When disabling the passphrase cache auto-clear setting, the cache needs to be cleared once in order to prevent a malicious user (someone knowing the screen-lock PIN but not knowing the correct passphrase) from bypassing the auto-clearing by waking up/unlocking the device and then disabling the auto-clear option in the settings.

However, clearing `EncryptedSharedPreferences` requires authentication, otherwise the app crashes. Currently, a crash can be provoked as follows:
1. Open APS and make sure that passphrase caching and the auto-clear option are both enabled.
2. Decrypt some entry in the store with the correct passphrase.
3. Switch off the screen.
4. Unlock the device again and keep it awake for a minute or two by doing something in another app, e.g. browsing the internet.
5. Switch to APS, go directly to the PGP settings screen and disable the auto-clear option.
6. APS crashes and immediately reloads automatically.
APS crashes because the user authentication has expired in the meantime and clearing the passphrase from `EncryptedSharedPreferences` is attempted anyway.

After the crash, the auto-clear option is disabled but the passphrase is still present in the cache. From then on, the bad user is given access to any store entry just by entering the correct screen-lock PIN, without also having to enter the PGP passphrase. In this way, that user has successfully bypassed and disabled the cache auto-clearing.
This PR:

- restores `BiometricAuthenticator` before clearing the passphrase from `EncryptedSharedPreferences`. This prevents the app from crashing.
- forces the auto-clear option to stay enabled in the case of failed authentication (e.g. caused by dismissing the authentication dialog). This prevents the attempt to bypass cache auto-clearing.
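The fail-closed behaviour of the fix, as an added illustration that is not the project's code: `Authenticator` and `PassphraseCache` are hypothetical stand-ins for `BiometricAuthenticator` and the `EncryptedSharedPreferences`-backed cache, and the two fake authenticators in `main` are constructed to exercise the dismissed and the authenticated case.

```kotlin
// Added illustration, not the project's code: models the fail-closed toggle.
// `Authenticator` and `PassphraseCache` are hypothetical stand-ins for the
// BiometricAuthenticator and EncryptedSharedPreferences-backed cache above.
interface Authenticator {
    // Calls [onResult] with true on successful authentication, false when
    // the dialog was dismissed or authentication failed.
    fun authenticate(onResult: (Boolean) -> Unit)
}

class PassphraseCache(var passphrase: String? = null) {
    fun clear() { passphrase = null }
}

class AutoClearSetting(private val cache: PassphraseCache,
                       private val authenticator: Authenticator) {
    // Persisted value of the auto-clear option; enabled by default.
    var autoClearEnabled: Boolean = true
        private set

    // Called when the user flips the toggle; returns the value the toggle
    // must show afterwards so a refused change is visible in the UI.
    fun onToggled(wantEnabled: Boolean): Boolean {
        if (wantEnabled) { autoClearEnabled = true; return true }
        // Disabling needs a fresh authentication *before* the encrypted cache
        // is touched; the unpatched code cleared it with expired auth and crashed.
        authenticator.authenticate { ok ->
            if (ok) {
                cache.clear()             // wipe the passphrase cached so far
                autoClearEnabled = false
            } else {
                autoClearEnabled = true   // fail closed: option stays enabled
            }
        }
        // The fakes below answer synchronously; a real prompt is asynchronous,
        // so the UI would instead be updated from inside the callback.
        return autoClearEnabled
    }
}

fun main() {
    val cache = PassphraseCache("correct horse")   // constructed cached passphrase
    val dismissed = AutoClearSetting(cache, object : Authenticator {
        override fun authenticate(onResult: (Boolean) -> Unit) = onResult(false)
    })
    check(dismissed.onToggled(false) && cache.passphrase != null) // still protected
    val verified = AutoClearSetting(cache, object : Authenticator {
        override fun authenticate(onResult: (Boolean) -> Unit) = onResult(true)
    })
    check(!verified.onToggled(false) && cache.passphrase == null)  // wiped, disabled
}
```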