Don’t require strong auth on regular time interval

This disables the need to provide strong authentication except when booting the device. The idea behind this is that you are no longer forced to enter your strong authentication credentials in random locations where it might be easy to snoop your strong authentication credentials allowing an adversary to boot and decrypt your device against your will. Changing DEFAULT_STRONG_AUTH_TIMEOUT_MS is not enough. Rather, it has the opposite effect. In my tests, it caused the strong auth to be required every hour rather than a 42 d interval. Ref: frameworks/base/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java In my tests, dpm.getRequiredStrongAuthTimeout(null, userId)) returned 3600000. Note that this patch circumvents the values that DeviceAdmin may provide. In other words, it ignores whatever a MDM would request for the strong auth timeout! To be clear, this patch is a practical approach, in an ideal world, we would properly use the DeviceAdmin feature. Confirmed working on: * Android 9 * Android 10 Submitted to: * hashbang/os#32 * RattlesnakeOS/community_patches#9 * https://github.com/ypid/ypid-android-patches
ypid · Nov 24, 2019 · fd12f05 · fd12f05
1 parent 86a9704
commit fd12f05
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 13 deletions.
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
@@ -534,7 +534,7 @@ protected int myUserId() {
      *
      * @hide
      */
-    public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72 * 60 * 60 * 1000; // 72h
+    public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 42 * 24 * 60 * 60 * 1000; // 42d
 
     /**
      * A {@link android.os.Parcelable} extra of type {@link android.os.PersistableBundle} that

diff --git a/services/core/java/com/android/server/locksettings/LockSettingsStrongAuth.java b/services/core/java/com/android/server/locksettings/LockSettingsStrongAuth.java
@@ -120,18 +120,7 @@ private void handleRemoveUser(int userId) {
     private void handleScheduleStrongAuthTimeout(int userId) {
         final DevicePolicyManager dpm =
                 (DevicePolicyManager) mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
-        long when = SystemClock.elapsedRealtime() + dpm.getRequiredStrongAuthTimeout(null, userId);
-        // cancel current alarm listener for the user (if there was one)
-        StrongAuthTimeoutAlarmListener alarm = mStrongAuthTimeoutAlarmListenerForUser.get(userId);
-        if (alarm != null) {
-            mAlarmManager.cancel(alarm);
-        } else {
-            alarm = new StrongAuthTimeoutAlarmListener(userId);
-            mStrongAuthTimeoutAlarmListenerForUser.put(userId, alarm);
-        }
-        // schedule a new alarm listener for the user
-        mAlarmManager.set(AlarmManager.ELAPSED_REALTIME, when, STRONG_AUTH_TIMEOUT_ALARM_TAG,
-                alarm, mHandler);
+        Slog.d(TAG, "getRequiredStrongAuthTimeout: " + dpm.getRequiredStrongAuthTimeout(null, userId));
     }
 
     private void notifyStrongAuthTrackers(int strongAuthReason, int userId) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -534,7 +534,7 @@ protected int myUserId() { @@
          *
          * @hide
          */
-        public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72 * 60 * 60 * 1000; // 72h
+        public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 42 * 24 * 60 * 60 * 1000; // 42d
         /**
          * A {@link android.os.Parcelable} extra of type {@link android.os.PersistableBundle} that
@@ Expand Down @@