WebView crashes when used in a system app that sets defaultToDeviceProtectedStorage=true
Issue description

WebView intentionally crashes when used with a device-protected storage context, to avoid developer confusion and leakage of data to a lower-than-intended privilege level. However, there's a manifest flag for system apps which allows them to use device-protected storage by default instead of the usual credential-protected. This means that the application context for these apps is device-protected, and we crash when setting up the app context, even if the app developer passed a credential-protected context as the actual context to use.

We don't want to relax the restriction on not using WebView with device-protected storage, but system app developers want to be able to use this flag and still use WebView in their app.

The most plausible way to avoid this issue is to check if the application context is device-protected during startup (before passing it to the context wrapping code that does the existing check). If it is, check if the credential-protected storage is available (i.e. if the device has already been unlocked since boot), and if so, just explicitly switch that context to credential-protected storage before using it; there is a @SystemApi method for this on Context. This won't have any impact on normal apps, whose application contexts are always credential-protected.

This potentially leaves some confusing cases for the developer of these apps, but means they aren't entirely unable to use WebView, and doesn't change anything for normal third party app developers, so I think it's fairly reasonable.
Sep 12 2016
Yeah. It's the mirror of the public createDeviceProtectedStorageContext - it's not in the public API purely because non-system apps can't set the default to device in the first place and so have no reason to convert a device context back to a credential one.
Sep 12 2016
Oh, this was b/31052660 internally (raised by a partner), fyi.
Sep 12 2016
How does one "check if the credential-protected storage is available"? In case you already know, that is.
Sep 12 2016
Not sure. May not be necessary: it's definitely possible (likely?) that calling createCredentialProtectedStorageContext throws an exception if it's not, which we can just rethrow with a more explicit message. That will be somewhat annoying to test, though, as it'll involve having an app actually try to init WebView in pre-credential-decryption state, which probably means reading the direct boot app developer docs :)
Sep 12 2016
Sep 13 2016
Nate, please take a look at this one. This bug requires a little bit of background and investigation. The first thing is to verify if what Torne mentioned in #5 is correct, i.e. does createCredentialProtectedStorageContext throw an exception when an app is created using device encrypted context. Hopefully it does, otherwise not sure.

As for background, please take a look at https://source.android.com/security/encryption/index.html

The API that Bo pointed out is this:

@SystemApi public abstract Context createCredentialProtectedStorageContext();

And this is where we are doing the check at present:
https://cs.chromium.org/chromium/src/android_webview/glue/java/src/com/android/webview/chromium/WebViewChromiumFactoryProvider.java?q=isdeviceprote+file:%5Esrc/android_webview/&sq=package:chromium&l=256
Sep 13 2016
Really assigning to Nate :) Please see my comment at #11.
Sep 13 2016
The createCredentialProtectedStorageContext() API is part of the Context class. Do a search in the internal codebase.
Sep 23 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/18dad59572f1ed74069538bde20f25a4a8b3e586

commit 18dad59572f1ed74069538bde20f25a4a8b3e586
Author: ntfschr <ntfschr@chromium.org>
Date: Fri Sep 23 21:08:14 2016

Android webview tries to switch to CE context

If Webview is started in an application using defaultToDeviceProtectedStorage="true", it will first try to switch to a CE context. If it's unable to switch contexts, it throws an exception.

BUG= 645921

Review-Url: https://codereview.chromium.org/2339343002
Cr-Commit-Position: refs/heads/master@{#420730}

[modify] https://crrev.com/18dad59572f1ed74069538bde20f25a4a8b3e586/android_webview/glue/java/src/com/android/webview/chromium/WebViewChromiumFactoryProvider.java
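The startup check discussed in this thread, as an added Java example that is not the code from the Chromium commit. The class and method names (CredentialContextResolver, resolve) are hypothetical, and using UserManager.isUserUnlocked() as the "credential-protected storage is available" test is an assumption, since the thread leaves that check open.

```java
import android.content.Context;
import android.os.UserManager;

/** Added illustration; hypothetical helper, not Chromium's implementation. */
final class CredentialContextResolver {
    private CredentialContextResolver() {}

    /**
     * Returns a context backed by credential-protected (CE) storage, or throws
     * if only device-protected (DE) storage can be used right now.
     */
    static Context resolve(Context appContext) {
        // Normal apps: the application context is already credential-protected.
        if (!appContext.isDeviceProtectedStorage()) {
            return appContext;
        }

        // Assumption: the user-unlocked state stands in for "CE storage is
        // available", i.e. the device has been unlocked since boot.
        UserManager um = appContext.getSystemService(UserManager.class);
        if (um == null || !um.isUserUnlocked()) {
            throw new IllegalStateException(
                    "WebView needs credential-protected storage, which is not "
                    + "available until the user has unlocked the device");
        }

        // @SystemApi: only callable by code built against the system API surface.
        Context ceContext = appContext.createCredentialProtectedStorageContext();

        // Fail closed if the switch did not take effect, so that no WebView
        // data ends up in device-protected storage.
        if (ceContext.isDeviceProtectedStorage()) {
            throw new IllegalStateException(
                    "Could not switch to credential-protected storage");
        }
        return ceContext;
    }
}
```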
Sep 23 2016
Sep 29 2016
Verified on Nexus 5X NME90B on 55.0.2875.3 build by loading test apk in b/31052660 and not observing crash.
Sep 29 2016
Comment 1 by boliu@chromium.org, Sep 12 2016