Default to not allowing cleartext traffic for ephemeral apps (b8feba10) · Commits · e / os / android_frameworks_base

core/java/android/security/net/config/ManifestConfigSource.java

+13 −5

Original line number	Original line	Diff line number	Diff line
	@@ -32,6 +32,7 @@ public class ManifestConfigSource implements ConfigSource {
	private final int mApplicationInfoFlags;		private final int mApplicationInfoFlags;
	private final int mTargetSdkVersion;		private final int mTargetSdkVersion;
	private final int mConfigResourceId;		private final int mConfigResourceId;
			private final boolean mEphemeralApp;

	private ConfigSource mConfigSource;		private ConfigSource mConfigSource;

	@@ -42,6 +43,7 @@ public class ManifestConfigSource implements ConfigSource {
	mApplicationInfoFlags = info.flags;		mApplicationInfoFlags = info.flags;
	mTargetSdkVersion = info.targetSdkVersion;		mTargetSdkVersion = info.targetSdkVersion;
	mConfigResourceId = info.networkSecurityConfigRes;		mConfigResourceId = info.networkSecurityConfigRes;
			mEphemeralApp = info.isEphemeralApp();
	}		}

	@Override		@Override
	@@ -69,14 +71,18 @@ public class ManifestConfigSource implements ConfigSource {
	+ " debugBuild: " + debugBuild);		+ " debugBuild: " + debugBuild);
	}		}
	source = new XmlConfigSource(mContext, mConfigResourceId, debugBuild,		source = new XmlConfigSource(mContext, mConfigResourceId, debugBuild,
	mTargetSdkVersion);		mTargetSdkVersion, mEphemeralApp);
	} else {		} else {
	if (DBG) {		if (DBG) {
	Log.d(LOG_TAG, "No Network Security Config specified, using platform default");		Log.d(LOG_TAG, "No Network Security Config specified, using platform default");
	}		}
			// the legacy FLAG_USES_CLEARTEXT_TRAFFIC is not supported for Ephemeral apps, they
			// should use the network security config.
	boolean usesCleartextTraffic =		boolean usesCleartextTraffic =
	(mApplicationInfoFlags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0;		(mApplicationInfoFlags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0
	source = new DefaultConfigSource(usesCleartextTraffic, mTargetSdkVersion);		&& !mEphemeralApp;
			source = new DefaultConfigSource(usesCleartextTraffic, mTargetSdkVersion,
			mEphemeralApp);
	}		}
	mConfigSource = source;		mConfigSource = source;
	return mConfigSource;		return mConfigSource;
	@@ -87,8 +93,10 @@ public class ManifestConfigSource implements ConfigSource {

	private final NetworkSecurityConfig mDefaultConfig;		private final NetworkSecurityConfig mDefaultConfig;

	public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion) {		public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion,
	mDefaultConfig = NetworkSecurityConfig.getDefaultBuilder(targetSdkVersion)		boolean ephemeralApp) {
			mDefaultConfig = NetworkSecurityConfig.getDefaultBuilder(targetSdkVersion,
			ephemeralApp)
	.setCleartextTrafficPermitted(usesCleartextTraffic)		.setCleartextTrafficPermitted(usesCleartextTraffic)
	.build();		.build();
	}		}

core/java/android/security/net/config/NetworkSecurityConfig.java

+4 −3

Original line number	Original line	Diff line number	Diff line
	@@ -164,7 +164,8 @@ public final class NetworkSecurityConfig {
	* <p>		* <p>
	* The default configuration has the following properties:		* The default configuration has the following properties:
	* <ol>		* <ol>
	* <li>Cleartext traffic is permitted.</li>		* <li>Cleartext traffic is permitted for non-ephemeral apps.</li>
			* <li>Cleartext traffic is not permitted for ephemeral apps.</li>
	* <li>HSTS is not enforced.</li>		* <li>HSTS is not enforced.</li>
	* <li>No certificate pinning is used.</li>		* <li>No certificate pinning is used.</li>
	* <li>The system certificate store is trusted for connections.</li>		* <li>The system certificate store is trusted for connections.</li>
	@@ -174,9 +175,9 @@ public final class NetworkSecurityConfig {
	*		*
	* @hide		* @hide
	*/		*/
	public static final Builder getDefaultBuilder(int targetSdkVersion) {		public static final Builder getDefaultBuilder(int targetSdkVersion, boolean ephemeralApp) {
	Builder builder = new Builder()		Builder builder = new Builder()
	.setCleartextTrafficPermitted(DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED)		.setCleartextTrafficPermitted(!ephemeralApp)
	.setHstsEnforced(DEFAULT_HSTS_ENFORCED)		.setHstsEnforced(DEFAULT_HSTS_ENFORCED)
	// System certificate store, does not bypass static pins.		// System certificate store, does not bypass static pins.
	.addCertificatesEntryRef(		.addCertificatesEntryRef(

core/java/android/security/net/config/XmlConfigSource.java

+9 −1

Original line number	Original line	Diff line number	Diff line
	@@ -37,6 +37,7 @@ public class XmlConfigSource implements ConfigSource {
	private final int mResourceId;		private final int mResourceId;
	private final boolean mDebugBuild;		private final boolean mDebugBuild;
	private final int mTargetSdkVersion;		private final int mTargetSdkVersion;
			private final boolean mEphemeralApp;

	private boolean mInitialized;		private boolean mInitialized;
	private NetworkSecurityConfig mDefaultConfig;		private NetworkSecurityConfig mDefaultConfig;
	@@ -53,12 +54,19 @@ public class XmlConfigSource implements ConfigSource {
	this(context, resourceId, debugBuild, Build.VERSION_CODES.CUR_DEVELOPMENT);		this(context, resourceId, debugBuild, Build.VERSION_CODES.CUR_DEVELOPMENT);
	}		}

			@VisibleForTesting
	public XmlConfigSource(Context context, int resourceId, boolean debugBuild,		public XmlConfigSource(Context context, int resourceId, boolean debugBuild,
	int targetSdkVersion) {		int targetSdkVersion) {
			this(context, resourceId, debugBuild, targetSdkVersion, false);
			}

			public XmlConfigSource(Context context, int resourceId, boolean debugBuild,
			int targetSdkVersion, boolean ephemeralApp) {
	mResourceId = resourceId;		mResourceId = resourceId;
	mContext = context;		mContext = context;
	mDebugBuild = debugBuild;		mDebugBuild = debugBuild;
	mTargetSdkVersion = targetSdkVersion;		mTargetSdkVersion = targetSdkVersion;
			mEphemeralApp = ephemeralApp;
	}		}

	public Set<Pair<Domain, NetworkSecurityConfig>> getPerDomainConfigs() {		public Set<Pair<Domain, NetworkSecurityConfig>> getPerDomainConfigs() {
	@@ -357,7 +365,7 @@ public class XmlConfigSource implements ConfigSource {
	// Use the platform default as the parent of the base config for any values not provided		// Use the platform default as the parent of the base config for any values not provided
	// there. If there is no base config use the platform default.		// there. If there is no base config use the platform default.
	NetworkSecurityConfig.Builder platformDefaultBuilder =		NetworkSecurityConfig.Builder platformDefaultBuilder =
	NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion);		NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion, mEphemeralApp);
	addDebugAnchorsIfNeeded(debugConfigBuilder, platformDefaultBuilder);		addDebugAnchorsIfNeeded(debugConfigBuilder, platformDefaultBuilder);
	if (baseConfigBuilder != null) {		if (baseConfigBuilder != null) {
	baseConfigBuilder.setParent(platformDefaultBuilder);		baseConfigBuilder.setParent(platformDefaultBuilder);

tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java

+3 −3

Original line number	Original line	Diff line number	Diff line
	@@ -227,7 +227,7 @@ public class NetworkSecurityConfigTests extends ActivityUnitTestCase<Activity> {
	public void testConfigBuilderUsesParents() throws Exception {		public void testConfigBuilderUsesParents() throws Exception {
	// Check that a builder with a parent uses the parent's values when non is set.		// Check that a builder with a parent uses the parent's values when non is set.
	NetworkSecurityConfig config = new NetworkSecurityConfig.Builder()		NetworkSecurityConfig config = new NetworkSecurityConfig.Builder()
	.setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N))		.setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false))
	.build();		.build();
	assert(!config.getTrustAnchors().isEmpty());		assert(!config.getTrustAnchors().isEmpty());
	}		}
	@@ -268,9 +268,9 @@ public class NetworkSecurityConfigTests extends ActivityUnitTestCase<Activity> {
	// Install the test CA.		// Install the test CA.
	store.installCertificate(TEST_CA_CERT);		store.installCertificate(TEST_CA_CERT);
	NetworkSecurityConfig preNConfig =		NetworkSecurityConfig preNConfig =
	NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M).build();		NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M, false).build();
	NetworkSecurityConfig nConfig =		NetworkSecurityConfig nConfig =
	NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N).build();		NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false).build();
	Set<TrustAnchor> preNAnchors = preNConfig.getTrustAnchors();		Set<TrustAnchor> preNAnchors = preNConfig.getTrustAnchors();
	Set<TrustAnchor> nAnchors = nConfig.getTrustAnchors();		Set<TrustAnchor> nAnchors = nConfig.getTrustAnchors();
	Set<X509Certificate> preNCerts = new HashSet<X509Certificate>();		Set<X509Certificate> preNCerts = new HashSet<X509Certificate>();