fix(autofill-parser): reformat top-level comment

Harsh Shandilya 2022-10-07 19:26:10 +05:30
parent 16b9c1330d
commit 9df9936551
No known key found for this signature in database


@ -14,42 +14,42 @@ import android.provider.Settings
import android.service.autofill.SaveInfo
import androidx.annotation.RequiresApi
/*
In order to add a new browser, do the following:
1. Obtain the .apk from a trusted source. For example, download it from the Play Store on your
phone and use adb pull to get it onto your computer. We will assume that it is called
browser.apk.
2. Run
aapt dump badging browser.apk | grep package: | grep -Eo " name='[a-zA-Z0-9_\.]*" | cut -c8-
to obtain the package name (actually, the application ID) of the app in the .apk.
3. Run
apksigner verify --print-certs browser.apk | grep "#1 certificate SHA-256" | grep -Eo "[a-f0-9]{64}" | tr -d '\n' | xxd -r -p | base64
to calculate the hash of browser.apk's first signing certificate.
Note: This will only work if the apk has a single signing certificate. Apps with multiple
signers are very rare, so there is probably no need to add them.
Refer to computeCertificatesHash to learn how the hash would be computed in this case.
4. Verify the package name and the hash, for example by asking other people to repeat the steps
above.
5. Add an entry with the browser apps's package name and the hash to
TRUSTED_BROWSER_CERTIFICATE_HASH.
6. Optionally, try adding the browser's package name to BROWSERS_WITH_SAVE_SUPPORT and check
whether a save request to Password Store is triggered when you submit a registration form.
7. Optionally, try adding the browser's package name to BROWSERS_WITH_MULTI_ORIGIN_SUPPORT and
check whether it correctly distinguishes web origins even if iframes are present on the page.
You can use https://fabianhenneke.github.io/Android-Password-Store/ as a test form.
*/
/*
/**
* In order to add a new browser, do the following:
*
* 1. Obtain the .apk from a trusted source. For example, download it from the Play Store on your
* phone and use adb pull to get it onto your computer. We will assume that it is called
* browser.apk.
*
* 2. Run
*
* aapt dump badging browser.apk | grep package: | grep -Eo " name='[a-zA-Z0-9_\.]*" | cut -c8-
*
* to obtain the package name (actually, the application ID) of the app in the .apk.
*
* 3. Run
*
* apksigner verify --print-certs browser.apk | grep "#1 certificate SHA-256" | grep -Eo
* "[a-f0-9]{64}" | tr -d '\n' | xxd -r -p | base64
*
* to calculate the hash of browser.apk's first signing certificate. Note: This will only work if
* the apk has a single signing certificate. Apps with multiple signers are very rare, so there is
* probably no need to add them. Refer to computeCertificatesHash to learn how the hash would be
* computed in this case.
*
* 4. Verify the package name and the hash, for example by asking other people to repeat the steps
* above.
*
* 5. Add an entry with the browser apps's package name and the hash to
* TRUSTED_BROWSER_CERTIFICATE_HASH.
*
* 6. Optionally, try adding the browser's package name to BROWSERS_WITH_SAVE_SUPPORT and check
* whether a save request to Password Store is triggered when you submit a registration form.
*
* 7. Optionally, try adding the browser's package name to BROWSERS_WITH_MULTI_ORIGIN_SUPPORT and
* check whether it correctly distinguishes web origins even if iframes are present on the page. You
* can use https://fabianhenneke.github.io/Android-Password-Store/ as a test form.
*
* **Security assumption**: Browsers on this list correctly report the web origin of the top-level
* window as part of their AssistStructure.
*
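Review bot: In step 3 of the reformatted comment, the apksigner pipeline is now wrapped in the middle of a command: the line ends at `grep -Eo` and the pattern `"[a-f0-9]{64}"` starts the next comment line. Anyone copying the first line gets a `grep -Eo` with no pattern, and copying both lines drags the leading `*` into the shell. Since the output of this command is the value that ends up in TRUSTED_BROWSER_CERTIFICATE_HASH, it should stay copy-pasteable as one line, the way the aapt command in step 2 still is. Consider exempting this line from the formatter's wrapping or breaking it only at a `|` boundary. While the comment is being touched, "browser apps's" in step 5 can be corrected to "browser app's". The single-signer note is now run into the sentence after the command. Giving it its own paragraph again would keep the caveat visible.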