hostsidetests/securitybulletin/test-apps/CVE-2022-20347/src/android/security/cts/CVE_2022_20347/DeviceTest.java - platform/cts - Git at Google

 /*
  * Copyright (C) 2022 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package android.security.cts.CVE_2022_20347;

 import static org.junit.Assert.assertFalse;
 import static org.junit.Assume.assumeNoException;
 import static org.junit.Assume.assumeTrue;

 import android.app.UiAutomation;
 import android.bluetooth.BluetoothAdapter;
 import android.content.ComponentName;
 import android.content.Context;
 import android.content.Intent;
 import android.content.SharedPreferences;
 import android.content.SharedPreferences.OnSharedPreferenceChangeListener;
 import android.content.res.Resources;
 import android.net.Uri;
 import android.provider.Settings;

 import androidx.test.InstrumentationRegistry;
 import androidx.test.runner.AndroidJUnit4;
 import androidx.test.uiautomator.By;
 import androidx.test.uiautomator.UiDevice;
 import androidx.test.uiautomator.Until;

 import org.junit.After;
 import org.junit.Test;
 import org.junit.runner.RunWith;

 import java.util.concurrent.Semaphore;
 import java.util.concurrent.TimeUnit;

 @RunWith(AndroidJUnit4.class)
 public class DeviceTest {
     Context mContext;
     Semaphore mPreferenceChanged;
     UiDevice mDevice;

     String getSettingsPkgName() {
         Intent settingsIntent = new Intent(Settings.ACTION_SETTINGS);
         ComponentName settingsComponent =
                 settingsIntent.resolveActivity(mContext.getPackageManager());
         String pkgName = settingsComponent != null ? settingsComponent.getPackageName()
                 : mContext.getString(R.string.defaultSettingsPkg);
         return pkgName;
     }

     int getInteger(int resId) {
         return mContext.getResources().getInteger(resId);
     }

     void switchBluetoothMode(String action) {
         Intent intent = new Intent(mContext, PocActivity.class);
         intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
         intent.putExtra(mContext.getString(R.string.btAction), action);
         mContext.startActivity(intent);
     }

     @Test
     public void testBluetoothDiscoverable() {
         OnSharedPreferenceChangeListener sharedPrefListener;
         SharedPreferences sharedPrefs;
         boolean btState = false;
         try {
             mContext = InstrumentationRegistry.getInstrumentation().getContext();
             Resources resources = mContext.getResources();
             sharedPrefs = mContext.getSharedPreferences(
                     resources.getString(R.string.sharedPreferences), Context.MODE_APPEND);
             mPreferenceChanged = new Semaphore(0);
             sharedPrefListener = new OnSharedPreferenceChangeListener() {
                 @Override
                 public void onSharedPreferenceChanged(SharedPreferences sharedPreferences,
                         String key) {
                     if (key.equals(resources.getString(R.string.resultKey))) {
                         mPreferenceChanged.release();
                     }
                 }
             };
             sharedPrefs.registerOnSharedPreferenceChangeListener(sharedPrefListener);
             BluetoothAdapter btAdapter = BluetoothAdapter.getDefaultAdapter();

             // Save the state of bluetooth adapter to reset after the test
             btState = btAdapter.isEnabled();

             // Disable bluetooth if already enabled in 'SCAN_MODE_CONNECTABLE_DISCOVERABLE' mode
             if (btAdapter.getScanMode() == btAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE) {
                 switchBluetoothMode(BluetoothAdapter.ACTION_REQUEST_DISABLE);
                 assumeTrue(mPreferenceChanged.tryAcquire(getInteger(R.integer.timeoutMs),
                         TimeUnit.MILLISECONDS));
                 int result = sharedPrefs.getInt(resources.getString(R.string.resultKey),
                         resources.getInteger(R.integer.assumptionFailure));
                 String message = sharedPrefs.getString(resources.getString(R.string.messageKey),
                         resources.getString(R.string.defaultSemaphoreMsg));
                 assumeTrue(message, result != resources.getInteger(R.integer.assumptionFailure));
             }

             // Enable bluetooth if in disabled state
             switchBluetoothMode(BluetoothAdapter.ACTION_REQUEST_ENABLE);
             assumeTrue(mPreferenceChanged.tryAcquire(getInteger(R.integer.timeoutMs),
                     TimeUnit.MILLISECONDS));
             int result = sharedPrefs.getInt(resources.getString(R.string.resultKey),
                     resources.getInteger(R.integer.assumptionFailure));
             String message = sharedPrefs.getString(resources.getString(R.string.messageKey),
                     resources.getString(R.string.defaultSemaphoreMsg));
             assumeTrue(message, result != resources.getInteger(R.integer.assumptionFailure));

             // Checking if bluetooth is enabled. The test requires bluetooth to be enabled
             assumeTrue(btAdapter.isEnabled());

             // Checking if bluetooth mode is not set to SCAN_MODE_CONNECTABLE_DISCOVERABLE
             assumeTrue(btAdapter.getScanMode() != btAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE);

             // Launch bluetooth settings which is supposed to set scan mode to
             // SCAN_MODE_CONNECTABLE_DISCOVERABLE if vulnerability is present
             UiAutomation uiautomation =
                     InstrumentationRegistry.getInstrumentation().getUiAutomation();
             uiautomation
                     .adoptShellPermissionIdentity(android.Manifest.permission.MODIFY_PHONE_STATE);
             String settingsPkg = getSettingsPkgName();
             Intent intent = new Intent();
             intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
             intent.setData(Uri.parse(mContext.getString(R.string.uri)));
             intent.setClassName(settingsPkg, settingsPkg + mContext.getString(R.string.className));
             mContext.startActivity(intent);
             mDevice = UiDevice.getInstance(InstrumentationRegistry.getInstrumentation());
             assumeTrue(mDevice.wait(Until.hasObject(By.pkg(settingsPkg)),
                     getInteger(R.integer.timeoutMs)));
             boolean isBtDiscoverable = false;
             isBtDiscoverable =
                     (btAdapter.getScanMode() == btAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE);
             uiautomation.dropShellPermissionIdentity();

             // The test fails if bluetooth is made discoverable through PoC
             assertFalse(mContext.getString(R.string.failMessage), isBtDiscoverable);
         } catch (Exception e) {
             assumeNoException(e);
         } finally {
             try {
                 // Disable bluetooth if it was OFF before the test
                 if (!btState) {
                     switchBluetoothMode(BluetoothAdapter.ACTION_REQUEST_DISABLE);
                     assumeTrue(mPreferenceChanged.tryAcquire(getInteger(R.integer.timeoutMs),
                             TimeUnit.MILLISECONDS));
                 }
                 // Go to home screen
                 mDevice.pressHome();
             } catch (Exception e) {
                 // ignore exceptions here
             }
         }
     }
 }
	/*
	* Copyright (C) 2022 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package android.security.cts.CVE_2022_20347;

	import static org.junit.Assert.assertFalse;
	import static org.junit.Assume.assumeNoException;
	import static org.junit.Assume.assumeTrue;

	import android.app.UiAutomation;
	import android.bluetooth.BluetoothAdapter;
	import android.content.ComponentName;
	import android.content.Context;
	import android.content.Intent;
	import android.content.SharedPreferences;
	import android.content.SharedPreferences.OnSharedPreferenceChangeListener;
	import android.content.res.Resources;
	import android.net.Uri;
	import android.provider.Settings;

	import androidx.test.InstrumentationRegistry;
	import androidx.test.runner.AndroidJUnit4;
	import androidx.test.uiautomator.By;
	import androidx.test.uiautomator.UiDevice;
	import androidx.test.uiautomator.Until;

	import org.junit.After;
	import org.junit.Test;
	import org.junit.runner.RunWith;

	import java.util.concurrent.Semaphore;
	import java.util.concurrent.TimeUnit;

	@RunWith(AndroidJUnit4.class)
	public class DeviceTest {
	Context mContext;
	Semaphore mPreferenceChanged;
	UiDevice mDevice;

	String getSettingsPkgName() {
	Intent settingsIntent = new Intent(Settings.ACTION_SETTINGS);
	ComponentName settingsComponent =
	settingsIntent.resolveActivity(mContext.getPackageManager());
	String pkgName = settingsComponent != null ? settingsComponent.getPackageName()
	: mContext.getString(R.string.defaultSettingsPkg);
	return pkgName;
	}

	int getInteger(int resId) {
	return mContext.getResources().getInteger(resId);
	}

	void switchBluetoothMode(String action) {
	Intent intent = new Intent(mContext, PocActivity.class);
	intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
	intent.putExtra(mContext.getString(R.string.btAction), action);
	mContext.startActivity(intent);
	}

	@Test
	public void testBluetoothDiscoverable() {
	OnSharedPreferenceChangeListener sharedPrefListener;
	SharedPreferences sharedPrefs;
	boolean btState = false;
	try {
	mContext = InstrumentationRegistry.getInstrumentation().getContext();
	Resources resources = mContext.getResources();
	sharedPrefs = mContext.getSharedPreferences(
	resources.getString(R.string.sharedPreferences), Context.MODE_APPEND);
	mPreferenceChanged = new Semaphore(0);
	sharedPrefListener = new OnSharedPreferenceChangeListener() {
	@Override
	public void onSharedPreferenceChanged(SharedPreferences sharedPreferences,
	String key) {
	if (key.equals(resources.getString(R.string.resultKey))) {
	mPreferenceChanged.release();
	}
	}
	};
	sharedPrefs.registerOnSharedPreferenceChangeListener(sharedPrefListener);
	BluetoothAdapter btAdapter = BluetoothAdapter.getDefaultAdapter();

	// Save the state of bluetooth adapter to reset after the test
	btState = btAdapter.isEnabled();

	// Disable bluetooth if already enabled in 'SCAN_MODE_CONNECTABLE_DISCOVERABLE' mode
	if (btAdapter.getScanMode() == btAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE) {
	switchBluetoothMode(BluetoothAdapter.ACTION_REQUEST_DISABLE);
	assumeTrue(mPreferenceChanged.tryAcquire(getInteger(R.integer.timeoutMs),
	TimeUnit.MILLISECONDS));
	int result = sharedPrefs.getInt(resources.getString(R.string.resultKey),
	resources.getInteger(R.integer.assumptionFailure));
	String message = sharedPrefs.getString(resources.getString(R.string.messageKey),
	resources.getString(R.string.defaultSemaphoreMsg));
	assumeTrue(message, result != resources.getInteger(R.integer.assumptionFailure));
	}

	// Enable bluetooth if in disabled state
	switchBluetoothMode(BluetoothAdapter.ACTION_REQUEST_ENABLE);
	assumeTrue(mPreferenceChanged.tryAcquire(getInteger(R.integer.timeoutMs),
	TimeUnit.MILLISECONDS));
	int result = sharedPrefs.getInt(resources.getString(R.string.resultKey),
	resources.getInteger(R.integer.assumptionFailure));
	String message = sharedPrefs.getString(resources.getString(R.string.messageKey),
	resources.getString(R.string.defaultSemaphoreMsg));
	assumeTrue(message, result != resources.getInteger(R.integer.assumptionFailure));

	// Checking if bluetooth is enabled. The test requires bluetooth to be enabled
	assumeTrue(btAdapter.isEnabled());

	// Checking if bluetooth mode is not set to SCAN_MODE_CONNECTABLE_DISCOVERABLE
	assumeTrue(btAdapter.getScanMode() != btAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE);

	// Launch bluetooth settings which is supposed to set scan mode to
	// SCAN_MODE_CONNECTABLE_DISCOVERABLE if vulnerability is present
	UiAutomation uiautomation =
	InstrumentationRegistry.getInstrumentation().getUiAutomation();
	uiautomation
	.adoptShellPermissionIdentity(android.Manifest.permission.MODIFY_PHONE_STATE);
	String settingsPkg = getSettingsPkgName();
	Intent intent = new Intent();
	intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
	intent.setData(Uri.parse(mContext.getString(R.string.uri)));
	intent.setClassName(settingsPkg, settingsPkg + mContext.getString(R.string.className));
	mContext.startActivity(intent);
	mDevice = UiDevice.getInstance(InstrumentationRegistry.getInstrumentation());
	assumeTrue(mDevice.wait(Until.hasObject(By.pkg(settingsPkg)),
	getInteger(R.integer.timeoutMs)));
	boolean isBtDiscoverable = false;
	isBtDiscoverable =
	(btAdapter.getScanMode() == btAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE);
	uiautomation.dropShellPermissionIdentity();

	// The test fails if bluetooth is made discoverable through PoC
	assertFalse(mContext.getString(R.string.failMessage), isBtDiscoverable);
	} catch (Exception e) {
	assumeNoException(e);
	} finally {
	try {
	// Disable bluetooth if it was OFF before the test
	if (!btState) {
	switchBluetoothMode(BluetoothAdapter.ACTION_REQUEST_DISABLE);
	assumeTrue(mPreferenceChanged.tryAcquire(getInteger(R.integer.timeoutMs),
	TimeUnit.MILLISECONDS));
	}
	// Go to home screen
	mDevice.pressHome();
	} catch (Exception e) {
	// ignore exceptions here
	}
	}
	}
	}