wangjin / seek-for-android

Automatically exported from code.google.com/p/seek-for-android
0 stars 0 forks source link

Connection Refused !! #52

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What's the problem?
When we attempt to call the smartcard api from an android service in a remote 
process, the openLogicalChannel throw a SecurityException with a "Connection 
refused !!!" message.
When the service is in the same process as the application, it works !

What steps will reproduce the problem?
Create a service and define as remote process in Manifest,
then try to open a channel

What is the expected output? What do you see instead?
The channel should be open.

What version of the product are you using? On what operating system?
2.3.2, android 4.0.3

Original issue reported on code.google.com by march...@gmail.com on 7 Mar 2013 at 5:55

GoogleCodeExporter commented 9 years ago
Can you post part of your code?  An Android service should be able to call 
Smartcard service without any problem.   You might need to make sure you have 
right permission set in the manifest file of your service.

Original comment by danny.w....@gmail.com on 28 Mar 2013 at 2:02

GoogleCodeExporter commented 9 years ago
More information needed to understand the issue

Original comment by Daniel.A...@gi-de.com on 15 Apr 2013 at 3:43

GoogleCodeExporter commented 9 years ago
We also found the same problem On Galaxy S3.

Original comment by batori.g...@gmail.com on 29 May 2013 at 11:49

GoogleCodeExporter commented 9 years ago
I found the workaround for that bug:

Problem.
1. Application uses a Service to connect to the SE, this Service use SEService 
to connect.
2. Your application's package for example "hu.any.seek.test.PROD"

Ok:
3a. If run the application everything works fine, because the Process name of 
the Application and it's Service is the same ("hu.any.seek.test.PROD")
Result: WORKS!

Wrong:
3b. Change the Service process name in the manifest to ex. 
"hu.any.seek.test.PROD:TestService".
Result: Security Exception: Connection refused!!!

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="hu.any.seek.test.PROD"
    android:versionCode="1"
    android:versionName="1.0.0" >

    <uses-permission android:name="org.simalliance.openmobileapi.SMARTCARD" />

    <application                            <!-- process name will be: hu.any.seek.test.PROD (default) -->
        android:debuggable="true"   
        android:icon="@drawable/test_icon_72x72" 
        android:label="@string/app_name">

    <service
            android:name="hu.any.seek.test.TestService"   <!-- process name will be: hu.any.seek.test.PROD (default) -->
            android:enabled="true"
            android:exported="false">
        </service>

    </application>
</manifest> 

The TestService and the Application RUN ON THE SAME process.
TestService's process will be: hu.any.seek.test.PROD (default)
Application's process will be: hu.any.seek.test.PROD (default)
Result: Works.

Set the Service run in another process than the application:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="hu.any.seek.test.PROD"
    android:versionCode="1"
    android:versionName="1.0.0" >
    <uses-permission android:name="org.simalliance.openmobileapi.SMARTCARD" />
    <application                                <!-- process name will be: hu.any.seek.test.PROD (default) -->
        android:debuggable="true" 
        android:icon="@drawable/test_icon_72x72" 
        android:label="@string/app_name">

    <service
            android:process=":TestService"                 <!-- process name will be: hu.any.seek.test.PROD:TestService -->
            android:name="hu.any.seek.test.TestService"
            android:enabled="true"
            android:exported="false">
        </service>

    </application>
</manifest>

The TestService and the Application RUN ON DIFFERENT processes. 
TestService's process will be: hu.any.seek.test.PROD:TestService
Application's process will be: hu.any.seek.test.PROD (default)
Result: SecurityException: "Connection refused !!!"
Notice: THIS STILL WORKS FINE ON SONY Xperia phones (Xperia S, P, T and Z)! 
Only detect this bug only on S3!.

Look deeper into the Seek's source I noticed, that the problem is the following:

The seek's security modell checks that the current process has a right to use 
the SE. 
Method: get Process ID -> get Process Name -> get Application Package from it-> 
get application signature keys to check the access to PKCS#15.

The problem is that in S3 implementation the "Package name" and "Process name" 
means the same, but it's NOT true! So, in this case the Seek look for the 
application which has the package:"hu.any.seek.test.PROD:TestService" but of 
course NOT found! The process name and the application name not the same, but 
in S3 the programmers made a little mistake about it?!?!

Logically, the workaround is the following and simple:
Use the application package name as process name and use different name for the 
rest of your application.
In example, the solution for the above exmaples is:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="hu.any.seek.test.PROD"
    android:versionCode="1"
    android:versionName="1.0.0" >
    <uses-permission android:name="org.simalliance.openmobileapi.SMARTCARD" />
    <application 
        android:process="hu.any.seek.test.PRODAPP"                          <!-- process name will be: hu.any.seek.test.PRODAPP -->
        android:debuggable="true" 
        android:icon="@drawable/test_icon_72x72" 
        android:label="@string/app_name">

    <service
            android:process="hu.any.seek.test.PROD"                         <!-- process name will be: hu.any.seek.test.PROD-->
            android:name="hu.any.seek.test.TestService"
            android:enabled="true"
            android:exported="false">
        </service>

    </application>
</manifest>

The TestService and the Application RUN ON DIFFERENT processes. 
TestService's process will be: hu.any.seek.test.PRODAPP
Application's process will be: hu.any.seek.test.PROD (same as the default but 
MUST be defined!)
Result: Everything is works fine!!!!

The service and the application now run on DIFFERENT process, and the SE access 
control check will be success, because the Service's process name same as the 
Application Name so the seek found the valid certificate by it's name. 

In summary: The security check for the process use the process's name to detect 
which application call the SmartcardService, but the process's name not the 
application name (It's another that very easy to be able to find it.)

Original comment by batori.g...@gmail.com on 29 May 2013 at 12:35

GoogleCodeExporter commented 9 years ago
SO~ how can we do?

Original comment by natsu0...@gmail.com on 2 Jul 2013 at 3:19

GoogleCodeExporter commented 9 years ago
"Connection refused !!!" is a message that does not come from code that is 
hosted on SEEK. That means that the error is caused by a 3rd party module hence 
support on SEEK might/will not work.

Original comment by Daniel.A...@gi-de.com on 5 Jul 2013 at 1:54

GoogleCodeExporter commented 9 years ago
not SEEK specific

Original comment by marc.obr...@gi-de.com on 19 Mar 2014 at 4:26