Canceling registration modal throws ConstraintError [271863184]

Fixed

Bug

Status Update

No update yet.

Description

va...@shopify.com

created issue #1

Mar 7, 2023 12:04AM

Component used: Credentials

Version used: 1.0.0-alpha03

Devices/Android versions reproduced on: Huawei P30 Pro (VOG-L29)

I have multiple Google accounts on my phone. After triggering the passkey registration modal, I pressed the "Cancel" button and I got a CreatePublicKeyCredentialDomException with ConstraintError instead of the expected CreateCredentialCancellationException

Here are some logs (PasskeyUtils is from my application):

03-06 18:59:09.005 19307 19307 I Fido    : [AuthenticateChimeraActivity] FIDO2 operation is called from com.shopify.arrive.debug [CONTEXT service_id=287 ]
03-06 18:59:09.007 19307 19307 I Fido    : [AuthenticateViewModel] Determining the attachment [CONTEXT service_id=287 ]
03-06 18:59:09.017 19307 19307 I Fido    : [AuthenticateChimeraActivity] onAttachmentUpdate [CONTEXT service_id=287 ]
03-06 18:59:09.018 19307 19385 I Fido    : [AuthenticateViewModel] StrongBox not needed. [CONTEXT service_id=287 ]
03-06 18:59:09.020 19307 19307 I Fido    : [AuthenticateChimeraActivity] Using default UserVerifier. [CONTEXT service_id=287 ]
03-06 18:59:09.023 19307 19307 I Fido    : [StringStoreKeyHandleCache] initU2fDeviceCache
03-06 18:59:09.023 19307 19307 I Fido    : [FidoApiImpl] updateTransaction is called for resume
03-06 18:59:09.099  1508  5553 I ActivityManager: Process com.huawei.skytone (pid 25789) has died: svcb SVC
03-06 18:59:09.099  1508  5553 W ActivityManager: Scheduling restart of crashed service com.huawei.skytone/com.huawei.android.vsim.service.VSimService in 1000ms
03-06 18:59:09.248 19307 19384 I Fido    : [RegistrationRequestHandler] Registering key via credential store.
03-06 18:59:09.304 19307 19307 I Fido    : [PasskeysCreationFragment] PasskeysCreationFragment is shown [CONTEXT service_id=287 ]
03-06 18:59:10.897 19307 19384 I Fido    : [RequestController] Timeout Runnable is removed, and timer is stopped.
03-06 18:59:10.901 19307 19384 I Fido    : [RequestController] Timeout Runnable is removed, and timer is stopped.
03-06 18:59:10.915 19307 19307 I Fido    : [FidoApiImpl] updateTransaction is called for pause
03-06 18:59:10.915 19307 19307 E Fido    : [FidoApiImpl] pauseSecurityKeyRequestController should not be called when SecurityKeyRequestController is null.
03-06 18:59:10.957 31580 31580 D PasskeyUtils: error:androidx.credentials.exceptions.publickeycredential.CreatePublicKeyCredentialDomException: Unable to get sync account.
03-06 18:59:10.957 31580 31580 D PasskeyUtils: domError:androidx.credentials.exceptions.domerrors.ConstraintError@8d8d7a9
03-06 18:59:10.979 19307 19307 I Fido    : [FidoApiImpl] updateTransaction is called for stop
03-06 18:59:10.979 19307 19307 E Fido    : [FidoApiImpl] finishSecurityKeyRequestController should not be called when SecurityKeyRequestController is null.

Comments

he...@google.com <he...@google.com> #2Mar 7, 2023 12:43AM

Reassigned to he...@google.com.

My application offers 'suggested applications' that it can install and then use the functionality of, acting as a plug-in. Tasker is one of those.

My only work-around is to prompt the user to reinstall my application after the suggested applications have been installed, so permissions are detected.

It's of course a horrible 'solution'. Have starred the issue.

brandall

ap...@google.com <ap...@google.com> #3Mar 7, 2023 05:07AM

May be related: "protectionLevel=permission is not checked if other application is installed first and defines the same permission?"

https://groups.google.com/group/android-security-discuss/browse_thread/thread/96cc19067c40fbf7.

he...@google.com <he...@google.com> #4Mar 7, 2023 07:37PM

Marked as fixed.

Using the terminology from the original issue report, one workaround is for App A *and* App B to define the same <permission>. This gets a bit dicey in plugin situations, where App A is not written by the author of App B, only because App A would need all relevant resources (e.g., internationalized strings). OTOH, it works.

pr...@google.com <pr...@google.com> #5Mar 22, 2023 08:23PM

This has security implications as well. Consider the following:

---
App HOST allows access to personally-identifying information through a permission.
App PLUGIN can get access to this information by defining the <permission> as well, and using its own permission.
However, if HOST is not already installed, this permission is not shown to the user when PLUGIN is installed.
When HOST is later installed, PLUGIN now has access to HOST's data, even though the user was never aware of it.
---

Perhaps this is a separate bug. The expected behavior is, if an app has a <uses-permission>, that permission should be shown to the user REGARDLESS of whether the permission exists in another app or doesn't.

sh...@gmail.com <sh...@gmail.com> #6Mar 23, 2023 07:52AM

It doesn't work this way. Permissions are granted at install time *only*, so if you install HOST after PLUGIN, PLUGIN doesn't get any extra permissions. Of course, if they are using sharedUserId you get the union of both sets of permissions, but that's a different story.

va...@shopify.com <va...@shopify.com> #7Mar 25, 2023 12:57AM

Perhaps it's not meant to work this way, but I just tested and it does. I installed PLUGIN first (which has both <permission> and <uses-permission>), which obviously doesn't work correctly because HOST is not installed. Then I installed HOST (which has the same <permission> defined). PLUGIN now has access to HOST.

va...@shopify.com <va...@shopify.com> #8Apr 4, 2023 05:20PM

#9: However, you were presented with the custom permission at install time of PLUGIN, as you had <uses-permission>. The exception to this is signature-level permissions, which are never presented to the user, as the signature match alone is sufficient.

he...@google.com <he...@google.com> #9Apr 4, 2023 09:26PM

The problem here is that the PLUGIN can have a different description of the permission in its <permission> tag than the HOST.
You could even use descriptions that look like a boring android permission like INTERNET.

va...@shopify.com <va...@shopify.com> #10Apr 4, 2023 10:01PM

@mmurphy: That's the thing - at the time of PLUGIN's install, I did *not* see that permission. Could be my ROM though - running 4.2.2/SlimROM/Galaxy Nexus. Would be good if someone could confirm.

@domschuermann: But yes, different descriptions/icons/names are also a problem, and the solution to this isn't trivial.

he...@google.com <he...@google.com> #11Apr 4, 2023 10:02PM

Might I add, the permission level was kept at the default, and I signed the two packages with different signatures (one with a debug key, the other with a release).