From 5b19e54e8ad9d2c707ecc29ca78e3cc173dbb366 Mon Sep 17 00:00:00 2001 
From: Tyler Gunn Date: Tue, 22 Apr 2025 22:01:54 +0000 Subject: [PATCH 1/2] Remove get/set of voicemail ringtone uri in shared preferences. Prior to Android P, TelephonyManager#setVoicemailRingtoneUri was used by the dialer app to set the voicemail notification sound played when the platform got a new voicemail notification. Likewise, getVoicemailRingtoneUri was used to retrieve the set value. Prior to P this was just saved in the shared prefs, but after P a migration was done to move the shared preference to the NotificationChannel#getSound for the voicemail notification. If, however, you called `setVoicemailRingtoneUri` it was still possible to change the shared preference and have that migrated to be set on the notification channel, causing a cross-profile exploit. In the current world, the notifications for voicemail are NOT posted in Telephony any more, and are instead associated with the notification channel for voicemail IN the dialer app. On the off chance a dialer does not show the voicemail notification, Telephony can post it as well, but at this point the related sound is expected to be associated with the notification channel. To mitigate this cross-profile vulnerability: 1. Ensure TelephonyManager#setVoicemailRingtoneUri does not save to shared preferences any more. 2. Ensure the TelephonyManager#getVoicemailRingtoneUri ONLY queries from the notification channel, and not from the shared preferences since that is not used. This ensures we can never return a bad URI set via the setter. 3. Remove the code in migrateVoicemailNotificationSettings which will take the shared preference and migrate it over to the channel; this is not needed as realistically ANY device from P would have updated LONG ago and had its notification setting migrated to the channel anyways. Test: Change the default voicemail notification channel sound on "phone services"; verify that Dialer can still get this value.
Test: Changed the voicemail notification channel in the dialer app so that it has a different value; verify that voicemail notifications use the correct sound. Flag: EXEMPT security patch. Bug: 325030433 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8e47af093625b997ffb8ca0379a4a56c02ddeb20) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5057ee3badc307777a961daafe94471ffcaf577e) Merged-In: I7252c692eb2a5ff4b4fcbddba77425cb423539f3 Change-Id: I7252c692eb2a5ff4b4fcbddba77425cb423539f3 --- .../util/NotificationChannelController.java | 6 ----- .../VoicemailNotificationSettingsUtil.java | 22 ++++--------------- 2 files changed, 4 insertions(+), 24 deletions(-)
diff --git a/src/java/com/android/internal/telephony/util/NotificationChannelController.java b/src/java/com/android/internal/telephony/util/NotificationChannelController.java
index de1ddd3026..ac6a385fa4 100644
--- a/src/java/com/android/internal/telephony/util/NotificationChannelController.java
+++ b/src/java/com/android/internal/telephony/util/NotificationChannelController.java
@@ -23,7 +23,6 @@ import android.content.Context;
 import android.content.Intent;
 import android.content.IntentFilter;
 import android.media.AudioAttributes;
-import android.net.Uri;
 import android.provider.Settings;
 import android.telephony.SubscriptionManager;
@@ -138,7 +137,6 @@ public class NotificationChannelController {
 /**
 * migrate deprecated voicemail notification settings to initial notification channel settings
- * {@link VoicemailNotificationSettingsUtil#getRingTonePreference(Context)}}
 * {@link VoicemailNotificationSettingsUtil#getVibrationPreference(Context)}
 * notification settings are based on subId, only migrate if sub id matches.
 * otherwise fallback to predefined voicemail channel settings.
@@ -151,10 +149,6 @@ public class NotificationChannelController {
 NotificationManager.IMPORTANCE_DEFAULT);
 voiceMailChannel.enableVibration(
 VoicemailNotificationSettingsUtil.getVibrationPreference(context));
- Uri sound = VoicemailNotificationSettingsUtil.getRingTonePreference(context);
- voiceMailChannel.setSound(
- (sound == null) ? Settings.System.DEFAULT_NOTIFICATION_URI : sound,
- new AudioAttributes.Builder().setUsage(AudioAttributes.USAGE_NOTIFICATION).build());
 context.getSystemService(NotificationManager.class)
 .createNotificationChannel(voiceMailChannel);
 }
diff --git a/src/java/com/android/internal/telephony/util/VoicemailNotificationSettingsUtil.java b/src/java/com/android/internal/telephony/util/VoicemailNotificationSettingsUtil.java
index d8988e3230..3dd3d375c9 100644
--- a/src/java/com/android/internal/telephony/util/VoicemailNotificationSettingsUtil.java
+++ b/src/java/com/android/internal/telephony/util/VoicemailNotificationSettingsUtil.java
@@ -21,10 +21,8 @@ import android.content.Context;
 import android.content.SharedPreferences;
 import android.net.Uri;
 import android.preference.PreferenceManager;
-import android.provider.Settings;
 import android.telephony.SubscriptionManager;
 import android.telephony.TelephonyManager;
-import android.text.TextUtils;
 public class VoicemailNotificationSettingsUtil {
 private static final String VOICEMAIL_NOTIFICATION_RINGTONE_SHARED_PREFS_KEY_PREFIX =
@@ -64,27 +62,15 @@ public class VoicemailNotificationSettingsUtil {
 }
 public static void setRingtoneUri(Context context, Uri ringtoneUri) {
- SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
- String ringtoneUriStr = ringtoneUri != null ? ringtoneUri.toString() : "";
-
- SharedPreferences.Editor editor = prefs.edit();
- editor.putString(getVoicemailRingtoneSharedPrefsKey(), ringtoneUriStr);
- editor.commit();
+ // Do nothing; we don't use the shared preference any more.
 }
 public static Uri getRingtoneUri(Context context) {
 final NotificationChannel channel = NotificationChannelController.getChannel(
 NotificationChannelController.CHANNEL_ID_VOICE_MAIL, context);
- return (channel != null) ? channel.getSound() : getRingTonePreference(context);
- }
-
- public static Uri getRingTonePreference(Context context) {
- SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
- migrateVoicemailRingtoneSettingsIfNeeded(context, prefs);
- String uriString = prefs.getString(
- getVoicemailRingtoneSharedPrefsKey(),
- Settings.System.DEFAULT_NOTIFICATION_URI.toString());
- return !TextUtils.isEmpty(uriString) ? Uri.parse(uriString) : null;
+ // Note: NEVER look at the shared preferences; this was migrated to the notification channel
+ // in Android P.
+ return (channel != null) ? channel.getSound() : null;
 }
 /**
-- GitLab From 077e86b3ab5a1c3c34365b23147cda4d01a8d342 Mon Sep 17 00:00:00 2001
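Review bot: `getRingtoneUri` (last hunk of VoicemailNotificationSettingsUtil.java) now returns `null` whenever the voicemail channel is missing, where the removed fallback returned the stored preference or `Settings.System.DEFAULT_NOTIFICATION_URI`, and nothing in the hunk tells callers about that change. A Javadoc line such as `@return the voicemail channel's sound, or null if the channel does not exist or has no sound` would make the contract explicit, and callers outside this hunk should be checked for null handling. `setRingtoneUri` is now a silent no-op, so it deserves a one-line Javadoc saying the argument is ignored and why. The patch closes the write path only: a value that was already migrated onto the channel is still returned unchanged by `channel.getSound()`, and the old preference string stays on disk, so it is worth confirming whether either needs to be validated or cleared.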
From: arunvoddu Date: Tue, 1 Jul 2025 16:48:48 +0000 Subject: [PATCH 2/2] [Telephony][Security Fix] Launch Browser only if device is unlocked. Ignore the launch browser proactive cmd from modem to STK if the device screen is locked. Bug: 404254549 Flag: EXEMPT Bugfix. Test: Verified manually with TestApk (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dcf5c112a93dc8fcc67d65434707e205fd79cee2) Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:caba6e5e5adf45c1ff85fb2fe4765a4118df3563 Merged-In: I9f651c7f1c5674df5774f5a7609f6d3749b5c50c Change-Id: I9f651c7f1c5674df5774f5a7609f6d3749b5c50c --- .../internal/telephony/cat/CommandParamsFactory.java | 10 +++++++++- .../internal/telephony/cat/ResultException.java | 3 +-- 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/java/com/android/internal/telephony/cat/CommandParamsFactory.java b/src/java/com/android/internal/telephony/cat/CommandParamsFactory.java
index 7fbebfad8e..db0532a772 100644
--- a/src/java/com/android/internal/telephony/cat/CommandParamsFactory.java
+++ b/src/java/com/android/internal/telephony/cat/CommandParamsFactory.java
@@ -22,6 +22,7 @@ import static com.android.internal.telephony.cat.CatCmdMessage.SetupEventListCon
 import static com.android.internal.telephony.cat.CatCmdMessage.SetupEventListConstants.LANGUAGE_SELECTION_EVENT;
 import static com.android.internal.telephony.cat.CatCmdMessage.SetupEventListConstants.USER_ACTIVITY_EVENT;
+import android.app.KeyguardManager;
 import android.compat.annotation.UnsupportedAppUsage;
 import android.content.Context;
 import android.content.res.Resources.NotFoundException;
@@ -86,6 +87,7 @@ class CommandParamsFactory extends Handler {
 private static final int MAX_GSM7_DEFAULT_CHARS = 239;
 private static final int MAX_UCS2_CHARS = 118;
+ private Context mContext;
 static synchronized CommandParamsFactory getInstance(RilMessageDecoder caller,
 IccFileHandler fh, Context context) {
 if (sInstance != null) {
@@ -99,6 +101,7 @@ class CommandParamsFactory extends Handler {
 private CommandParamsFactory(RilMessageDecoder caller, IccFileHandler fh, Context context) {
 mCaller = caller;
+ mContext = context;
 mIconLoader = IconLoader.getInstance(this, fh);
 try {
 mNoAlphaUsrCnf = context.getResources().getBoolean(
@@ -797,7 +800,12 @@ class CommandParamsFactory extends Handler {
 */
 private boolean processLaunchBrowser(CommandDetails cmdDet,
 List ctlvs) throws ResultException {
-
+ KeyguardManager keyguardManager = mContext.getSystemService(KeyguardManager.class);
+ if (keyguardManager != null && keyguardManager.isDeviceLocked()) {
+ CatLog.d(this, "The device is locked, cannot launch the Browser");
+ throw new ResultException(ResultCode.LAUNCH_BROWSER_ERROR,
+ "The device is locked, unable to process the command.");
+ }
 CatLog.d(this, "process LaunchBrowser");
 TextMessage confirmMsg = new TextMessage();
diff --git a/src/java/com/android/internal/telephony/cat/ResultException.java b/src/java/com/android/internal/telephony/cat/ResultException.java
index 0de9ffe578..a0f1406d18 100644
--- a/src/java/com/android/internal/telephony/cat/ResultException.java
+++ b/src/java/com/android/internal/telephony/cat/ResultException.java
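Review bot: The new `mContext` field (hunk at -86,6) is assigned only in the constructor as far as the visible hunks show, so it can be declared `private final Context mContext;`, with a blank line separating it from `getInstance`. `getInstance` tests `sInstance != null` before constructing, so the stored Context is presumably whichever one the first caller supplied; a short comment on the field saying so would help, because the lock check added in `processLaunchBrowser` depends on it. The rest of the class is outside the hunk, so confirm nothing else reassigns the field before adding `final`.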
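Review bot: The lock check added at the top of `processLaunchBrowser` (hunk at -797,7) fails open: when `getSystemService(KeyguardManager.class)` returns null the command is processed as if the device were unlocked. If that is intended for devices without a keyguard service, say so in a comment; otherwise the guard should read `if (keyguardManager == null || keyguardManager.isDeviceLocked()) {`. `isDeviceLocked()` is evaluated for the user that `mContext` belongs to and reports only a credential-protected lock, so on a multi-user device it may not reflect the foreground user and a swipe-only keyguard is not covered; both are worth confirming against the intended policy. The check also runs when the command is parsed, while the browser is started later by code outside this hunk, so the lock state can change in between. The method body continues past the hunk.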
@@ -34,13 +34,12 @@ public class ResultException extends CatException {
 public ResultException(ResultCode result) {
 super();
- // ETSI TS 102 223, 8.12 -- For the general results '20', '21', '26',
+ // ETSI TS 102 223, 8.12 -- For the general results '20', '21',
 // '38', '39', '3A', '3C', and '3D', it is mandatory for the terminal
 // to provide a specific cause value as additional information.
 switch (result) {
 case TERMINAL_CRNTLY_UNABLE_TO_PROCESS: // 0x20
 case NETWORK_CRNTLY_UNABLE_TO_PROCESS: // 0x21
- case LAUNCH_BROWSER_ERROR: // 0x26
 case MULTI_CARDS_CMD_ERROR: // 0x38
 case USIM_CALL_CONTROL_PERMANENT: // 0x39
 case BIP_ERROR: // 0x3a
-- GitLab
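Review bot: Dropping `LAUNCH_BROWSER_ERROR` from this switch relaxes the check for every caller of the constructor, not only the new locked-device path, and the edited comment now cites ETSI TS 102 223, 8.12 without '26' even though the comment is a statement about the standard rather than about this code. Keep the spec sentence as it was and add a separate line for the exemption, for example `// LAUNCH_BROWSER_ERROR (0x26) is deliberately not enforced here: it is thrown without a cause value when the device is locked.` If the class offers a constructor that takes the additional-information value, passing an explicit cause from `processLaunchBrowser` would keep the terminal response in line with 8.12 without weakening this guard. The statement the case labels fall through to is outside the hunk, so the effect of removing the label is inferred from the comment.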