Google Git
Sign in
android / platform / frameworks / opt / telephony / ac114bf^! / .
commitac114bf880c089a72cbb29007fef07b2bd57256c[log] [tgz]
authorChen Xu <fionaxu@google.com>Thu May 13 15:49:01 2021 -0700
committerandroid-build-team Robot <android-build-team-robot@google.com>Wed Jun 16 01:11:27 2021 +0000
treec6f13fdbfec89de1fa6c199818f64b988b91f155
parent10a271abc88baff3297a50f8992f648fbbd5dba3 [diff]
filter deviceIdentifiers for subscriptionInfo if callers without perm

Fix a security issue that app can read iccId of sim card(s) without
requiring READ_PRIVILEGED_PHONE_STATE permission when calling hidden API SubscriptionManager.getAllActiveSubscriptionInfoList. Apply
deviceIdentifier filter to remove those info if the caller does not have proper permissions.

Bug: 183612370
Test: Manual
Merged-in: If7d243c40d187008f8cb314b162228cbad1702a4
Change-Id: If7d243c40d187008f8cb314b162228cbad1702a4
(cherry picked from commit f6bb9b20840c29e74a37ea2b880e63b3fc9470ff)
(cherry picked from commit f24c432620af8a772fdf09ba960573e78f2a99cf)

diff --git a/src/java/com/android/internal/telephony/SubscriptionController.java b/src/java/com/android/internal/telephony/SubscriptionController.java
index c0939f1..94d6d5f 100644
--- a/src/java/com/android/internal/telephony/SubscriptionController.java
+++ b/src/java/com/android/internal/telephony/SubscriptionController.java

@@ -891,6 +891,10 @@
             subList = getSubInfo(null, null);
             if (subList != null) {
                 if (VDBG) logd("[getAllSubInfoList]- " + subList.size() + " infos return");
+                subList.stream().map(
+                        subscriptionInfo -> conditionallyRemoveIdentifiers(subscriptionInfo,
+                                callingPackage, callingFeatureId, "getAllSubInfoList"))
+                        .collect(Collectors.toList());
             } else {
                 if (VDBG) logd("[getAllSubInfoList]- no info return");
             }