Disallow downgrading of non-debuggable packages.

An attacker could downgrade a package to an older version with known
security vulnerabilities and then use some of the vulnerabilities to
access the application's data. This would constitute a bypass of the
Android Application Sandbox. Thus, downgrading while keeping
application data is no longer permitted.

To help developers debug their apps, packages marked as debuggable can
still be downgraded while keeping their data. This does not put the
installed base at risk because, as a security measure, most
application stores reject packages marked as debuggable.

To downgrade a non-debuggable (i.e., release) package, uninstall the
package (thus wiping its data), then install the older version of the
package.

Bug: 27327503
Change-Id: Iac75ed3c3831b5d925dfd8b660527cfa95813da8
diff --git a/core/java/android/content/pm/PackageManager.java b/core/java/android/content/pm/PackageManager.java
index b7f968c..4dd8155 100644
--- a/core/java/android/content/pm/PackageManager.java
+++ b/core/java/android/content/pm/PackageManager.java
@@ -602,7 +602,8 @@
     /**
      * Flag parameter for {@link #installPackage} to indicate that it is okay
      * to install an update to an app where the newly installed app has a lower
-     * version code than the currently installed app.
+     * version code than the currently installed app. This is permitted only if
+     * the currently installed app is marked debuggable.
      *
      * @hide
      */
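Review bot: The added Javadoc says the downgrade is permitted only if "the currently installed app is marked debuggable", but the service-side gate applies the debuggable test to whichever package still owns the app's data, which includes a package that was uninstalled with its data kept and so is not currently installed at all. Suggest `This is permitted only if the app whose data would be inherited (the installed app, or one uninstalled with its data kept) is marked debuggable.` so callers are not surprised when the flag is ignored for a package that no longer appears installed.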
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 41077d0..f426e19 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -11566,20 +11566,41 @@
             boolean onSd = (installFlags & PackageManager.INSTALL_EXTERNAL) != 0;
             // reader
             synchronized (mPackages) {
-                PackageParser.Package pkg = mPackages.get(packageName);
-                if (pkg != null) {
-                    if ((installFlags & PackageManager.INSTALL_REPLACE_EXISTING) != 0) {
-                        // Check for downgrading.
-                        if ((installFlags & PackageManager.INSTALL_ALLOW_DOWNGRADE) == 0) {
-                            try {
-                                checkDowngrade(pkg, pkgLite);
-                            } catch (PackageManagerException e) {
-                                Slog.w(TAG, "Downgrade detected: " + e.getMessage());
-                                return PackageHelper.RECOMMEND_FAILED_VERSION_DOWNGRADE;
-                            }
+                // Currently installed package which the new package is attempting to replace or
+                // null if no such package is installed.
+                PackageParser.Package installedPkg = mPackages.get(packageName);
+                // Package which currently owns the data which the new package will own if installed.
+                // If an app is unstalled while keeping data (e.g., adb uninstall -k), installedPkg
+                // will be null whereas dataOwnerPkg will contain information about the package
+                // which was uninstalled while keeping its data.
+                PackageParser.Package dataOwnerPkg = installedPkg;
+                if (dataOwnerPkg  == null) {
+                    PackageSetting ps = mSettings.mPackages.get(packageName);
+                    if (ps != null) {
+                        dataOwnerPkg = ps.pkg;
+                    }
+                }
+
+                if (dataOwnerPkg != null) {
+                    // If installed, the package will get access to data left on the device by its
+                    // predecessor. As a security measure, this is permited only if this is not a
+                    // version downgrade or if the predecessor package is marked as debuggable and
+                    // a downgrade is explicitly requested.
+                    if (((dataOwnerPkg.applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) == 0)
+                            || ((installFlags & PackageManager.INSTALL_ALLOW_DOWNGRADE) == 0)) {
+                        try {
+                            checkDowngrade(dataOwnerPkg, pkgLite);
+                        } catch (PackageManagerException e) {
+                            Slog.w(TAG, "Downgrade detected: " + e.getMessage());
+                            return PackageHelper.RECOMMEND_FAILED_VERSION_DOWNGRADE;
                         }
+                    }
+                }
+
+                if (installedPkg != null) {
+                    if ((installFlags & PackageManager.INSTALL_REPLACE_EXISTING) != 0) {
                         // Check for updated system application.
-                        if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
+                        if ((installedPkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                             if (onSd) {
                                 Slog.w(TAG, "Cannot install update to system app on sdcard");
                                 return PackageHelper.RECOMMEND_FAILED_INVALID_LOCATION;
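Review bot: The fallback `dataOwnerPkg = ps.pkg;` silently skips the downgrade gate whenever the PackageSetting survives but its `pkg` reference is null, which appears possible for a package uninstalled with data kept and not re-scanned since (for instance after a reboot); in that state `if (dataOwnerPkg != null)` is not entered and the older APK is installed over the retained data, which is the case the commit sets out to close. Consider falling back to the version code persisted in the PackageSetting when `ps.pkg` is null and treating that as a downgrade unless the persisted setting is marked debuggable and INSTALL_ALLOW_DOWNGRADE is set, rather than falling through. Two comment typos in the added block: `unstalled` should be `uninstalled` and `permited` should be `permitted`; `dataOwnerPkg  == null` also has a doubled space. The enclosing method starts before the hunk.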
@@ -11598,7 +11619,7 @@
                                 // App explictly prefers external. Let policy decide
                             } else {
                                 // Prefer previous location
-                                if (isExternal(pkg)) {
+                                if (isExternal(installedPkg)) {
                                     return PackageHelper.RECOMMEND_INSTALL_EXTERNAL;
                                 }
                                 return PackageHelper.RECOMMEND_INSTALL_INTERNAL;