Skip to content
Commit 90433d3f authored by Curtis Belmonte's avatar Curtis Belmonte
Browse files

DO NOT MERGE Check fingerprint client against top activity in auth callback

Due to a race condition with activity task stack broadcasts, it's
currently possible for fingerprint authentication to succeed for a
non-top activity. This means, for example, that a malicious overlay
could be drawn in order to mislead the user about what they are
authenticating for.

This commit addresses the issue by adding a check to the biometric
authentication client interface that ensures the authenticating
activity is on top at the time of authentication. Otherwise, the
pending authentication will fail, as if an incorrect biometric had
been presented.

Test: Follow steps from b/159249069:
1. Install com.pro100svitlo.fingerprintauthdemo from the Play store.
2. Install the PoC attack app from b/159249069.
3. Start the PoC attack app and press the "Launch PoC attack" button.
4. Use fingerprint to authenticate while the overlay is showing.

Before: Authentication succeeds, and a new activity is launched.
After: Authentication fails, and no new activity is launched.

Bug: 159249069
Change-Id: I3a810cd7e6b97333f648c978e44242662342ec57
Merged-In: I289d67e5c7055ed60f7a96725c523d07cd047b23
parent 9893f166
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment