This repository has been archived by the owner on Mar 6, 2022. It is now read-only.

[PATCH] Don’t require strong auth on regular time interval #9

@ypid ypid commented Jul 10, 2019

This disables the need to provide strong authentication except when booting the device. The idea behind this is that you are no longer forced to enter your strong authentication credentials in random locations where it might be easy to snoop your strong authentication credentials allowing an adversary to boot and decrypt your device against your will.

Changing DEFAULT_STRONG_AUTH_TIMEOUT_MS is not enough. Rather, it has the opposite effect for some reason. In my tests, it caused the strong auth to be required every hour rather than a 42 d interval.

In my tests, dpm.getRequiredStrongAuthTimeout(null, userId) returned 3600000.

Also submitted to: hashbang/os#32

dan-v commented Jul 10, 2019

Thanks @ypid! This is an interesting use case that I've never really thought about. Seems like it is a bit of a mixed bag in terms of improving/reducing security, but for that specific use case it does seem useful. Other than reviewing the change I generally like to see the author confirm it works end to end with a RattlesnakeOS build, but I'm assuming you are building locally/hashbang?

ypid commented Jul 12, 2019

You are welcome.

> Seems like it is a bit of a mixed bag in terms of improving/reducing security

True. There is room for improvement.

I would prefer that strong auth be required when no successful (weak/strong) auth has been made for a configurable amount of time (say 12 hours). Because then it is likely that the device owner is not around and the device should go into lockdown. For my use case, this would make authentication even stronger without the downside of removing the interval-based need for strong auth as with the current patch. Maybe I will look into this, but I guess this would require actual development work.

> I generally like to see the author confirm it works end to end with a RattlesnakeOS build, but I'm assuming you are building locally/hashbang?

This is true, I am using the Hashbang OS build system and successfully tested this patch. In fact, I posted this message from the build with this patch ;-) . But I know RattlesnakeOS quite well as I have used the scripts locally before. The two are similar and I see no reason why the patch should not also work for RattlesnakeOS, but I have not tested it.

dan-v commented Jul 12, 2019

Sounds good! Thanks for the patch.

@dan-v dan-v merged commit 2a33fcb into RattlesnakeOS:9.0 Jul 12, 2019
ypid added a commit to ypid/platform_frameworks_base that referenced this pull request Nov 24, 2019
This disables the need to provide strong authentication except when booting the
device. The idea behind this is that you are no longer forced to enter your
strong authentication credentials in random locations where it might be easy to
snoop your strong authentication credentials allowing an adversary to boot and
decrypt your device against your will.

Changing DEFAULT_STRONG_AUTH_TIMEOUT_MS is not enough. Rather, it has the
opposite effect. In my tests, it caused the strong auth to be
required every hour rather than a 42 d interval.

Ref: frameworks/base/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

In my tests, dpm.getRequiredStrongAuthTimeout(null, userId) returned 3600000.

Note that this patch circumvents the values that DeviceAdmin may provide. In other words, it ignores whatever an MDM would request for the strong auth timeout!

To be clear, this patch is a practical approach; in an ideal world, we would properly use the DeviceAdmin feature.

Confirmed working on:

* Android 9
* Android 10

Submitted to:

* hashbang/os#32
* RattlesnakeOS/community_patches#9
* https://github.com/ypid/ypid-android-patches