From 97db7dfda31276b080fb7e64658da653cb960087 Mon Sep 17 00:00:00 2001
From: Torsten Grote <t@grobox.de>
Date: Wed, 11 Aug 2021 11:54:28 +0200
Subject: [PATCH] Ask for system authentication before storing a new recovery
 code

This will help to prevent data extraction via seedvault when somebody gets hold of an unlocked phone. However, it will not help against someone able to force you to provide fingerprints or other device secrets.
---
 README.md                                     |  1 +
 app/src/main/AndroidManifest.xml              |  3 ++
 .../recoverycode/RecoveryCodeInputFragment.kt | 34 ++++++++++++++++++-
 app/src/main/res/values/strings.xml           |  2 ++
 4 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5e3f347e..7973696f 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,7 @@ It uses the same internal APIs as `adb backup` which is deprecated and thus need
 * `android.permission.ACCESS_MEDIA_LOCATION` to backup original media files e.g. without stripped EXIF metadata.
 * `android.permission.FOREGROUND_SERVICE` to do periodic storage backups without interruption.
 * `android.permission.MANAGE_DOCUMENTS` to retrieve the available storage roots (optional) for better UX.
+* `android.permission.USE_BIOMETRIC` to authenticate saving a new recovery code
 
 ## Contributing
 Bug reports and pull requests are welcome on GitHub at https://github.com/seedvault-app/seedvault.
diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml
index c8a8da5e..d3fa7189 100644
--- a/app/src/main/AndroidManifest.xml
+++ b/app/src/main/AndroidManifest.xml
@@ -47,6 +47,9 @@
         android:name="android.permission.QUERY_ALL_PACKAGES"
         tools:ignore="QueryAllPackagesPermission" />
 
+    <!-- Used to authenticate saving a new recovery code -->
+    <uses-permission android:name="android.permission.USE_BIOMETRIC" />
+
     <application
         android:name=".App"
         android:allowBackup="false"
diff --git a/app/src/main/java/com/stevesoltys/seedvault/ui/recoverycode/RecoveryCodeInputFragment.kt b/app/src/main/java/com/stevesoltys/seedvault/ui/recoverycode/RecoveryCodeInputFragment.kt
index 8211a015..8cb7fd89 100644
--- a/app/src/main/java/com/stevesoltys/seedvault/ui/recoverycode/RecoveryCodeInputFragment.kt
+++ b/app/src/main/java/com/stevesoltys/seedvault/ui/recoverycode/RecoveryCodeInputFragment.kt
@@ -1,8 +1,14 @@
 package com.stevesoltys.seedvault.ui.recoverycode
 
 import android.app.Activity.RESULT_OK
+import android.app.KeyguardManager
 import android.content.Intent
+import android.hardware.biometrics.BiometricManager.Authenticators.BIOMETRIC_STRONG
+import android.hardware.biometrics.BiometricManager.Authenticators.DEVICE_CREDENTIAL
+import android.hardware.biometrics.BiometricPrompt
+import android.os.Build.VERSION.SDK_INT
 import android.os.Bundle
+import android.os.CancellationSignal
 import android.view.LayoutInflater
 import android.view.View
 import android.view.View.GONE
@@ -16,8 +22,10 @@ import android.widget.TextView
 import android.widget.Toast
 import android.widget.Toast.LENGTH_LONG
 import androidx.activity.result.contract.ActivityResultContracts.StartActivityForResult
+import androidx.annotation.RequiresApi
 import androidx.appcompat.app.AlertDialog
 import androidx.constraintlayout.widget.ConstraintLayout
+import androidx.core.content.ContextCompat.getMainExecutor
 import androidx.fragment.app.Fragment
 import cash.z.ecc.android.bip39.Mnemonics
 import cash.z.ecc.android.bip39.Mnemonics.ChecksumException
@@ -143,12 +151,36 @@ class RecoveryCodeInputFragment : Fragment() {
             return
         }
         if (forStoringNewCode) {
-            viewModel.storeNewCode(input)
+            val keyguardManager = requireContext().getSystemService(KeyguardManager::class.java)
+            if (SDK_INT >= 30 && keyguardManager.isDeviceSecure) {
+                // if we have a lock-screen secret, we can ask for it before storing the code
+                storeNewCodeAfterAuth(input)
+            } else {
+                // user doesn't seem to care about security, store key without auth
+                viewModel.storeNewCode(input)
+            }
         } else {
             viewModel.verifyExistingCode(input)
         }
     }
 
+    @RequiresApi(30)
+    private fun storeNewCodeAfterAuth(input: List<CharSequence>) {
+        val biometricPrompt = BiometricPrompt.Builder(context)
+            .setConfirmationRequired(true)
+            .setTitle(getString(R.string.recovery_code_auth_title))
+            .setDescription(getString(R.string.recovery_code_auth_description))
+            // BIOMETRIC_STRONG could be made optional in the future, setting guarded by credentials
+            .setAllowedAuthenticators(DEVICE_CREDENTIAL or BIOMETRIC_STRONG)
+            .build()
+        val callback = object : BiometricPrompt.AuthenticationCallback() {
+            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult?) {
+                viewModel.storeNewCode(input)
+            }
+        }
+        biometricPrompt.authenticate(CancellationSignal(), getMainExecutor(context), callback)
+    }
+
     private fun allFilledOut(input: List<CharSequence>): Boolean {
         for (i in input.indices) {
             if (input[i].isNotEmpty()) continue
diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
index e502e9c7..562a517b 100644
--- a/app/src/main/res/values/strings.xml
+++ b/app/src/main/res/values/strings.xml
@@ -93,6 +93,8 @@
     <string name="recovery_code_verification_new_dialog_title">Wait one second…</string>
     <string name="recovery_code_verification_new_dialog_message">Generating a new code will make your existing backups inaccessible. We\'ll try to delete them if possible.\n\nAre you sure you want to do this?</string>
     <string name="recovery_code_recreated">New recovery code has been created successfully</string>
+    <string name="recovery_code_auth_title">Confirm it\'s really you</string>
+    <string name="recovery_code_auth_description">This ensures that nobody else can get your data when finding your phone unlocked.</string>
 
     <!-- Notification -->
     <string name="notification_channel_title">Backup notification</string>