Before, we were faking a backup and just returned true, but remembering that next time, we need to do a fresh non-incremental @pm@ backup.
Now, we backup to local cache, but don't upload it. On next run, when we can do backups again, we will upload the updated cache. This simplifies things and reduces the special logic required.
This will only hide installed apps from naive attackers as the APKs are still not encrypted and even then other attacks would be possible.
However, it allows us to simplify our storage plugin API.
We ask the user to generate a new key, because actively asking for the old one is training bad security habits, but technically verifying the old key will also work.
* 'master' of https://github.com/seedvault-app/seedvault: (50 commits)
Bump version to 11-2.2
Changelog: Update till 11-2.1
Restrict exported components
Allow launching restore through a dialer code
Add expert settings with an option for unlimited quota
Prevent screenshots of recovery code
Use clearer more generic strings
Ask for system authentication before storing a new recovery code
Split up validating, verifying and storing of recovery code
Disable Nextcloud restore when not installed and no store available
Disable spell-checker on recovery code input
Add warning for third-party tools to README
document potential information leakage through the long-lived SQL caches
Provide an overview over key derivations
Compares kotlin-bip39 library with bitcoinj library
Link FAQ in Readme to make it more discoverable
Move LocalContactsBackup to product partition
Add newline at the end of all files
Improve .editorconfig setup
Don't backup on metered networks
...
Conflicts:
app/src/main/res/values-de/strings.xml
app/src/main/res/values-es/strings.xml
app/src/main/res/values-pt/strings.xml
app/src/main/res/values-zh-rCN/strings.xml
Conflicts resolved by simply checking out translations from android11,
since they are not modified in master at all.
Change-Id: I0a83c72dbc78b38985b46f9b75ce92e27acd2e03
User-facing changes:
* Don't backup on metered networks
* Disable spell-checker on recovery code input
* Disable Nextcloud restore when not installed and no store available
* Ask for system authentication before storing a new recovery code
* Prevent screenshots of recovery code
* Add expert settings with an option for unlimited quota
* Allow launching restore through a dialer code
* Restrict exported components
Others:
* Improve .editorconfig setup
* Move LocalContactsBackup to product partition
* Link FAQ in Readme to make it more discoverable
* Compares kotlin-bip39 library with bitcoinj library
* Provide an overview over key derivations
* document potential information leakage through the long-lived SQL caches
* Add warning for third-party tools to README
Change-Id: I095af13d0ff010c9602bc323267c074ce7d019a2
* We don't show Restore in menu by default since it's
not the best idea to restore a running system
* However, at the same time, it's good to have a way to do
that for those who'd like to restore anyway, and the only
current way is adb, which is not ideal
* Dialing "*#*#RESTORE#*#*" will launch the restore activity
Change-Id: I258fead82f7e916a4de0b314e1840d7aa4b3746c
This is may be inconvenient for some people, but it is way more secure as screenshots can be accessed by malicious apps that look our for BIP39 codes. Better to store the code on paper.
This will help to prevent data extraction via seedvault when somebody gets hold of an unlocked phone. However, it will not help against someone able to force you to provide fingerprints or other device secrets.
Currently translated at 100.0% (135 of 135 strings)
Translated using Weblate (Ukrainian)
Currently translated at 25.9% (35 of 135 strings)
Co-authored-by: Tymofii Lytvynenko <till.svit@gmail.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/uk/
Translation: CalyxOS/Seedvault
Currently translated at 99.2% (134 of 135 strings)
Translated using Weblate (Slovak)
Currently translated at 11.8% (16 of 135 strings)
Co-authored-by: František Oboňa <frantisekobona@gmail.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/sk/
Translation: CalyxOS/Seedvault
Currently translated at 95.5% (129 of 135 strings)
Translated using Weblate (Telugu)
Currently translated at 65.1% (88 of 135 strings)
Co-authored-by: Shashi A <bitcoinbabu401@gmail.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/te/
Translation: CalyxOS/Seedvault
Attempting to install Nextcloud in SetupWizard on a device
that has no app store installed results in a crash.
Disable the option and use an appropriate summary.
Change-Id: Ie3dff8d85ed68b27858fa37b3efb97eb345fa372
* We better not overuse metered networks as such connections
* are usually sensitive to heavy data usage due to monetary costs and/or data limitations.
* Only change here is the BIP39 dependency replacement, however
I'm still bumping version so that it's easy to figure out in case
there ever was a build with just 2.0 and not this due to whatever reason
Change-Id: I9783d5e038d002e871c09be6fe61174c5a5b901f
* delete all storage backups for current user
* clears the storage backup cache
* start a new app data restore set and initializes it
The reason is that old backups won't be readable anymore with the new key. We also can't delete other backups safely as we did before, because we can't be sure that they don't belong to a different device or user.
Previously, we would put our files directly in the root of the storage location and delete any existing backups there. When used by different devices or user profiles, these would keep deleting each other's backups.
Currently translated at 51.1% (69 of 135 strings)
Translated using Weblate (Burmese)
Currently translated at 50.3% (68 of 135 strings)
Translated using Weblate (Burmese)
Currently translated at 48.8% (66 of 135 strings)
Co-authored-by: Chirayu Desai <chirayudesai1@gmail.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/my/
Translation: CalyxOS/Seedvault
Currently translated at 99.2% (134 of 135 strings)
Translated using Weblate (Polish)
Currently translated at 51.8% (70 of 135 strings)
Co-authored-by: m4sk1n <me@m4sk.in>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/pl/
Translation: CalyxOS/Seedvault
Currently translated at 100.0% (135 of 135 strings)
Translated using Weblate (Spanish)
Currently translated at 100.0% (135 of 135 strings)
Translated using Weblate (Spanish)
Currently translated at 97.0% (131 of 135 strings)
Co-authored-by: Óscar Fernández Díaz <oscfdezdz@tuta.io>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/es/
Translation: CalyxOS/Seedvault
Currently translated at 100.0% (135 of 135 strings)
Translated using Weblate (Spanish)
Currently translated at 97.0% (131 of 135 strings)
Translated using Weblate (Spanish)
Currently translated at 91.8% (124 of 135 strings)
Co-authored-by: Oscar Nydza <onn.tico@gmail.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/es/
Translation: CalyxOS/Seedvault
Currently translated at 20.0% (27 of 135 strings)
Translated using Weblate (Telugu)
Currently translated at 21.7% (27 of 124 strings)
Co-authored-by: Chaitanya Chowdary <chaitanyachowdaryy@protonmail.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/te/
Translation: CalyxOS/Seedvault
Currently translated at 100.0% (124 of 124 strings)
Translated using Weblate (Chinese (Simplified))
Currently translated at 100.0% (124 of 124 strings)
Co-authored-by: Zkdc <Zkdc2345@qq.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/zh_Hans/
Translation: CalyxOS/Seedvault
Currently translated at 94.8% (128 of 135 strings)
Translated using Weblate (Korean)
Currently translated at 95.9% (119 of 124 strings)
Co-authored-by: Yurical <yurical1@outlook.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/ko/
Translation: CalyxOS/Seedvault
Currently translated at 100.0% (135 of 135 strings)
Translated using Weblate (German)
Currently translated at 100.0% (124 of 124 strings)
Co-authored-by: nautilusx <translate@disroot.org>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/de/
Translation: CalyxOS/Seedvault
Currently translated at 100.0% (135 of 135 strings)
Translated using Weblate (Turkish)
Currently translated at 100.0% (124 of 124 strings)
Co-authored-by: Oğuz Ersen <oguzersen@protonmail.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/tr/
Translation: CalyxOS/Seedvault
Currently translated at 94.7% (108 of 114 strings)
Translated using Weblate (Korean)
Currently translated at 88.5% (101 of 114 strings)
Co-authored-by: Yurical <yurical1@outlook.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/ko/
Translation: CalyxOS/Seedvault
Currently translated at 100.0% (112 of 112 strings)
Translated using Weblate (Russian)
Currently translated at 98.2% (110 of 112 strings)
Co-authored-by: Nikita Epifanov <nikgreens@protonmail.com>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/ru/
Translation: CalyxOS/Seedvault
This commit also refactors the code in SettingsFragment and moves it into the SettingsViewModel.
The UsbMonitor turned out not to be reliable in determining changes to USB storage, so it was replaced with a ContentObserver which works for other storage types as well.
This is the same behavior as Google backup when it has no internet connection and after extensive research the only option we can keep the system from considering the backup state to be compromised.
K/V backups are run at least every day, no matter what backup interval we set in settings and when they run, we don't get asked before, if now is a good time for backups. So we need to fake an OK for @pm@ backup and can error out afterwards without compromising state.
K/V backups are normally only attempted when charging and having an (un-metered) internet connection. However, if the system could not do a backup for more than a day, it ignores these requirements and still attempts a backup run. If a backup storage is used that is only accessible on the internet, but there is no internet connection, the backup attempt will fail. Therefore, we check if our storage requires the internet and if so, we treat it similar to a removable storage, by rejecting backup attempts and suppressing error notifications.
There is a possibility that incompatible APK splits make a an app crash when starting after re-installing it.
With that config option each OEM can decide with they want to take this risk or not.
that tries to figure out compatibility only based on the name of the split.
This is not an exact science and there might be errors, but we hope to correctly identify most cases that matter in practice.
We are re-installing system apps if they are present on the restore device as a system app and have a newer version code.
Before, when one of those conditions is not true, we were showing a failure and gave the user the option to re-install the app from an app store.
Now, we don't offer the manual re-install option anymore and only show a success when a newer or same version of the system app is already installed.
When an app fails to install during restore, we offer the option to manually install it.
If this doesn't happen with the same app store,
it is likely that the installed app will have a different signature (e.g. Aurora vs. F-Droid).
If the signature doesn't match, the data restore will fail.
Therefore, we attempt to let the user only use the same store for re-install.
There's a known issue that F-Droid doesn't report the proper package name:
https://gitlab.com/fdroid/fdroidclient/-/issues/2085
When one or more apps fail to install, the user is shown a dialog explaining that we need the apps installed in order for restore to work.
After the dialog is dismissed, the list of apps is resorted so failed apps are at the top. They are made clickable and the user is brought to an app store to re-install them.
Otherwise gradle pulls in newer versions of some libraries that require
a newer Kotlin version at runtime and then make the app crash.
This also moves the dependency declarations into a dedicated file.
Updated by "Cleanup translation files" hook in Weblate.
Translated using Weblate (Portuguese (Brazil))
Currently translated at 100.0% (108 of 108 strings)
Translated using Weblate (Portuguese (Brazil))
Currently translated at 79.6% (86 of 108 strings)
Translated using Weblate (Spanish)
Currently translated at 99.0% (107 of 108 strings)
Translated using Weblate (Portuguese (Brazil))
Currently translated at 72.2% (78 of 108 strings)
Translated using Weblate (Russian)
Currently translated at 100.0% (108 of 108 strings)
Translated using Weblate (Chinese (Simplified))
Currently translated at 14.8% (16 of 108 strings)
Translated using Weblate (Norwegian Bokmål)
Currently translated at 94.4% (102 of 108 strings)
Translated using Weblate (Russian)
Currently translated at 7.4% (8 of 108 strings)
Translated using Weblate (Russian)
Currently translated at 6.4% (7 of 108 strings)
Translated using Weblate (Chinese (Simplified))
Currently translated at 3.7% (4 of 108 strings)
Translated using Weblate (German)
Currently translated at 70.3% (76 of 108 strings)
Translated using Weblate (Icelandic)
Currently translated at 100.0% (108 of 108 strings)
Translated using Weblate (Spanish (American))
Currently translated at 97.2% (105 of 108 strings)
Translated using Weblate (Spanish)
Currently translated at 34.2% (37 of 108 strings)
Translated using Weblate (Italian)
Currently translated at 60.1% (65 of 108 strings)
Translated using Weblate (Italian)
Currently translated at 38.8% (42 of 108 strings)
Translated using Weblate (Norwegian Bokmål)
Currently translated at 94.4% (102 of 108 strings)
Translated using Weblate (German)
Currently translated at 10.1% (11 of 108 strings)
Translated using Weblate (French)
Currently translated at 100.0% (108 of 108 strings)
Translated using Weblate (French)
Currently translated at 65.7% (71 of 108 strings)
Added translation using Weblate (Dutch)
Added translation using Weblate (Zulu)
Added translation using Weblate (Chinese (Traditional, Hong Kong))
Added translation using Weblate (Chinese (Traditional))
Added translation using Weblate (Chinese (Simplified))
Added translation using Weblate (Vietnamese)
Added translation using Weblate (Uzbek)
Added translation using Weblate (Urdu)
Added translation using Weblate (Ukrainian)
Added translation using Weblate (Turkish)
Added translation using Weblate (Tagalog)
Added translation using Weblate (Thai)
Added translation using Weblate (Telugu)
Added translation using Weblate (Tamil)
Added translation using Weblate (Swahili)
Added translation using Weblate (Swedish)
Added translation using Weblate (Serbian (latin))
Added translation using Weblate (Serbian)
Added translation using Weblate (Albanian)
Added translation using Weblate (Slovenian)
Added translation using Weblate (Slovak)
Added translation using Weblate (Sinhala)
Added translation using Weblate (Romanian)
Added translation using Weblate (Portuguese (Portugal))
Added translation using Weblate (Portuguese (Brazil))
Added translation using Weblate (Portuguese)
Added translation using Weblate (Polish)
Added translation using Weblate (Punjabi)
Added translation using Weblate (Odia)
Added translation using Weblate (Nepali)
Added translation using Weblate (Burmese)
Added translation using Weblate (Malay)
Added translation using Weblate (Marathi)
Added translation using Weblate (Mongolian)
Added translation using Weblate (Malayalam)
Added translation using Weblate (Macedonian)
Added translation using Weblate (Latvian)
Added translation using Weblate (Lithuanian)
Added translation using Weblate (Lao)
Added translation using Weblate (Kyrgyz)
Added translation using Weblate (Korean)
Added translation using Weblate (Kannada)
Added translation using Weblate (Central Khmer)
Added translation using Weblate (Kazakh)
Added translation using Weblate (Georgian)
Added translation using Weblate (Japanese)
Added translation using Weblate (Icelandic)
Added translation using Weblate (Indonesian)
Added translation using Weblate (Armenian)
Added translation using Weblate (Hungarian)
Added translation using Weblate (Croatian)
Added translation using Weblate (Galician)
Added translation using Weblate (French (Canada))
Added translation using Weblate (Finnish)
Added translation using Weblate (Persian)
Added translation using Weblate (Basque)
Added translation using Weblate (Estonian)
Added translation using Weblate (English (India))
Added translation using Weblate (English (United Kingdom))
Added translation using Weblate (English (Canada))
Added translation using Weblate (English (Australia))
Added translation using Weblate (Danish)
Added translation using Weblate (Czech)
Added translation using Weblate (Catalan)
Added translation using Weblate (Bosnian)
Added translation using Weblate (Bengali)
Added translation using Weblate (Bulgarian)
Added translation using Weblate (Belarusian)
Added translation using Weblate (Azerbaijani)
Added translation using Weblate (Assamese)
Added translation using Weblate (Amharic)
Added translation using Weblate (Afrikaans)
Added translation using Weblate (Spanish (American))
Added translation using Weblate (Spanish)
Added translation using Weblate (Arabic)
Added translation using Weblate (Italian)
Added translation using Weblate (Hebrew)
Added translation using Weblate (Norwegian Bokmål)
Added translation using Weblate (Hindi)
Added translation using Weblate (Russian)
Added translation using Weblate (German)
Added translation using Weblate (Gujarati)
Added translation using Weblate (French)
Translated using Weblate (Greek)
Currently translated at 29.6% (32 of 108 strings)
Added translation using Weblate (Greek)
Co-authored-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com>
Co-authored-by: Allan Nordhøy <epost@anotheragency.no>
Co-authored-by: Catherine Pierattini <catherine.pierattini@gmail.com>
Co-authored-by: CatieC <catie@calyxinstitute.org>
Co-authored-by: Chirayu Desai <chirayudesai1@gmail.com>
Co-authored-by: Daniel <dan.ef1999@gmail.com>
Co-authored-by: H <joaquinfc@protonmail.com>
Co-authored-by: Hosted Weblate <hosted@weblate.org>
Co-authored-by: J. Lavoie <j.lavoie@net-c.ca>
Co-authored-by: Meili Huang <meilihuang1216@gmail.com>
Co-authored-by: Michael Bestas <mkbestas@gmail.com>
Co-authored-by: Mordur Aslaugarson <mordur@1984.is>
Co-authored-by: Nikita Epifanov <nikgreens@protonmail.com>
Co-authored-by: Robin Kunze <robinkunze@outlook.com>
Co-authored-by: Samuel Carvalho de Araújo <samuelnegro12345@gmail.com>
Co-authored-by: Santiago Cruz <scruz4@tuta.io>
Co-authored-by: Weblate <noreply@weblate.org>
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/de/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/el/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/es/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/es_US/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/fr/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/is/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/it/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/nb_NO/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/pt_BR/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/ru/
Translate-URL: https://hosted.weblate.org/projects/calyxos/seedvault/zh_Hans/
Translation: CalyxOS/Seedvault
Outside of SetupWizard restore, we don't offer to set up an account,
because we don't know if one already exists and the app was locked with
a passcode.
Apps that have FLAG_STOPPED will not get backed up, just like apps
without flag ALLOW_BACKUP will not get backed up.
In the UI both cases are shown the same way: app does not allow backup
This can be confusing for the user as it is not true for stopped apps.
Therefore, this commit introduces a new stopped state for apps,
so we can differentiate between both cases.
* Add Android.bp to compile using AOSP build system instead of gradle
* Add prebuilt external libs that are not available on AOSP
Fixes#97
Co-authored-by: Chirayu Desai <chirayudesai1@gmail.com>
* All previous aar versions have their modified date set to 0 which trigger
the following openjdk bug:
https://bugs.openjdk.java.net/browse/JDK-8184940
This fixes the following compilation error while building in AOSP environment:
java.time.DateTimeException: Invalid value for MonthOfYear (valid values 1 - 12): 0
The system triggers backup jobs periodically or when a package is
announcing that its data has changed. So far we were not showing
notifications for those. This commit shows a notification with an
indeterminate progress bar as we don't have any information about how
many packages will get backed up.
It turned out that call log backup is already in AOSP, but it is
disabled by an undocumented flag. This commit sets this flag (for new
and existing installs) to enable call log backup.
This commit makes creating new RestoreSets explicit.
Initializing a backup transport now actually cleans its data as the AOSP
documentation demands. This should be fine as we usually do a fresh
backup after a new initialization.
Contrary to before, an initialization does not create new RestoreSets
anymore, but works within the existing set. For now, only manually
choosing a new storage location creates a new RestoreSet.
Fine-grained progress reporting causes apps to show up twice which is
confusing. Also @pm@ metadata and opt-out APKs are too much detail for
normal users. So we decided to only show a percentage in the progress
notification.
When the backup finished, the app now shows "x of n apps backed up"
which is more positive when the previous negative message of how many
apps were not backed up.
Some further minor tweets were done to app counting to report proper
totals.
This adds @pm@ record backup and APK backup of opt-out apps to the
progress reporting since these two operations are slow when using a
cloud storage SAF backend.
Loading cursors can happen with cloud-based documents providers
such as Nextcloud.
When they return a cursor that is still loading,
we might continue with stale information.
So now we wait for a loading cursor to be fully loaded
before continuing.
This restores only the @pm@ keys that are really needed
and thus speeds up installation with auto restore considerably
when using cloud storage such as NextCloud for example.
@stevesoltys this removes your old way of retreiving installed packages
via getInstalledPackages(0, UserHandle.USER_SYSTEM) as I couldn't find a
difference to the official way.
Also IGNORED_PACKAGES isn't needed anymore since
filterAppsEligibleForBackupForUser() already filters those out.
This should also affect apps that have other errors during the backup
process, but it does not affect apps that opt-out of backup completely.
First part of #65
Apps that have nothing to back up start a backup but then get a call to cancelFullBackup()
and never even call finishBackup().
Do not write metadata for such apps, the call got moved to finishBackup().
These might return outdated or now content when queried,
then check their cloud storage and report back with up-to-date content.
We now detect this (when looking for backups on newly setup storage)
and wait until the content has been loaded before acting on the
response.
This is affecting and was tested with NextCloud.
as storage location.
The backup backoff time is not reliable for this as the system still
attempts to backup the magic @pm@ package without checking for the
backoff value.
This is needed to reliably identify USB mass storage devices.
If someone has several identical thumb drives,
this prevents a backup from being performed when non-backup drives get attached.
Also allow auto-completion when entering the 12-word code.
This makes testing and entering the code easier
and does not compromise security as the word list is public anyway.
Before, we were always returnign a dummy RestoreSet,
if one was actually available or not.
Now, we also include the device name.
Note that it is planned to store the actual device name
and other metadata in an encrypted file
so that the backup server will not learn it.
The implementation is rudimentary for now.
E.g. The notification is only shown when a device init fails
which seems to be triggered after the first failure.
* to get rid of global state
* to have a testable architecture
* to allow for authenticated encryption
* to have a backup format version
* to potentially allow for other storage plugins
* With the upcoming changes, and the increasing number of external
libraries being used, plus the usage of Kotlin, it's getting harder
and harder to build this with the AOSP build system.
* It's best to leverage the existing gradle build system instead,
and use the apk that builds.
* Add a script which downloads the apk matching the tag if a tag is
checked out, otherwise downloads the latest.
For the current transport it is important to know when the backup ends,
because it resets its state only then and closes the ZIP file.
The detection was broken,
because some packages didn't have data to back up (LOG_EVENT_ID_NO_DATA_TO_SEND),
so the transport's methods weren't called and the package counter not updated.
The hacky solution is to use the BackupObserver to call back into the
transport at the end of backup.
Ideally, future transports won't need to know when the backup finishes.
We do this as a temporary fix, because our backup methods are not called
which are updating the package counter. So our mechanism to find out
about the end of the backup is broken. Excluding key-value backups fixes
it for now.
This is being done to implement automatic background updates
and not supposed to be part of a release.
The backup key will later be generated and shown to the user instead of
allowing them to choose their own.
Prior to this commit, some of the application data was not included during encryption. This is a breaking change, any backups made prior to this commit can no longer be restored.
1. Encrypt 'full' backup data.
2. Increase number of key generation iterations to 32767.
3. Change cipher to 'AES/CBC/PKCS5Padding'.
1. Add prompt for entering password during backup and restore.
2. Use PBKDF2 to generate a secret key that is used to encrypt backups.
3. Store salt in backup zip file.
4. Fetch salt from backup zip file during restore and use it to decrypt restoration data.
The output file descriptor was not being closed after each chunk was written.
1. The output stream will no longer be stored in the restore state.
2. The output file descriptor will be closed after a chunk is transferred.