NeoApplications / Neo-Backup

backup manager for android
GNU Affero General Public License v3.0

[Bug] Session F-Droid: Signature problems #840

Closed mid-kid closed 5 months ago

mid-kid commented 5 months ago

Description

Restoring a backup of this app on a new device does not work.

Steps To Reproduce

  1. Back up the app
  2. Wipe phone/switch to new phone
  3. Restore the app
  4. Crash

Expected behavior

No crash

System Information (please complete the following information):

Logcat

01-24 23:43:45.807   700   700 E KeyMasterHalDevice: Finish send cmd failed
01-24 23:43:45.807   700   700 E KeyMasterHalDevice: ret: 0
01-24 23:43:45.807   700   700 E KeyMasterHalDevice: resp->status: -30
01-24 23:43:45.807   698   747 E keystore2: system/security/keystore2/src/error.rs:180 - system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish
01-24 23:43:45.807   698   747 E keystore2: 
01-24 23:43:45.807   698   747 E keystore2: Caused by:
01-24 23:43:45.807   698   747 E keystore2:     0: system/security/keystore2/src/operation.rs:426: Finish failed.
01-24 23:43:45.807   698   747 E keystore2:     1: Error::Km(r#VERIFICATION_FAILED)
01-24 23:43:45.808  7879  7879 D AndroidRuntime: Shutting down VM
01-24 23:43:45.809  7879  7879 E AndroidRuntime: FATAL EXCEPTION: main
01-24 23:43:45.809  7879  7879 E AndroidRuntime: Process: network.loki.messenger.fdroid, PID: 7879
01-24 23:43:45.809  7879  7879 E AndroidRuntime: java.lang.AssertionError: javax.crypto.AEADBadTagException
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.crypto.KeyStoreHelper.unseal(KeyStoreHelper.java:83)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.crypto.DatabaseSecretProvider.getEncryptedDatabaseSecret(DatabaseSecretProvider.java:58)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.crypto.DatabaseSecretProvider.getOrCreateDatabaseSecret(DatabaseSecretProvider.java:29)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.dependencies.DatabaseModule.provideOpenHelper(DatabaseModule.kt:34)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.dependencies.DatabaseModule_ProvideOpenHelperFactory.provideOpenHelper(DatabaseModule_ProvideOpenHelperFactory.java:39)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.DaggerApplicationContext_HiltComponents_SingletonC$SingletonCImpl$SwitchingProvider.get(DaggerApplicationContext_HiltComponents_SingletonC.java:1471)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at dagger.internal.DoubleCheck.get(DoubleCheck.java:47)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.DaggerApplicationContext_HiltComponents_SingletonC$SingletonCImpl$SwitchingProvider.get(DaggerApplicationContext_HiltComponents_SingletonC.java:1468)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at dagger.internal.DoubleCheck.get(DoubleCheck.java:47)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.DaggerApplicationContext_HiltComponents_SingletonC$SingletonCImpl.injectApplicationContext2(DaggerApplicationContext_HiltComponents_SingletonC.java:1443)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.DaggerApplicationContext_HiltComponents_SingletonC$SingletonCImpl.injectApplicationContext(DaggerApplicationContext_HiltComponents_SingletonC.java:1298)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.Hilt_ApplicationContext.hiltInternalInject(Hilt_ApplicationContext.java:50)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.Hilt_ApplicationContext.onCreate(Hilt_ApplicationContext.java:41)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.ApplicationContext.onCreate(ApplicationContext.java:214)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1322)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.app.ActivityThread.handleBindApplication(ActivityThread.java:7058)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.app.ActivityThread.-$$Nest$mhandleBindApplication(Unknown Source:0)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2261)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.os.Looper.loopOnce(Looper.java:205)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:294)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:8244)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:552)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:878)
01-24 23:43:45.809  7879  7879 E AndroidRuntime: Caused by: javax.crypto.AEADBadTagException
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:626)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at javax.crypto.Cipher.doFinal(Cipher.java:2056)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at org.thoughtcrime.securesms.crypto.KeyStoreHelper.unseal(KeyStoreHelper.java:80)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    ... 24 more
01-24 23:43:45.809  7879  7879 E AndroidRuntime: Caused by: android.security.KeyStoreException: Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish
01-24 23:43:45.809  7879  7879 E AndroidRuntime: 
01-24 23:43:45.809  7879  7879 E AndroidRuntime: Caused by:
01-24 23:43:45.809  7879  7879 E AndroidRuntime:     0: system/security/keystore2/src/operation.rs:426: Finish failed.
01-24 23:43:45.809  7879  7879 E AndroidRuntime:     1: Error::Km(r#VERIFICATION_FAILED)) (public error code: 10 internal Keystore code: -30)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:386)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:128)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:396)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:618)
01-24 23:43:45.809  7879  7879 E AndroidRuntime:    ... 26 more
01-24 23:43:45.812  7879  7879 I Process : Sending signal. PID: 7879 SIG: 9
01-24 23:43:45.822  1906  2251 I ActivityManager: Process network.loki.messenger.fdroid (pid 7879) has died: fg  TOP 
01-24 23:43:45.823  1906  2060 I libprocessgroup: Successfully killed process cgroup uid 10444 pid 7879 in 0ms
01-24 23:43:45.823  1906  2036 D DisplayManagerService: Drop pending events for gone uid 10444
01-24 23:43:45.823   989   989 I Zygote  : Process 7879 exited due to signal 9 (Killed)

MrEngineerMind commented 5 months ago

The line "01-24 23:43:45.807 698 747 E keystore2: system/security/keystore2/src/error.rs:180 - system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish" suggests that the app uses keystore.

Keystore data cannot be backed up using NeoBackup due to security reasons.

The restored app is probably crashing because the non-keystore app data that was restored properly is also expecting data in the keystore (which was on the original phone but is not there on the new phone after the restore), causing the app to crash due to this mismatched, invalid state.
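
The failure mode described in this comment, as an added example that is not part of the original thread and is not Session's or Neo Backup's code: a secret sealed with AES-GCM under a key that never leaves the device cannot be unsealed after the app data is restored elsewhere. Plain `javax.crypto` stands in for the Android Keystore; the `DeviceKeystore` class and the modelling of the new phone as holding a freshly generated key are assumptions.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SealedSecretRestoreDemo {
    // Hypothetical stand-in for the Android Keystore: the key exists only here, never in app data.
    static final class DeviceKeystore {
        private final SecretKey key;
        DeviceKeystore() throws GeneralSecurityException {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            key = kg.generateKey();
        }
        byte[] seal(byte[] plaintext) throws GeneralSecurityException {
            byte[] iv = new byte[12];
            new SecureRandom().nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(plaintext);
            byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return out; // iv || ciphertext || tag: the only part that lands in app data
        }
        byte[] unseal(byte[] sealed) throws GeneralSecurityException {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, sealed, 0, 12));
            return c.doFinal(sealed, 12, sealed.length - 12);
        }
    }
    public static void main(String[] args) throws GeneralSecurityException {
        DeviceKeystore oldPhone = new DeviceKeystore();
        byte[] dbSecret = new byte[32];                      // constructed sample secret
        new SecureRandom().nextBytes(dbSecret);
        byte[] sealedInAppData = oldPhone.seal(dbSecret);    // this blob is what a backup captures
        System.out.println("old phone unseal ok: " + Arrays.equals(dbSecret, oldPhone.unseal(sealedInAppData)));
        DeviceKeystore newPhone = new DeviceKeystore();      // the old key was not in the backup
        try {
            newPhone.unseal(sealedInAppData);
            System.out.println("unexpected: unseal succeeded");
        } catch (AEADBadTagException e) {
            System.out.println("new phone: sealed secret unrecoverable"); // handled, not a crash
        }
    }
}
```

Catching `AEADBadTagException` at the unseal step lets an app tell the user the restored data is unusable on this device instead of dying at startup as in the logcat above.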

mid-kid commented 5 months ago

That's annoying, nothing I dislike more than software refusing to do its job for "security reasons". Now I've lost all my messages... Is there any app that would allow backing up keystore data? I'm reading that it can't be retrieved from the device (as it's hardware backed), but could there be something to decrypt relevant data?

machiav3lli commented 5 months ago

It's not like NB can back up KeyStore at all. As it stands for now, there's no app able to back up/restore any keys of KeyStore, which means it's doing its job well, although it's unfortunate for functionality of backup apps (be aware that we already mentioned this in the FAQ with e.g. Signal, which Session is based on, as an example).

mid-kid commented 5 months ago

I see, I hadn't seen the note in the FAQ. Thanks for pointing that out. I wonder, do you maybe know of any way to force a ROM to use a software keystore, so I can back that up in the future?

mid-kid commented 5 months ago

Anyway, thanks for answering my question! Sorry if I was a bit rude.

machiav3lli commented 5 months ago

@mid-kid nah, no issue, we all may be frustrated at such a situation.

There's no one I know of invested in such a hack, for once this would require writing your own accessible provider that hijacks the remote calls, which means AOSP itself should be patched to provide such, plus, the privacy-oriented devs would invest their time in the contrary measures, keeping such data even more secure rather than hacking it.

mid-kid commented 5 months ago

I don't really think this does much for privacy, but yeah it's definitely a "security thing"... At least Signal provides an alternative backup mechanism, which decrypts and re-encrypts all the data... Just wish that could be done for everything. I might look into it once I have the time. Surely there must be something for phones that don't have a hardware keystore?

mid-kid commented 5 months ago

https://developer.android.com/reference/android/security/keystore/KeyInfo#getSecurityLevel()

Yeah there's definitely a software-backed store already.

I'll stop bothering you now, thanks again.