Merge pull request #29 from wordpress-mobile/issue/27-hash-pin

Address security issue by storing hashed password rather than encrypted

Author: tonyr59h

library/gradle.properties-example

@@ -1,5 +1,4 @@
 passcodelock.password_preference_key=passcode_lock_prefs_password_key
-passcodelock.password_salt=11-maggio-2014-osvaldo-al-49novesimo!
 passcodelock.password_enc_secret=5-maggio-2002-Karel-Poborsky
 
 ossrhUsername=hello

library/src/org/wordpress/passcodelock/AbstractAppLock.java

@@ -1,35 +1,65 @@
 package org.wordpress.passcodelock;
 
+import android.annotation.TargetApi;
 import android.app.Application;
+import android.os.Build;
 
+/**
+ * Interface for AppLock implementations.
+ *
+ * There are situations where the AppLock should not be required within an app. Methods for tracking
+ * exempt {@link android.app.Activity}'s are provided and sub-class implementations are expected to
+ * comply with requested exemptions.
+ * @see #isExemptActivity(String)
+ * @see #setExemptActivities(String[])
+ * @see #getExemptActivities()
+ *
+ * Applications can request a one-time delay in locking the app. This can be useful for activities
+ * that launch external applications with the expectation that the user will return to the calling
+ * application shortly.
+ */
+@TargetApi(Build.VERSION_CODES.ICE_CREAM_SANDWICH)
 public abstract class AbstractAppLock implements Application.ActivityLifecycleCallbacks {
-    public static final int DEFAULT_TIMEOUT = 2; //2 seconds
-    public static final int EXTENDED_TIMEOUT = 60; //60 seconds
+    public static final String FINGERPRINT_VERIFICATION_BYPASS = "fingerprint-bypass__";
+    public static final int DEFAULT_TIMEOUT_S = 2;
+    public static final int EXTENDED_TIMEOUT_S = 60;
 
-    protected static final String FINGERPRINT_VERIFICATION_BYPASS = "fingerprint-bypass__";
+    private int mLockTimeout = DEFAULT_TIMEOUT_S;
+    private String[] mExemptActivities;
 
-    protected int lockTimeOut = DEFAULT_TIMEOUT;
-    protected String[] appLockDisabledActivities = new String[0];
+    public boolean isExemptActivity(String name) {
+        if (name == null) return false;
+        for (String activityName : getExemptActivities()) {
+            if (name.equals(activityName)) return true;
+        }
+        return false;
+    }
+
+    public void setExemptActivities(String[] exemptActivities) {
+        mExemptActivities = exemptActivities;
+    }
+
+    public String[] getExemptActivities() {
+        if (mExemptActivities == null) setExemptActivities(new String[0]);
+        return mExemptActivities;
+    }
 
-    /*
-     * There are situations where an activity will start a different application with an intent.  
-     * In these situations call this method right before leaving the app.
-     */
     public void setOneTimeTimeout(int timeout) {
-        this.lockTimeOut = timeout;
+        mLockTimeout = timeout;
+    }
+
+    public int getTimeout() {
+        return mLockTimeout;
     }
 
-    /*
-     * There are situations where we don't want call the AppLock on activities (sharing items to out app for example).  
-     */
-    public void setDisabledActivities( String[] disabledActs ) {
-    	this.appLockDisabledActivities = disabledActs;
+    protected boolean isFingerprintPassword(String password) {
+        return FINGERPRINT_VERIFICATION_BYPASS.equals(password);
     }
-    
+
     public abstract void enable();
     public abstract void disable();
     public abstract void forcePasswordLock();
-    public abstract boolean verifyPassword( String password );
+    public abstract boolean verifyPassword(String password);
     public abstract boolean isPasswordLocked();
     public abstract boolean setPassword(String password);
 }

library/src/org/wordpress/passcodelock/AbstractPasscodeKeyboardActivity.java

@@ -88,6 +88,10 @@ public void onPause() {
         }
     }
 
+    protected AbstractAppLock getAppLock() {
+        return AppLockManager.getInstance().getAppLock();
+    }
+
     private OnClickListener defaultButtonListener = new OnClickListener() {
         @Override
         public void onClick(View arg0) {

library/src/org/wordpress/passcodelock/AppLockManager.java

@@ -3,35 +3,32 @@
 import android.app.Application;
 
 public class AppLockManager {
-
     private static AppLockManager instance;
     private AbstractAppLock currentAppLocker;
-    
+
     public static AppLockManager getInstance() {
         if (instance == null) {
             instance = new AppLockManager();
         }
         return instance;
     }
-        
+
     public void enableDefaultAppLockIfAvailable(Application currentApp) {
-        if (android.os.Build.VERSION.SDK_INT >= 14) {
-            currentAppLocker = new DefaultAppLock(currentApp);
-            currentAppLocker.enable();
-        }
+        if (!DefaultAppLock.isSupportedApi()) return;
+        currentAppLocker = new DefaultAppLock(currentApp);
+        currentAppLocker.enable();
+    }
+
+    public boolean isDefaultLock() {
+        return getAppLock() != null && getAppLock() instanceof DefaultAppLock;
     }
 
     /**
-     * Default App lock is available on Android-v14 or higher.
-     * @return True if the Passcode Lock feature is available on the device
+     * @return true when an App lock is available. It could be either a the Default App lock on
+     * Android-v14 or higher, or a non default App lock
      */
-    public boolean isAppLockFeatureEnabled(){
-    	if( currentAppLocker == null )
-    		return false;
-    	if( currentAppLocker instanceof DefaultAppLock)
-    		return (android.os.Build.VERSION.SDK_INT >= 14);
-    	else 
-    		return true;
+    public boolean isAppLockFeatureEnabled() {
+        return getAppLock() != null && (!isDefaultLock() || DefaultAppLock.isSupportedApi());
     }
 
     public void setCurrentAppLock(AbstractAppLock newAppLocker) {
@@ -41,19 +38,12 @@ public void setCurrentAppLock(AbstractAppLock newAppLocker) {
         currentAppLocker = newAppLocker;
     }
 
-    public AbstractAppLock getCurrentAppLock() {
+    public AbstractAppLock getAppLock() {
         return currentAppLocker;
     }
 
-    /*
-     * Convenience method used to extend the default timeout.
-     * 
-     * There are situations where an activity will start a different application with an intent.  
-     * In these situations call this method right before leaving the app.
-     */
     public void setExtendedTimeout(){
-        if ( currentAppLocker == null )
-            return;
-        currentAppLocker.setOneTimeTimeout(AbstractAppLock.EXTENDED_TIMEOUT);
+        if (getAppLock() == null) return;
+        getAppLock().setOneTimeTimeout(AbstractAppLock.EXTENDED_TIMEOUT_S);
     }
 }