Support for Destructive Panic Actions

PanicKit does distinguish between two kinds of panic responses: * default responses such as logging out which are non-destructive and do not require user interaction, so that the basics work without configuration * destructive responses such as deleting user data. These require some sort of authentication to make sure they are not triggered by malicious apps The second type of responses is implemented with this commit. Authentication is done by comparing the package name which is very weak. It requires the user to opt-in to destructive responses and to configure from which app to receive those (since there might be many different panic trigger apps). While possible to uninstall an app and install one with the same package name afterwards, this always triggers notifications to the user (if the attacker does not have root access). Still that is no sufficient security for Briar's requirements, so that TrustedIntents are used as well to make sure that the app sending the destructive trigger is signed by a signing key that we specified before. Currently, that is the one from the GuardianProject and from IilabEngineering who does the Amnesty International Panic App. The responsibility of checking that the panic TRIGGER is legitimate lies with the app responding to the trigger, so Briar in this case. This commit checks whether the TRIGGER comes from a trusted app before performing destructive actions, but does perform the default action even when triggered from untrusted apps. Closes #210
2026-02-13 11:19:04 +01:00 · 2016-01-07 19:50:20 -02:00
parent e603b4f60e
commit 63d87ae085
5 changed files with 330 additions and 7 deletions
--- a/briar-android/src/org/briarproject/android/panic/PanicResponderActivity.java
+++ b/briar-android/src/org/briarproject/android/panic/PanicResponderActivity.java
@@ -7,25 +7,78 @@ import android.os.Bundle;
 import android.support.v7.preference.PreferenceManager;

 import org.briarproject.android.BriarActivity;
+import org.briarproject.api.db.DatabaseConfig;
+import org.briarproject.util.FileUtils;
+import org.iilab.IilabEngineeringRSA2048Pin;

 import java.util.logging.Logger;

+import javax.inject.Inject;
+
+import info.guardianproject.GuardianProjectRSA4096;
+import info.guardianproject.panic.Panic;
+import info.guardianproject.panic.PanicResponder;
+import info.guardianproject.trustedintents.TrustedIntents;
+
 public class PanicResponderActivity extends BriarActivity {

 	private static final Logger LOG =
 			Logger.getLogger(PanicResponderActivity.class.getName());
+	@Inject private DatabaseConfig databaseConfig;

 	@Override
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);

-		SharedPreferences sharedPref = PreferenceManager
-				.getDefaultSharedPreferences(this);
+		TrustedIntents trustedIntents = TrustedIntents.get(this);
+		// Guardian Project Ripple
+		trustedIntents.addTrustedSigner(GuardianProjectRSA4096.class);
+		// Amnesty International's Panic Button, made by iilab.org
+		trustedIntents.addTrustedSigner(IilabEngineeringRSA2048Pin.class);

-		Intent intent = getIntent();
-		if (intent != null && sharedPref.getBoolean("pref_key_lock", true)) {
-			LOG.info("Signing out...");
-			signOut(true);
+		Intent intent = trustedIntents.getIntentFromTrustedSender(this);
+		if (intent != null) {
+			// received intent from trusted app
+			if (Panic.isTriggerIntent(intent)) {
+				SharedPreferences sharedPref = PreferenceManager
+						.getDefaultSharedPreferences(this);
+
+				LOG.info("Received Panic Trigger...");
+
+				if (PanicResponder.receivedTriggerFromConnectedApp(this)) {
+					LOG.info("Panic Trigger came from connected app.");
+					LOG.info("Performing destructive responses...");
+
+					// Performing destructive panic responses
+					if (sharedPref.getBoolean("pref_key_purge", false)) {
+						LOG.info("Purging all data...");
+						deleteAllData();
+					}
+					// still sign out if enabled
+					else if (sharedPref.getBoolean("pref_key_lock", true)) {
+						LOG.info("Signing out...");
+						signOut(true);
+					}
+
+					// TODO add other panic behavior such as:
+					// * send a pre-defined message to certain contacts (#212)
+					// * uninstall the app (#211)
+
+				}
+				// Performing non-destructive default panic response
+				else if (sharedPref.getBoolean("pref_key_lock", true)) {
+					LOG.info("Signing out...");
+					signOut(true);
+				}
+			}
+		}
+		// received intent from non-trusted app
+		else {
+			intent = getIntent();
+			if (intent != null && Panic.isTriggerIntent(intent)) {
+				LOG.info("Signing out...");
+				signOut(true);
+			}
 		}

 		if (Build.VERSION.SDK_INT >= 21) {
@@ -34,4 +87,23 @@ public class PanicResponderActivity extends BriarActivity {
 			finish();
 		}
 	}
+
+	private void deleteAllData() {
+		runOnDbThread(new Runnable() {
+			@Override
+			public void run() {
+				// TODO somehow delete/shred the database more thoroughly
+				FileUtils
+						.deleteFileOrDir(
+								databaseConfig.getDatabaseDirectory());
+				clearSharedPrefs();
+				PanicResponder.deleteAllAppData(PanicResponderActivity.this);
+
+				// nothing left to do after everything is deleted,
+				// so still sign out
+				LOG.info("Signing out...");
+				signOut(true);
+			}
+		});
+	}
 }