enforce keyguard authentication and more logging

ajungg · ajungg · commit 92aafec1e8bc · 2021-09-09T16:37:49.000+02:00
diff --git a/core/src/main/java/io/snabble/sdk/UserPreferences.java b/core/src/main/java/io/snabble/sdk/UserPreferences.java
@@ -206,34 +206,6 @@ public String getConsentVersion() {
         return sharedPreferences.getString(SHARED_PREFERENCES_CONSENT_VERSION, null);
     }
 
-    /**
-     * Enables keyguard authentication for online payment using user credentials.
-     * Requires the user to have a PIN, Fingerprint or other security locks.
-     *
-     * Payment credentials will then be securely stored using a generated key
-     * using the Android KeyStore API.
-     *
-     * Removing the secure lock will cause the keys to be wiped and rendering the
-     * stored payment credentials useless.
-     *
-     * Only supported for Android >= 4.3. For earlier Android versions the credentials will only
-     * be stored using asynchronous RSA.
-     *
-     */
-    public void setRequireKeyguardAuthenticationForPayment(boolean enabled) {
-        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR2) {
-            sharedPreferences.edit().putBoolean(SHARED_PREFERENCES_USE_KEYGUARD, enabled).apply();
-        }
-    }
-
-    public boolean isRequiringKeyguardAuthenticationForPayment() {
-        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR2) {
-            return sharedPreferences.getBoolean(SHARED_PREFERENCES_USE_KEYGUARD, false);
-        }
-
-        return false;
-    }
-
     public void addOnNewAppUserListener(OnNewAppUserListener onNewAppUserListener) {
         if (!onNewAppUserListeners.contains(onNewAppUserListener)) {
             onNewAppUserListeners.add(onNewAppUserListener);
diff --git a/core/src/main/java/io/snabble/sdk/payment/PaymentCredentialsStore.java b/core/src/main/java/io/snabble/sdk/payment/PaymentCredentialsStore.java
@@ -62,32 +62,27 @@ public void init(Context context, Environment environment) {
     @SuppressLint("NewApi")
     private void initializeKeyStore() {
         if (keyStoreCipher == null) {
-            Snabble snabble = Snabble.getInstance();
-
-            // KeyStore is not available on Android < 4.3
-            if (userPreferences.isRequiringKeyguardAuthenticationForPayment()) {
-                keyStoreCipher = KeyStoreCipher.create(snabble.getApplication(), "SnabblePaymentCredentialsStore", true);
-            }
+            keyStoreCipher = KeyStoreCipher.create(Snabble.getInstance().getApplication(), "SnabblePaymentCredentialsStore", true);
         }
     }
 
     private void ensureKeyStoreIsAccessible() {
         initializeKeyStore();
 
-        if (keyStoreCipher != null) {
-            keyStoreCipher.validate();
+        keyStoreCipher.validate();
 
-            String id = keyStoreCipher.id();
-            if (id == null) {
-                keyStoreCipher = null;
-                return;
-            }
+        String id = keyStoreCipher.id();
+        if (id == null) {
+            Logger.errorEvent("Keystore has no id!");
+            keyStoreCipher = null;
+            return;
+        }
 
-            if (!id.equals(data.id)) {
-                data.id = keyStoreCipher.id();
-                data.isKeyguarded = true;
-                removeInvalidCredentials();
-            }
+        if (!id.equals(data.id)) {
+            data.id = keyStoreCipher.id();
+            data.isKeyguarded = true;
+            Logger.errorEvent("Removing payment credentials, because key store id differs");
+            removeInvalidCredentials();
         }
 
         Context context = Snabble.getInstance().getApplication();
@@ -103,7 +98,8 @@ private void ensureKeyStoreIsAccessible() {
             }
         }
 
-        if (!secure || data.isKeyguarded != userPreferences.isRequiringKeyguardAuthenticationForPayment()) {
+        if (!secure) {
+            Logger.errorEvent("Removing payment credentials, because device is not secure. KeyguardManager is " + (keyguardManager != null ? "not null" : "null"));
             removeInvalidCredentials();
         }
     }
@@ -211,7 +207,7 @@ private void load() {
             try {
                 data = gson.fromJson(json, Data.class);
             } catch (Exception e) {
-                Logger.e("Could not read payment credentials: %s", e.getMessage());
+                Logger.errorEvent("Could not read payment credentials: %s", e.getMessage());
             }
 
             if (data.credentialsList == null) {
diff --git a/sample/src/main/java/io/snabble/testapp/App.java b/sample/src/main/java/io/snabble/testapp/App.java
@@ -95,9 +95,6 @@ public void onReady() {
                 // we invent one here
                 project.setCustomerCardId("2206467131013");
 
-                // if you want to force keyguard authentication before online payment
-                snabble.getUserPreferences().setRequireKeyguardAuthenticationForPayment(true);
-
                 // optional: preload assets
                 project.getAssets().update();
 
diff --git a/ui/src/main/java/io/snabble/sdk/ui/payment/CreditCardInputView.java b/ui/src/main/java/io/snabble/sdk/ui/payment/CreditCardInputView.java
@@ -243,25 +243,21 @@ private void loadForm(HashResponse hashResponse) {
     private void authenticateAndSave(final CreditCardInfo creditCardInfo) {
         cancelPreAuth(creditCardInfo);
 
-        if (Snabble.getInstance().getUserPreferences().isRequiringKeyguardAuthenticationForPayment()) {
-            Keyguard.unlock(UIUtils.getHostFragmentActivity(getContext()), new Keyguard.Callback() {
-                @Override
-                public void success() {
-                    save(creditCardInfo);
-                }
+        Keyguard.unlock(UIUtils.getHostFragmentActivity(getContext()), new Keyguard.Callback() {
+            @Override
+            public void success() {
+                save(creditCardInfo);
+            }
 
-                @Override
-                public void error() {
-                    if (isShown()) {
-                        finish();
-                    } else {
-                        acceptedKeyguard = true;
-                    }
+            @Override
+            public void error() {
+                if (isShown()) {
+                    finish();
+                } else {
+                    acceptedKeyguard = true;
                 }
-            });
-        } else {
-            save(creditCardInfo);
-        }
+            }
+        });
     }
 
     private void save(CreditCardInfo info) {
diff --git a/ui/src/main/java/io/snabble/sdk/ui/payment/PaydirektInputView.java b/ui/src/main/java/io/snabble/sdk/ui/payment/PaydirektInputView.java
@@ -222,25 +222,21 @@ public void error(Throwable t) {
     }
 
     private void authenticateAndSave() {
-        if (Snabble.getInstance().getUserPreferences().isRequiringKeyguardAuthenticationForPayment()) {
-            Keyguard.unlock(UIUtils.getHostFragmentActivity(getContext()), new Keyguard.Callback() {
-                @Override
-                public void success() {
-                    save();
-                }
+        Keyguard.unlock(UIUtils.getHostFragmentActivity(getContext()), new Keyguard.Callback() {
+            @Override
+            public void success() {
+                save();
+            }
 
-                @Override
-                public void error() {
-                    if (isShown()) {
-                        finish();
-                    } else {
-                        acceptedKeyguard = true;
-                    }
+            @Override
+            public void error() {
+                if (isShown()) {
+                    finish();
+                } else {
+                    acceptedKeyguard = true;
                 }
-            });
-        } else {
-            save();
-        }
+            }
+        });
     }
 
     private void save() {
diff --git a/ui/src/main/java/io/snabble/sdk/ui/payment/SEPACardInputView.java b/ui/src/main/java/io/snabble/sdk/ui/payment/SEPACardInputView.java
@@ -258,28 +258,24 @@ private void saveCard() {
         }
 
         if (ok) {
-            if (Snabble.getInstance().getUserPreferences().isRequiringKeyguardAuthenticationForPayment()) {
-                if (KeyguardUtils.isDeviceSecure()) {
-                    Keyguard.unlock(UIUtils.getHostFragmentActivity(getContext()), new Keyguard.Callback() {
-                        @Override
-                        public void success() {
-                            add(name, iban);
-                        }
+            if (KeyguardUtils.isDeviceSecure()) {
+                Keyguard.unlock(UIUtils.getHostFragmentActivity(getContext()), new Keyguard.Callback() {
+                    @Override
+                    public void success() {
+                        add(name, iban);
+                    }
 
-                        @Override
-                        public void error() {
+                    @Override
+                    public void error() {
 
-                        }
-                    });
-                } else {
-                    new AlertDialog.Builder(getContext())
-                            .setMessage(R.string.Snabble_Keyguard_requireScreenLock)
-                            .setPositiveButton(R.string.Snabble_OK, null)
-                            .setCancelable(false)
-                            .show();
-                }
+                    }
+                });
             } else {
-                add(name, iban);
+                new AlertDialog.Builder(getContext())
+                        .setMessage(R.string.Snabble_Keyguard_requireScreenLock)
+                        .setPositiveButton(R.string.Snabble_OK, null)
+                        .setCancelable(false)
+                        .show();
             }
         }
     }
diff --git a/utils/src/main/java/io/snabble/sdk/utils/security/KeyStoreCipherMarshmallow.java b/utils/src/main/java/io/snabble/sdk/utils/security/KeyStoreCipherMarshmallow.java
@@ -17,6 +17,7 @@
 import javax.crypto.KeyGenerator;
 import javax.crypto.spec.IvParameterSpec;
 
+import io.snabble.sdk.utils.Dispatch;
 import io.snabble.sdk.utils.Logger;
 import io.snabble.sdk.utils.Utils;
 
@@ -133,7 +134,7 @@ public byte[] encrypt(byte[] input) {
             c.init(Cipher.ENCRYPT_MODE, keyStore.getKey(alias, null), ivParameterSpec);
             return c.doFinal(input);
         } catch (KeyPermanentlyInvalidatedException e) {
-            Logger.e("Key permanently invalidated");
+            Logger.errorEvent("Key permanently invalidated " + e.getClass().getName() + ": " + e.getMessage());
         } catch (Exception e) {
             Logger.e("Could not encrypt data: %s", e.getMessage());
         }
@@ -148,7 +149,7 @@ public byte[] decrypt(byte[] encrypted) {
             c.init(Cipher.DECRYPT_MODE, keyStore.getKey(alias, null), ivParameterSpec);
             return c.doFinal(encrypted);
         } catch (KeyPermanentlyInvalidatedException e) {
-            Logger.e("Key permanently invalidated");
+            Logger.errorEvent("Key permanently invalidated " + e.getClass().getName() + ": " + e.getMessage());
         } catch (Exception e) {
             Logger.e("Could not decrypt data: %s", e.getMessage());
         }
