path: root/hostsidetests/securitybulletin/test-apps/CVE-2021-0642/src/android/security/cts/cve_2021_0642/DeviceTest.java
blob: 8fc235ba9dae17bda1a7e2bd5ec50d6b1f0a1424 (plain)
/*
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security.cts.cve_2021_0642;

import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
import static org.hamcrest.CoreMatchers.notNullValue;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeNoException;
import static org.junit.Assume.assumeTrue;

import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.telephony.TelephonyManager;

import androidx.test.runner.AndroidJUnit4;
import androidx.test.uiautomator.By;
import androidx.test.uiautomator.BySelector;
import androidx.test.uiautomator.UiDevice;
import androidx.test.uiautomator.UiObject2;
import androidx.test.uiautomator.Until;

import java.util.List;

import org.junit.Test;
import org.junit.runner.RunWith;

/**
 * Device-side regression check for CVE-2021-0642 (tracked as b/185126149).
 *
 * <p>The test fires the implicit {@link TelephonyManager#ACTION_CONFIGURE_VOICEMAIL} intent and
 * then inspects the screen to see which UI ended up handling it. The device passes only when UI
 * from {@code com.android.phone} is shown and no element carrying the PoC title is visible. Per
 * the failure message, a PoC activity receiving this intent means the ICCID carried with it could
 * be read by an app that intercepts the implicit intent.
 *
 * <p>NOTE(review): the PoC activity itself is not defined in this file; presumably the companion
 * test app declares an activity for the same action and shows {@link #APP_TITLE} as text.
 */
@RunWith(AndroidJUnit4.class)
public class DeviceTest {
    /** On-screen text used to recognise the PoC activity. */
    static final String APP_TITLE = "CVE-2021-0642";
    /** Package whose UI is expected to handle the voicemail configuration intent. */
    static final String PACKAGE_NAME = "com.android.phone";
    /** Maximum time, in milliseconds, to wait for the phone package's UI to appear. */
    static final int LAUNCH_TIMEOUT_MS = 20000;

    /**
     * Sends ACTION_CONFIGURE_VOICEMAIL and verifies that the phone package, not the PoC, shows up.
     *
     * <p>Preconditions are expressed as JUnit assumptions, so the test is skipped rather than
     * failed when the device has no telephony feature, when nothing resolves the intent, when
     * {@code com.android.phone} is not installed, or when neither UI became visible.
     */
    @Test
    public void testCVE_2021_0642() {
        UiDevice uiDevice = UiDevice.getInstance(getInstrumentation());
        Context appContext = getApplicationContext();
        assertThat(appContext, notNullValue());
        PackageManager pm = appContext.getPackageManager();
        assertThat(pm, notNullValue());

        // The voicemail settings flow only makes sense on telephony-capable devices.
        assumeTrue(pm.hasSystemFeature(PackageManager.FEATURE_TELEPHONY));

        // Deliberately implicit: no component or package is set, so the system resolves the
        // handler. That resolution is exactly what the test observes afterwards.
        final Intent voicemailIntent = new Intent(TelephonyManager.ACTION_CONFIGURE_VOICEMAIL);
        voicemailIntent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK | Intent.FLAG_ACTIVITY_NEW_TASK);
        try {
            appContext.startActivity(voicemailIntent);
        } catch (ActivityNotFoundException noHandler) {
            // No activity handles the action at all: nothing to verify, skip.
            assumeNoException(noHandler);
        }

        // Skip when "com.android.phone" is not present on the system.
        try {
            pm.getPackageUid(PACKAGE_NAME, 0);
        } catch (PackageManager.NameNotFoundException phoneMissing) {
            assumeNoException(phoneMissing);
        }

        // Give the handler inside "com.android.phone" up to LAUNCH_TIMEOUT_MS to come up.
        boolean phoneUiShown =
                uiDevice.wait(Until.hasObject(By.pkg(PACKAGE_NAME)), LAUNCH_TIMEOUT_MS);

        // Independently look for the PoC activity by its title text.
        boolean pocUiShown = isPocTitleOnScreen(uiDevice);

        // Leave whatever was launched before evaluating the outcome.
        uiDevice.pressHome();

        // If neither UI was observed the run is inconclusive, so skip instead of passing.
        assumeTrue(phoneUiShown || pocUiShown);

        String failureMessage = "Device is vulnerable to b/185126149 "
                + "hence sensitive Iccid could be sniffed by intercepting "
                + "ACTION_CONFIGURE_VOICEMAIL implicit intent";
        // Pass only when the phone package handled the intent and the PoC never appeared.
        assertTrue(failureMessage, phoneUiShown && !pocUiShown);
    }

    /**
     * Reports whether any enabled on-screen object shows {@link #APP_TITLE}, ignoring case.
     *
     * @param uiDevice device handle used to enumerate the currently visible UI objects
     * @return {@code true} as soon as one object's text matches the PoC title
     */
    private static boolean isPocTitleOnScreen(UiDevice uiDevice) {
        for (UiObject2 candidate : uiDevice.findObjects(By.enabled(true))) {
            // equalsIgnoreCase(null) is false, so objects without text are simply not a match.
            if (APP_TITLE.equalsIgnoreCase(candidate.getText())) {
                return true;
            }
        }
        return false;
    }
}