Android 8 (Oreo) - User can access SamsungPass after tapping in the editor
Reported by
vijay.ka...@pearson.com,
Nov 16
|
||||||
Issue descriptionSteps to reproduce the problem: 1. Download Pearson's TestNav app from the store on Android Oreo 8 2. Enable the "SamsungPass" functionality 2. Connect the external keyboard 3. hold keys "ctrl shift 1" until red bar flashes 4. Scroll down and select "Test812" option (located at the left side of the screen) 5. Enter the below user id/pwd user id: epat pwd: b 6. Start the test and navigate to first question 7. Tap into any text editor and type something => Pop up showing Samsung pass shows up.Open the settings button in it. User is taken to settings of the device. 8. Select Google> Google Account (Info,security, & personalization). 9. Choose personal info tab> Chose what others see> Select google apps>Choose Google search => User is directed to Google Search engine where a student can easily search and even copy the text. Note: No error is thrown when returned back to the test. What is the expected behavior? User should not be able to access anything when inside a secured test even when the samsungpass functionality turned on. What went wrong? This breaks the security. User can access google search from the secured test. Did this work before? N/A Chrome version: Channel: n/a OS Version: Android 8 Oreo Flash Version:
,
Nov 19
,
Nov 19
How is this a chromium bug? This appears to be an issue with Android no?
,
Nov 25
Hello, We raised this bug with Android and they rejected it stating that "this is related to the webview issue, which is chrome"
,
Nov 25
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 26
,
Nov 29
Previously filed as https://issuetracker.google.com/issues/119385920. I can't find the statement on that ticket indicating this is a WebView issue. It seems your application needs a way to restrict which other apps can run; this is outside of the scope of WebView team.
,
Jan 4
Hi, this needs to be re-opened. The app is running in kiosk mode using lock task mode - https://developer.android.com/work/dpc/dedicated-devices/lock-task-mode?
,
Jan 4
I don't see any reason to believe this is a WebView issue. The "SamsungPass" feature is being invoked from the keyboard app, which is outside of webview's control, and I suspect that the exact same thing would be possible if the locked task was using a regular TextView. Either the platform itself needs to be preventing the keyboard from launching Settings, or the keyboard app needs to not offer the choice to go into Settings when the foreground task is locked (you'd have to talk to the android team about whether the platform or the keyboard is expected to handle this). Unless you can demonstrate that TextView behaves differently in the same context and the problem is unique to WebView, then there's nothing we can reasonably do here. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by vijay.ka...@pearson.com
, Nov 1613.4 MB
13.4 MB View Download