Android 5.0 (Lollipop) has been out for a while now, and most of its new features have been introduced, benchmarked, or complained about extensively. The new release also includes a number of security enhancements, of which disk encryption has probably gotten the most media attention. Smart Lock (originally announced at Google I/O 2014), which allows bypassing the device lockscreen when certain environmental conditions are met, is probably the most user-visible new security feature. As such, it has also been discussed and blogged about extensively. However, because Smart Lock is a proprietary feature incorporated in Google Play Services, not many details about its implementation or security level are available. This post will look into the Android framework extensions that Smart Lock is built upon, show how to use them to build your own unlock method, and finally briefly talk about its Play Services implementation.
Trust agents
Smart Lock is built upon a new Lollipop feature called trust agents. To quote from the framework documentation, a trust agent is a 'service that notifies the system about whether it believes the environment of the device to be trusted.' The exact meaning of 'trusted' is up to the trust agent to define. When a trust agent believes it can trust the current environment, it notifies the system via a callback, and the system decides how to relax the security configuration of the device. In the current Android incarnation, being in a trusted environment grants the user the ability to bypass the lockscreen.
Trust is granted per user, so each user's trust agents can be configured differently. Additionally, trust can be granted for a certain period of time, and the system automatically reverts to an untrusted state when that period expires. Device administrators can set the maximum trust period trust agents are allowed to set, or disable trust agents altogether.
Trust agent API
Trust agents are Android services which extend the TrustAgentService base class (not available in the public SDK). The base class provides methods for enabling the trust agent (setManagingTrust()), granting and revoking trust (grantTrust()/revokeTrust()), as well as a number of callback methods, as shown in the (abbreviated) framework class below.

```java
public class TrustAgentService extends Service {
    // Called by the keyguard after each pattern/PIN/password attempt
    public void onUnlockAttempt(boolean successful) { }
    // Called when a previously granted trust period has expired
    public void onTrustTimeout() { }
    private void onError(String msg) {
        Slog.v(TAG, "Remote exception while " + msg);
    }
    public boolean onSetTrustAgentFeaturesEnabled(Bundle options) {
        return false;
    }
    // Notifies TrustManagerService that the environment is trusted for durationMs
    public final void grantTrust(final CharSequence message,
                                 final long durationMs,
                                 final boolean initiatedByUser) {
        //...
    }
    public final void revokeTrust() {
        //...
    }
    // Must be set to true before grantTrust() calls are honored
    public final void setManagingTrust(boolean managingTrust) {
        //...
    }
    @Override
    public final IBinder onBind(Intent intent) {
        return new TrustAgentServiceWrapper();
    }
    //...
}
```
To be picked up by the system, a trust agent needs to be declared in AndroidManifest.xml with an intent filter for the android.service.trust.TrustAgentService action, and must require the BIND_TRUST_AGENT permission, as shown below. This ensures that only the system can bind to the trust agent, as the BIND_TRUST_AGENT permission requires the platform signature. A Binder API, which allows calling the agent from other processes, is provided by the TrustAgentService base class.

```xml
<manifest ... >
    <uses-permission android:name="android.permission.CONTROL_KEYGUARD" />
    <uses-permission android:name="android.permission.PROVIDE_TRUST_AGENT" />
    <application ...>
        <service android:exported="true"
                 android:label="@string/app_name"
                 android:name=".GhettoTrustAgent"
                 android:permission="android.permission.BIND_TRUST_AGENT">
            <intent-filter>
                <action android:name="android.service.trust.TrustAgentService"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
            <meta-data android:name="android.service.trust.trustagent"
                       android:resource="@xml/ghetto_trust_agent"/>
        </service>
        ...
    </application>
</manifest>
```
The system Settings app scans app packages that match the intent filter shown above, checks if they hold the PROVIDE_TRUST_AGENT signature permission (defined in the android package) and shows them in the Trust agents screen (Settings->Security->Trust agents) if all required conditions are met. Currently only a single trust agent is supported, so only the first matched package is shown. Additionally, if the manifest declaration contains a <meta-data> tag that points to an XML resource that defines a settings activity (see below for an example), a menu entry that opens the settings activity is injected into the Security settings screen.

```xml
<trust-agent xmlns:android="http://schemas.android.com/apk/res/android"
    android:title="DroidCedas : Dissecting Lollipop's Smart Lock"
    android:summary="A bunch of unlock triggers"
    android:settingsActivity=".GhettoTrustAgentSettings" />
```
Here's how the Trust agents screen might look when a system app that declares a trust agent is installed.
Trust agents are inactive by default (unless part of the system image), and are activated when the user toggles the switch in the screen above. Active agents are ultimately managed by the system TrustManagerService, which also keeps a log of trust-related events. You can get the current trust state and dump the event log using the dumpsys command as shown below.

```
$ adb shell dumpsys trust
Trust manager state:
 User "Owner" (id=0, flags=0x13) (current): trusted=0, trustManaged=1
  Enabled agents:
   org.nick.ghettounlock/.GhettoTrustAgent
    bound=1, connected=1, managingTrust=1, trusted=0
 Events:
  #0 12-24 10:42:01.915 TrustTimeout: agent=GhettoTrustAgent
  #1 12-24 10:42:01.915 TrustTimeout: agent=GhettoTrustAgent
  #2 12-24 10:42:01.915 TrustTimeout: agent=GhettoTrustAgent
  ...
```
Granting trust
Once a trust agent is installed, a trust grant can be triggered by any observable environment event, or directly by the user (for example, by completing an authentication challenge). An often requested, but not particularly secure (unless using a WPA2 profile that authenticates WiFi access points), unlock trigger is connecting to a 'home' WiFi AP. This feature can be easily implemented using a broadcast receiver that reacts to android.net.wifi.STATE_CHANGE (see the sample app; based on the sample in AOSP). Once a 'trusted' SSID is detected, the receiver only needs to call the grantTrust() method of the trust agent service. This can be achieved in a number of ways, but if both the service and the receiver are in the same package, a straightforward way is to use a LocalBroadcastManager (part of the support library) to send a local broadcast, as shown below.

```java
static void sendGrantTrust(Context context, String message,
                           long durationMs, boolean initiatedByUser) {
    Intent intent = new Intent(ACTION_GRANT_TRUST);
    intent.putExtra(EXTRA_MESSAGE, message);
    intent.putExtra(EXTRA_DURATION, durationMs);
    intent.putExtra(EXTRA_INITIATED_BY_USER, initiatedByUser);
    // Local broadcast: never leaves the process, so other apps cannot inject a grant
    LocalBroadcastManager.getInstance(context).sendBroadcast(intent);
}

// in the receiver
@Override
public void onReceive(Context context, Intent intent) {
    if (WifiManager.NETWORK_STATE_CHANGED_ACTION.equals(intent.getAction())) {
        WifiInfo wifiInfo = (WifiInfo) intent
                .getParcelableExtra(WifiManager.EXTRA_WIFI_INFO);
        // EXTRA_WIFI_INFO is absent when the state change is a disconnect
        if (wifiInfo == null) {
            return;
        }
        // ...
        if (secureSsid.equals(wifiInfo.getSSID())) {
            GhettoTrustAgent.sendGrantTrust(context, "GhettoTrustAgent::WiFi",
                    TRUST_DURATION_5MINS, false);
        }
    }
}
```
This will call the TrustAgentServiceCallback installed by the system lockscreen and effectively set a per-user trusted flag. If the flag is true, the lockscreen implementation allows the keyguard to be dismissed without authentication. Once the trust timeout expires, the user must enter their pattern, PIN or password in order to dismiss the keyguard. The current trust state is displayed at the bottom of the keyguard as a padlock icon: when unlocked, the current environment is trusted; when locked, explicit authentication is required. The user can also manually lock the device by pressing the padlock, even if an active trust agent currently has trust.
NFC unlock
As discussed in a previous post, implementing NFC unlock in previous Android versions was possible, but required some modifications to the system NfcService, because the NFC controller was not polled while the lockscreen is displayed. In order to make implementing NFC unlock possible, Lollipop introduces several hooks into the NfcService, which allow NFC polling on the lockscreen. If a matching tag is discovered, a reference to a live Tag object is passed to interested parties. Let's look into how this is implemented in a bit more detail.

The NfcAdapter class has a couple of new (hidden) methods that allow adding and removing an NFC unlock handler (addNfcUnlockHandler() and removeNfcUnlockHandler(), respectively). An NFC unlock handler is an implementation of the NfcUnlockHandler interface shown below.

```java
interface NfcUnlockHandler {
    // Return true to stop the unlock sequence; this does not dismiss the keyguard by itself
    public boolean onUnlockAttempted(Tag tag);
}
```
When registering an unlock handler you must specify not only the NfcUnlockHandler object, but also a list of NFC technologies that should be polled for at the lockscreen. Calling the addNfcUnlockHandler() method requires the WRITE_SECURE_SETTINGS signature permission. Multiple unlock handlers can be registered and are tried in turn until one of them returns true from onUnlockAttempted(). This terminates the NFC unlock sequence, but doesn't actually dismiss the keyguard. In order to unlock the device, an NFC unlock handler should work together with a trust agent in order to grant trust. Judging from NfcService's commit log, this appears to be a fairly recent development: initially, the Settings app included functionality to register trusted tags, which would automatically unlock the device (based on the tag's UID), but this functionality was removed in favor of trust agents.

Unlock handlers can authenticate the scanned NFC tag in a variety of ways, depending on the tag's technology. For passive tags that contain fixed data, authentication typically relies either on the tag's unique ID, or on some shared secret written to the tag. For active tags that can execute code, it can be anything from an OTP to full-blown multi-step mutual authentication. However, because NFC communication is not very fast, and most tags have limited processing power, a simple protocol with few roundtrips is preferable. A simple implementation that requires the tag to sign a random value with its RSA private key, and then verifies the signature using the corresponding public key, is included in the sample application. For signature verification to work, the trust agent needs to be initialized with the tag's public key, which in this case is imported via the trust agent's settings activity shown below.
Smart Lock
'Smart Lock' is just the marketing name for the GoogleTrustAgent which is included in Google Play Services (the com.google.android.gms package), as can be seen from the dumpsys output below.

```
$ adb shell dumpsys trust
Trust manager state:
 User "Owner" (id=0, flags=0x13) (current): trusted=1, trustManaged=1
  Enabled agents:
   com.google.android.gms/.auth.trustagent.GoogleTrustAgent
    bound=1, connected=1, managingTrust=1, trusted=1
    message=""
```
This trust agent offers several trust triggers: trusted devices, trusted places and a trusted face. Trusted face is just a rebranding of the face unlock method found in previous versions. It uses the same proprietary image recognition technology, but is significantly more usable, because, when enabled, the keyguard continuously scans for a matching face instead of requiring you to stay still while it takes and processes your picture. The security level provided also remains the same: fairly low, as the trusted face setup screen warns. Trusted places is based on the geofencing technology, which has been available in Google Play Services for a while. Trusted places uses the 'Home' and 'Work' locations associated with your Google account to make setup easier, and also allows for registering a custom place based on the current location or any coordinates selectable via Google Maps. As a helpful popup warns, accuracy cannot be guaranteed, and the trusted place range can be up to 100 meters. In practice, the device can remain unlocked for a while even when this distance is exceeded.
Trusted devices supports two different types of devices at the time of this writing: Bluetooth and NFC. The Bluetooth option allows the Android device to remain unlocked while a paired Bluetooth device is in range. This feature relies on Bluetooth's built-in security mechanism, and as such its security depends on the paired device. Newer devices, such as Android Wear watches or the Pebble watch, support Secure Simple Pairing (Security Mode 4), which uses Elliptic Curve Diffie-Hellman (ECDH) in order to generate a shared link key. During the pairing process, these devices display a 6-digit number based on a hash of both devices' public keys in order to provide device authentication and protect against MiTM attacks (a feature called numeric comparison). However, older wearables (such as the Meta Watch), Bluetooth earphones, and others are also supported. These previous-generation devices only support legacy pairing, which generates authentication keys based on the device's physical address and a PIN (typically 4 digits), which is usually fixed and set to a well-known value such as '0000' or '1234'. Such devices can be easily impersonated.
Google's Smart Lock implementation requires a persistent connection to a trusted device, and trust is revoked once this connection is broken (Update: apparently a trusted connection can be established without a key on Android < 5.1). However, as the introductory screen (see below) warns, Bluetooth range is highly variable and may extend up to 100 meters. Thus while the 'keep device unlocked while connected to trusted watch on wrist' use case makes a lot of sense, in practice the Android device may remain unlocked even when the trusted Bluetooth device (wearable, etc.) is in another room.
As discussed earlier, an NFC trusted device can be quite flexible, and has the advantage that, unlike Bluetooth, proximity is well defined (typically not more than 10 centimeters). While Google's Smart Lock seems to support an active NFC device (internally referred to as the 'Precious tag'), no such device has been publicly announced yet. If the Precious is not found, Google's NFC-based trust agent falls back to UID-based authentication by saving the hash of the scanned tag's UID (tag registration screen shown below). For the popular NFC-A tags (most MIFARE variants) this UID is 4 or 7 bytes long (10-byte UIDs are also theoretically supported). While using the UID for authentication is a fairly widespread practice, it was originally intended for anti-collision alone, and not for authentication. 4-byte UIDs are not necessarily unique and may collide even on 'official' NXP tags. While the specification requires 7-byte UIDs to be both unique (even across different manufacturers) and read-only, cards with a rewritable UID do exist, so cloning a MIFARE trusted tag is quite possible. Tags can also be emulated with a programmable device such as the Proxmark III. Therefore, the security level provided by UID-based authentication is not that high.
Summary
Android 5.0 (Lollipop) introduces a new trust framework based on trust agents, which can notify the system when the device is in a trusted environment. As the system lockscreen now listens for trust events, it can change its behavior based on the trust state of the current user. This makes it easy to augment or replace the traditional pattern/PIN/password user authentication methods by installing trust agents. Trust agent functionality is currently only available to system applications, and Lollipop can only support a single active trust agent. Google Play Services provides several trust triggers (trustlets) under the name 'Smart Lock' via its trust agent. While they can greatly improve device usability, none of the currently available Smart Lock methods are especially precise or secure, so they should be used with care.