISSION = new String[] { android.Manifest.permission.ACCESS_INSTANT_APPS }; + /** + * The Google signature faked by microG. + */ + private static final String MICROG_FAKE_SIGNATURE = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a"; + final ServiceThread mHandlerThread; final PackageHandler mHandler; @@ -4197,8 +4202,9 @@ public class PackageManagerService extends IPackageManager.Stub }); } - PackageInfo packageInfo = PackageParser.generatePackageInfo(p, gids, flags, - ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId); + PackageInfo packageInfo = mayFakeSignature(p, PackageParser.generatePackageInfo(p, gids, flags, + ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId), + permissions); if (packageInfo == null) { return null; @@ -4234,6 +4240,24 @@ public class PackageManagerService extends IPackageManager.Stub } } + private PackageInfo mayFakeSignature(PackageParser.Package p, PackageInfo pi, + Set permissions) { + try { + if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") + && p.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1 + && p.mAppMetaData != null) { + // Only allow microG and FakeStore + if (p.packageName.equals("com.google.android.gms") || p.packageName.equals("com.android.vending")) { + pi.signatures = new Signature[] {new Signature(MICROG_FAKE_SIGNATURE)}; + } + } + } catch (Throwable t) { + // We should never die because of any failures, this is system code! + Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t); + } + return pi; + } + @Override public void checkPackageStartable(String packageName, int userId) { final int callingUid = Binder.getCallingUid(); -- 2.25.1