Fix security issue that app can query which applications are installed on the device without requiring QUERY_ALL_PACKAGES in `getDeviceId` method of `PhoneSubInfoController` class
Test: Manual verified with Test app; Safety net log added
Bug: 185591180
Change-Id: Iff04a59a4ebfc842818960aea930dda2b86b1973
diff --git a/src/java/com/android/internal/telephony/PhoneSubInfoController.java b/src/java/com/android/internal/telephony/PhoneSubInfoController.java
index 8db71d9..36ed749 100644
--- a/src/java/com/android/internal/telephony/PhoneSubInfoController.java
+++ b/src/java/com/android/internal/telephony/PhoneSubInfoController.java
@@ -23,6 +23,7 @@
import android.annotation.NonNull;
import android.annotation.Nullable;
+import android.app.AppOpsManager;
import android.compat.annotation.UnsupportedAppUsage;
import android.content.Context;
import android.content.pm.PackageManager;
@@ -35,6 +36,7 @@
import android.telephony.PhoneNumberUtils;
import android.telephony.SubscriptionManager;
import android.telephony.TelephonyFrameworkInitializer;
+import android.util.EventLog;
import com.android.internal.telephony.uicc.IsimRecords;
import com.android.internal.telephony.uicc.UiccCard;
@@ -48,6 +50,7 @@
@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
private final Context mContext;
+ private AppOpsManager mAppOps;
public PhoneSubInfoController(Context context) {
ServiceRegisterer phoneSubServiceRegisterer = TelephonyFrameworkInitializer
@@ -56,6 +59,7 @@
if (phoneSubServiceRegisterer.get() == null) {
phoneSubServiceRegisterer.register(this);
}
+ mAppOps = context.getSystemService(AppOpsManager.class);
mContext = context;
}
@@ -71,6 +75,7 @@
public String getDeviceIdForPhone(int phoneId, String callingPackage,
String callingFeatureId) {
+ enforceCallingPackageUidMatched(callingPackage);
return callPhoneMethodForPhoneIdWithReadDeviceIdentifiersCheck(phoneId, callingPackage,
callingFeatureId, "getDeviceId", (phone) -> phone.getDeviceId());
}
@@ -265,6 +270,15 @@
return PhoneFactory.getPhone(phoneId);
}
+ private void enforceCallingPackageUidMatched(String callingPackage) {
+ try {
+ mAppOps.checkPackage(Binder.getCallingUid(), callingPackage);
+ } catch (SecurityException se) {
+ EventLog.writeEvent(0x534e4554, "188677422", Binder.getCallingUid());
+ throw se;
+ }
+ }
+
private boolean enforceIccSimChallengeResponsePermission(Context context, int subId,
String callingPackage, String callingFeatureId, String message) {
if (TelephonyPermissions.checkCallingOrSelfUseIccAuthWithDeviceIdentifier(context,