[Stylus Handwriting] Add checking direct writing pkg fingerprint

Store a Token of direct writing service package name and verify it when service connection is established before proceeding to send further messages to the service. This is to prevent any attacker from spoofing the package name and tricking Chrome into connecting to it. Bug: 1300551 Change-Id: If98588b479a46bbd882a2001cbb6ef8185494b82 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3755022 Commit-Queue: Peter Conn <peconn@chromium.org> Reviewed-by: Peter Conn <peconn@chromium.org> Cr-Commit-Position: refs/heads/main@{#1026212}
marcosholgado · Jul 20, 2022 · 726599c · 726599c
1 parent 136a29e
commit 726599c
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/...g/android/java/src/org/chromium/components/stylus_handwriting/DirectWritingConstants.java b/...g/android/java/src/org/chromium/components/stylus_handwriting/DirectWritingConstants.java
@@ -15,6 +15,11 @@ private DirectWritingConstants() {}
     static final String SERVICE_CLS_NAME =
             "com.samsung.android.directwriting.service.DirectWritingService";
 
+    // The fingerprint of valid Samsung Direct Writing service package.
+    static final String SERVICE_PKG_SHA_256_FINGERPRINT =
+            "C8:A2:E9:BC:CF:59:7C:2F:B6:DC:66:BE:E2:93:FC:13"
+            + ":F2:FC:47:EC:77:BC:6B:2B:0D:52:C1:1F:51:19:2A:B8";
+
     /**
      * Set text and selection from service callback
      */

diff --git a/...droid/java/src/org/chromium/components/stylus_handwriting/DirectWritingServiceBinder.java b/...droid/java/src/org/chromium/components/stylus_handwriting/DirectWritingServiceBinder.java
@@ -20,6 +20,9 @@
 import android.widget.directwriting.IDirectWritingService;
 
 import org.chromium.base.Log;
+import org.chromium.base.PackageUtils;
+
+import java.util.List;
 
 /**
  * Direct writing Service connection handler class. Takes care of calling DW Service APIs for
@@ -92,10 +95,20 @@ private void requestBindService(Context context, DirectWritingTriggerCallback tr
             Log.d(TAG, "bindService already requested");
             return;
         }
+
+        // Verify that connecting service package fingerprint matches with expected fingerprint of
+        // Direct Writing service package. This is to prevent any attacker from spoofing the package
+        // name and tricking Chrome into connecting to it.
+        List<String> fingerprints = PackageUtils.getCertificateSHA256FingerprintForPackage(
+                context.getPackageManager(), DirectWritingConstants.SERVICE_PKG_NAME);
+        if (fingerprints == null || fingerprints.size() > 1
+                || !fingerprints.get(0).equals(
+                        DirectWritingConstants.SERVICE_PKG_SHA_256_FINGERPRINT)) {
+            Log.e(TAG, "Don't connect to service due to package fingerprint mismatch");
+            return;
+        }
         try {
             Intent intent = new Intent();
-            // TODO(mahesh.ma): Check the signature of Direct writing service so that a non-Samsung
-            // device cannot trick us into connecting to it.
             intent.setComponent(new ComponentName(DirectWritingConstants.SERVICE_PKG_NAME,
                     DirectWritingConstants.SERVICE_CLS_NAME));
             context.bindService(intent, mConnection, BIND_AUTO_CREATE);