Fix Bug that allowed lockscreen bypass on rooted androids
Auto Tag on Version Change / check-version (push) Successful in 7s
Auto Tag on Version Change / check-version (push) Successful in 7s
This commit is contained in:
@@ -16,6 +16,13 @@ import sh.sar.basedbank.util.CredentialStore
|
||||
|
||||
class BasedBankApp : Application() {
|
||||
|
||||
/**
|
||||
* Set to true only after the user passes LockActivity or completes fresh login.
|
||||
* Resets to false on every process restart so direct ADB/root activity launches
|
||||
* cannot reach HomeActivity without re-authenticating.
|
||||
*/
|
||||
var isUnlocked = false
|
||||
|
||||
// Held in memory after successful login; cleared on logout
|
||||
var accounts: List<BankAccount> = emptyList()
|
||||
var fullName: String = ""
|
||||
|
||||
@@ -21,6 +21,7 @@ import kotlinx.coroutines.withContext
|
||||
import sh.sar.basedbank.databinding.ActivityLockBinding
|
||||
import sh.sar.basedbank.ui.home.HomeActivity
|
||||
import sh.sar.basedbank.util.CredentialStore
|
||||
import sh.sar.basedbank.BasedBankApp
|
||||
import javax.crypto.SecretKeyFactory
|
||||
import javax.crypto.spec.PBEKeySpec
|
||||
|
||||
@@ -259,6 +260,7 @@ class LockActivity : AppCompatActivity() {
|
||||
}
|
||||
|
||||
private fun proceed() {
|
||||
(application as BasedBankApp).isUnlocked = true
|
||||
if (intent.getBooleanExtra(EXTRA_RESUME, false)) {
|
||||
finish()
|
||||
} else {
|
||||
|
||||
@@ -7,11 +7,13 @@ import sh.sar.basedbank.ui.home.HomeActivity
|
||||
import sh.sar.basedbank.ui.login.LoginActivity
|
||||
import sh.sar.basedbank.ui.onboarding.OnboardingActivity
|
||||
import sh.sar.basedbank.util.CredentialStore
|
||||
import sh.sar.basedbank.BasedBankApp
|
||||
|
||||
class MainActivity : AppCompatActivity() {
|
||||
|
||||
override fun onCreate(savedInstanceState: Bundle?) {
|
||||
super.onCreate(savedInstanceState)
|
||||
|
||||
val prefs = getSharedPreferences("prefs", MODE_PRIVATE)
|
||||
val onboardingDone = prefs.getBoolean("onboarding_done", false)
|
||||
val securitySet = prefs.getString("security_method", null) != null
|
||||
@@ -24,6 +26,11 @@ class MainActivity : AppCompatActivity() {
|
||||
securitySet -> LockActivity::class.java // proceed() → HomeActivity
|
||||
else -> HomeActivity::class.java
|
||||
}
|
||||
// No lock screen configured — mark as unlocked so HomeActivity's guard passes
|
||||
if (target == HomeActivity::class.java) {
|
||||
(application as BasedBankApp).isUnlocked = true
|
||||
}
|
||||
|
||||
startActivity(Intent(this, target))
|
||||
finish()
|
||||
}
|
||||
|
||||
@@ -118,6 +118,18 @@ class HomeActivity : AppCompatActivity() {
|
||||
isAppearanceLightStatusBars = isLight
|
||||
isAppearanceLightNavigationBars = isLight
|
||||
}
|
||||
// Auth guard: HomeActivity must only be reachable after LockActivity or fresh login.
|
||||
// Using loadSecurityHash() (EncryptedSharedPreferences) instead of plain prefs so
|
||||
// a rooted device cannot bypass this by editing security_method in plain prefs.
|
||||
val app = application as BasedBankApp
|
||||
if (CredentialStore(this).loadSecurityHash() != null && !app.isUnlocked) {
|
||||
startActivity(
|
||||
android.content.Intent(this, sh.sar.basedbank.LockActivity::class.java)
|
||||
)
|
||||
finish()
|
||||
return
|
||||
}
|
||||
|
||||
setSupportActionBar(binding.toolbar)
|
||||
|
||||
toggle = ActionBarDrawerToggle(
|
||||
@@ -165,7 +177,6 @@ class HomeActivity : AppCompatActivity() {
|
||||
}
|
||||
|
||||
// Load data
|
||||
val app = application as BasedBankApp
|
||||
if (app.mibAccounts.isNotEmpty() || app.bmlAccounts.isNotEmpty() || app.fahipayAccounts.isNotEmpty()) {
|
||||
// Came from fresh manual login — accounts ready, rest fetched in background
|
||||
val merged = app.mibAccounts + app.bmlAccounts + app.fahipayAccounts
|
||||
|
||||
@@ -37,8 +37,10 @@ import kotlinx.coroutines.Dispatchers
|
||||
import kotlinx.coroutines.Job
|
||||
import kotlinx.coroutines.launch
|
||||
import kotlinx.coroutines.withContext
|
||||
import sh.sar.basedbank.BasedBankApp
|
||||
import sh.sar.basedbank.R
|
||||
import sh.sar.basedbank.databinding.ActivityQrScannerBinding
|
||||
import sh.sar.basedbank.util.CredentialStore
|
||||
import java.util.concurrent.Executors
|
||||
|
||||
class QrScannerActivity : AppCompatActivity() {
|
||||
@@ -95,6 +97,14 @@ class QrScannerActivity : AppCompatActivity() {
|
||||
|
||||
override fun onCreate(savedInstanceState: Bundle?) {
|
||||
super.onCreate(savedInstanceState)
|
||||
|
||||
if (CredentialStore(this).loadSecurityHash() != null &&
|
||||
!(application as BasedBankApp).isUnlocked) {
|
||||
startActivity(Intent(this, sh.sar.basedbank.LockActivity::class.java))
|
||||
finish()
|
||||
return
|
||||
}
|
||||
|
||||
WindowCompat.setDecorFitsSystemWindows(window, false)
|
||||
binding = ActivityQrScannerBinding.inflate(layoutInflater)
|
||||
setContentView(binding.root)
|
||||
|
||||
@@ -215,6 +215,7 @@ class CredentialsFragment : Fragment() {
|
||||
app.mibSessions[loginId] = flow.lastSession!!
|
||||
app.mibProfilesMap[loginId] = flow.lastProfiles
|
||||
app.mibLoginFlows[loginId] = flow
|
||||
app.isUnlocked = true
|
||||
val intent = Intent(requireContext(), HomeActivity::class.java)
|
||||
intent.flags = Intent.FLAG_ACTIVITY_CLEAR_TASK or Intent.FLAG_ACTIVITY_NEW_TASK
|
||||
startActivity(intent)
|
||||
@@ -364,6 +365,7 @@ class CredentialsFragment : Fragment() {
|
||||
if (hasBusinessProfiles) {
|
||||
Toast.makeText(requireContext(), "Business profiles can be enabled in Settings → Logins", Toast.LENGTH_LONG).show()
|
||||
}
|
||||
(requireActivity().application as BasedBankApp).isUnlocked = true
|
||||
val intent = Intent(requireContext(), HomeActivity::class.java)
|
||||
intent.flags = Intent.FLAG_ACTIVITY_CLEAR_TASK or Intent.FLAG_ACTIVITY_NEW_TASK
|
||||
startActivity(intent)
|
||||
@@ -496,6 +498,7 @@ class CredentialsFragment : Fragment() {
|
||||
app.fahipaySessions[loginId] = session
|
||||
app.fahipayAccounts = app.fahipayAccounts.filter { it.loginTag != loginTag } + listOf(account)
|
||||
app.accounts = app.accounts.filter { it.loginTag != loginTag } + listOf(account)
|
||||
app.isUnlocked = true
|
||||
val intent = Intent(requireContext(), HomeActivity::class.java)
|
||||
intent.flags = Intent.FLAG_ACTIVITY_CLEAR_TASK or Intent.FLAG_ACTIVITY_NEW_TASK
|
||||
startActivity(intent)
|
||||
|
||||
@@ -1,10 +1,14 @@
|
||||
package sh.sar.basedbank.ui.login
|
||||
|
||||
import android.content.Intent
|
||||
import android.content.res.Configuration
|
||||
import android.os.Bundle
|
||||
import androidx.appcompat.app.AppCompatActivity
|
||||
import androidx.core.view.WindowCompat
|
||||
import sh.sar.basedbank.BasedBankApp
|
||||
import sh.sar.basedbank.LockActivity
|
||||
import sh.sar.basedbank.databinding.ActivityLoginBinding
|
||||
import sh.sar.basedbank.util.CredentialStore
|
||||
|
||||
class LoginActivity : AppCompatActivity() {
|
||||
|
||||
@@ -12,6 +16,16 @@ class LoginActivity : AppCompatActivity() {
|
||||
|
||||
override fun onCreate(savedInstanceState: Bundle?) {
|
||||
super.onCreate(savedInstanceState)
|
||||
|
||||
// If security is configured and the user hasn't unlocked this session,
|
||||
// they must authenticate first before being able to add more accounts.
|
||||
val app = application as BasedBankApp
|
||||
if (CredentialStore(this).loadSecurityHash() != null && !app.isUnlocked) {
|
||||
startActivity(Intent(this, LockActivity::class.java))
|
||||
finish()
|
||||
return
|
||||
}
|
||||
|
||||
WindowCompat.setDecorFitsSystemWindows(window, false)
|
||||
binding = ActivityLoginBinding.inflate(layoutInflater)
|
||||
setContentView(binding.root)
|
||||
|
||||
@@ -13,9 +13,12 @@ import androidx.core.view.WindowCompat
|
||||
import androidx.core.view.WindowInsetsCompat
|
||||
import androidx.viewpager2.widget.ViewPager2
|
||||
import com.google.android.material.tabs.TabLayoutMediator
|
||||
import sh.sar.basedbank.BasedBankApp
|
||||
import sh.sar.basedbank.LockActivity
|
||||
import sh.sar.basedbank.R
|
||||
import sh.sar.basedbank.databinding.ActivityOnboardingBinding
|
||||
import sh.sar.basedbank.ui.login.LoginActivity
|
||||
import sh.sar.basedbank.util.CredentialStore
|
||||
|
||||
class OnboardingActivity : AppCompatActivity(), SecuritySetupFragment.Callback {
|
||||
|
||||
@@ -25,6 +28,15 @@ class OnboardingActivity : AppCompatActivity(), SecuritySetupFragment.Callback {
|
||||
|
||||
override fun onCreate(savedInstanceState: Bundle?) {
|
||||
super.onCreate(savedInstanceState)
|
||||
|
||||
// If security is already configured, onboarding is complete. Redirect to lock screen
|
||||
// to prevent overwriting an existing PIN/pattern via direct activity launch.
|
||||
if (CredentialStore(this).loadSecurityHash() != null) {
|
||||
startActivity(Intent(this, LockActivity::class.java))
|
||||
finish()
|
||||
return
|
||||
}
|
||||
|
||||
WindowCompat.setDecorFitsSystemWindows(window, false)
|
||||
binding = ActivityOnboardingBinding.inflate(layoutInflater)
|
||||
setContentView(binding.root)
|
||||
|
||||
Reference in New Issue
Block a user