GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

User can disable "ask for pin before unpinning app" setting without entering pin by pressing back button. #3745

Open benjistokman opened 2 months ago

benjistokman commented 2 months ago

This is the toggle in Settings > Security > More security settings > App pinning > Ask for pin before unpinning

If you wanna turn this off it asks for the pin first, but you can just press the back button and it turns it off anyway.

ali-zair commented 1 month ago

Honestly what a find! Thank you so much for reporting this issue.

thestinger commented 1 month ago

@benjistokman This could be reported through https://bughunters.google.com/report/vrp as a minor security bug.

FID02 commented 1 month ago

This is the toggle in Settings > Security > More security settings > App pinning > Ask for pin before unpinning

If you wanna turn this off it asks for the pin first, but you can just press the back button and it turns it off anyway.

That's not the behaviour I'm seeing on my end. By going through the provided steps, I can confirm that the Settings UI displays "Ask for PIN before unpinning" as disabled. However, if I then proceed to pin an app and then unpin it, I am redirected to the lockscreen and have to provide my device credentials, as if the feature is enabled.

Moreover, when I do the provided steps and then swipe back in the Settings UI, and then re-enter the "App pinning" menu, "Ask for PIN before unpinning" again displays as enabled.

On my end it seems like just a UI bug. Tested on Pixel 8, GOS 2024070900

ali-zair commented 1 month ago

This is the toggle in Settings > Security > More security settings > App pinning > Ask for pin before unpinning

If you wanna turn this off it asks for the pin first, but you can just press the back button and it turns it off anyway.

That's not the behaviour I'm seeing on my end. By going through the provided steps, I can confirm that the Settings UI displays "Ask for PIN before unpinning" as disabled. However, if I then proceed to pin an app and then unpin it, I am redirected to the lockscreen and have to provide my device credentials, as if the feature is enabled.

Moreover, when I do the provided steps and then swipe back in the Settings UI, and then re-enter the "App pinning" menu, "Ask for PIN before unpinning" again displays as enabled.

On my end it seems like just a UI bug. Tested on Pixel 8, GOS 2024070900

Yes, I can also confirm that it is just the UI that displays it as disabled; however, it does still ask for the PIN / Password if it is not disabled properly by entering the PIN / Password.

benjistokman commented 1 month ago

Oh right. I didn't actually confirm that. Sorry.

ali-zair commented 1 month ago

Oh right. I didn't actually confirm that. Sorry.

Nothing to be sorry for. You only wanted the FOSS community to benefit. Thank you for your contribution.