pff: Infrastructure needed for permission spoofing
- Based on the original work by Plamen K. Kosseff
- Initial commit

Conflicts:
	src/java/com/android/internal/telephony/PhoneSubInfo.java
guhl authored and guhl committed Mar 31, 2014
1 parent 2508a98 commit c58e759
Showing 1 changed file with 215 additions and 43 deletions.
258 changes: 215 additions & 43 deletions src/java/com/android/internal/telephony/PhoneSubInfo.java
Expand Up @@ -17,6 +17,8 @@

import java.io.FileDescriptor;
import java.io.PrintWriter;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import android.content.Context;
import android.content.pm.PackageManager;
Expand All @@ -30,6 +32,7 @@ public class PhoneSubInfo extends IPhoneSubInfo.Stub {
static final String LOG_TAG = "PhoneSubInfo";
private static final boolean DBG = true;
private static final boolean VDBG = false; // STOPSHIP if true
private static final boolean PFF_DBG = true;

private Phone mPhone;
private Context mContext;
Expand Down Expand Up @@ -64,8 +67,16 @@ protected void finalize() {
*/
@Override
public String getDeviceId() {
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getDeviceId();
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
return mPhone.getDeviceId();
case PackageManager.PERMISSION_SPOOFED:
if (PFF_DBG) log("VM: PhoneSubInfo.getDeviceId: spoofed");
return createNumericSpoof(mPhone.getDeviceId().length(), 6, 3, null);
default:
return "";
}
}

/**
Expand All @@ -74,17 +85,33 @@ public String getDeviceId() {
*/
@Override
public String getDeviceSvn() {
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getDeviceSvn();
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
return mPhone.getDeviceSvn();
case PackageManager.PERMISSION_SPOOFED:
if (PFF_DBG) log("VM: PhoneSubInfo.getDeviceSvn: spoofed");
return createNumericSpoof(mPhone.getDeviceSvn().length(), 5, 2, null);
default:
return "";
}
}

/**
* Retrieves the unique subscriber ID, e.g., IMSI for GSM phones.
*/
@Override
public String getSubscriberId() {
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getSubscriberId();
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
return mPhone.getSubscriberId();
case PackageManager.PERMISSION_SPOOFED:
if (PFF_DBG) log("VM: PhoneSubInfo.getSubscriberId: spoofed");
return createNumericSpoof(mPhone.getSubscriberId().length(), 0, 3, null);
default:
return "";
}
}

/**
Expand All @@ -100,46 +127,107 @@ public String getGroupIdLevel1() {
*/
@Override
public String getIccSerialNumber() {
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getIccSerialNumber();
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
return mPhone.getIccSerialNumber();
case PackageManager.PERMISSION_SPOOFED:
String real = mPhone.getIccSerialNumber();
if (PFF_DBG) log("VM: PhoneSubInfo.getIccSerialNumber: spoofed");
return createNumericSpoof(real.length(), 2, 5, null);
default:
return "";
}
}

/**
* Retrieves the phone number string for line 1.
*/
@Override
public String getLine1Number() {
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getLine1Number();
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
return mPhone.getLine1Number();
case PackageManager.PERMISSION_SPOOFED:
byte[] data = getMD5Sum();
StringBuilder spoof = new StringBuilder("+11");
for(int i = 0; i < 4; i++) {
spoof.append(0x0f & data[i+4]);
spoof.append(data[i] >> 8);
}
if (PFF_DBG) log("VM: PhoneSubInfo.getLine1Number: spoofed");
return spoof.toString();
default:
return "";
}
}

/**
* Retrieves the alpha identifier for line 1.
*/
@Override
public String getLine1AlphaTag() {
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getLine1AlphaTag();
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
return (String) mPhone.getLine1AlphaTag();
case PackageManager.PERMISSION_SPOOFED:
if (PFF_DBG) log("VM: PhoneSubInfo.getLine1AlphaTag: spoofed");
return "Line1";
default:
return "";
}
}

/**
* Retrieves the MSISDN string.
*/
@Override
public String getMsisdn() {
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getMsisdn();
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getMsisdn();
case PackageManager.PERMISSION_SPOOFED:
byte[] data = getMD5Sum();
StringBuilder spoof = new StringBuilder("+11");
for(int i = 0; i < 4; i++) {
spoof.append(0x0f & data[i+4]);
spoof.append(data[i] >> 8);
}
if (PFF_DBG) log("VM: PhoneSubInfo.getMsisdn: spoofed");
return spoof.toString();
default:
return "";
}
}

/**
* Retrieves the voice mail number.
*/
@Override
public String getVoiceMailNumber() {
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
String number = PhoneNumberUtils.extractNetworkPortion(mPhone.getVoiceMailNumber());
if (VDBG) log("VM: PhoneSubInfo.getVoiceMailNUmber: " + number);
return number;
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
String number = PhoneNumberUtils.extractNetworkPortion(mPhone.getVoiceMailNumber());
if (VDBG) log("VM: PhoneSubInfo.getVoiceMailNUmber: " + number);
return number;
case PackageManager.PERMISSION_SPOOFED:
byte[] data = getMD5Sum();
StringBuilder spoof = new StringBuilder("+11");
for(int i = 0; i < 4; i++) {
spoof.append(0x0f & data[i]);
spoof.append(data[i] >> 8);
}
if (PFF_DBG) log("VM: PhoneSubInfo.getVoiceMailNumber: spoofed");
return spoof.toString();
default:
return "";
}
}

/**
Expand All @@ -149,20 +237,43 @@ public String getVoiceMailNumber() {
*/
@Override
public String getCompleteVoiceMailNumber() {
mContext.enforceCallingOrSelfPermission(CALL_PRIVILEGED,
"Requires CALL_PRIVILEGED");
String number = mPhone.getVoiceMailNumber();
if (VDBG) log("VM: PhoneSubInfo.getCompleteVoiceMailNUmber: " + number);
return number;
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
mContext.enforceCallingOrSelfPermission(CALL_PRIVILEGED, "Requires CALL_PRIVILEGED");
String number = mPhone.getVoiceMailNumber();
if (VDBG) log("VM: PhoneSubInfo.getCompleteVoiceMailNUmber: " + number);
return number;
case PackageManager.PERMISSION_SPOOFED:
byte[] data = getMD5Sum();
StringBuilder spoof = new StringBuilder("+11");
for(int i = 0; i < 4; i++) {
spoof.append(0x0f & data[i]);
spoof.append(data[i] >> 8);
}
if (PFF_DBG) log("VM: PhoneSubInfo.getCompleteVoiceMailNumber: spoofed");
return spoof.toString();
default:
return "";
}
}

/**
* Retrieves the alpha identifier associated with the voice mail number.
*/
@Override
public String getVoiceMailAlphaTag() {
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getVoiceMailAlphaTag();
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
mContext.enforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
return mPhone.getVoiceMailAlphaTag();
case PackageManager.PERMISSION_SPOOFED:
if (PFF_DBG) log("VM: PhoneSubInfo.getVoiceMailAlphaTag: spoofed");
return "Voicemail";
default:
return "";
}
}

/**
Expand All @@ -171,12 +282,22 @@ public String getVoiceMailAlphaTag() {
*/
@Override
public String getIsimImpi() {
mContext.enforceCallingOrSelfPermission(READ_PRIVILEGED_PHONE_STATE,
"Requires READ_PRIVILEGED_PHONE_STATE");
IsimRecords isim = mPhone.getIsimRecords();
if (isim != null) {
return isim.getIsimImpi();
} else {
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
mContext.enforceCallingOrSelfPermission(READ_PRIVILEGED_PHONE_STATE,
"Requires READ_PRIVILEGED_PHONE_STATE");
IsimRecords isim = mPhone.getIsimRecords();
if (isim != null) {
return isim.getIsimImpi();
} else {
return null;
}
case PackageManager.PERMISSION_SPOOFED:
if (PFF_DBG) log("VM: PhoneSubInfo.getIsimImpi: spoofed");
// Guhl: TBD change this to spoofing!
return null;
default:
return null;
}
}
Expand All @@ -187,12 +308,22 @@ public String getIsimImpi() {
*/
@Override
public String getIsimDomain() {
mContext.enforceCallingOrSelfPermission(READ_PRIVILEGED_PHONE_STATE,
"Requires READ_PRIVILEGED_PHONE_STATE");
IsimRecords isim = mPhone.getIsimRecords();
if (isim != null) {
return isim.getIsimDomain();
} else {
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
mContext.enforceCallingOrSelfPermission(READ_PRIVILEGED_PHONE_STATE,
"Requires READ_PRIVILEGED_PHONE_STATE");
IsimRecords isim = mPhone.getIsimRecords();
if (isim != null) {
return isim.getIsimDomain();
} else {
return null;
}
case PackageManager.PERMISSION_SPOOFED:
if (PFF_DBG) log("VM: PhoneSubInfo.getIsimDomain: spoofed");
// Guhl: TBD change this to spoofing!
return null;
default:
return null;
}
}
Expand All @@ -204,12 +335,22 @@ public String getIsimDomain() {
*/
@Override
public String[] getIsimImpu() {
mContext.enforceCallingOrSelfPermission(READ_PRIVILEGED_PHONE_STATE,
"Requires READ_PRIVILEGED_PHONE_STATE");
IsimRecords isim = mPhone.getIsimRecords();
if (isim != null) {
return isim.getIsimImpu();
} else {
int res = mContext.pffEnforceCallingOrSelfPermission(READ_PHONE_STATE, "Requires READ_PHONE_STATE");
switch (res) {
case PackageManager.PERMISSION_GRANTED:
mContext.enforceCallingOrSelfPermission(READ_PRIVILEGED_PHONE_STATE,
"Requires READ_PRIVILEGED_PHONE_STATE");
IsimRecords isim = mPhone.getIsimRecords();
if (isim != null) {
return isim.getIsimImpu();
} else {
return null;
}
case PackageManager.PERMISSION_SPOOFED:
if (PFF_DBG) log("VM: PhoneSubInfo.getIsimImpu: spoofed");
// Guhl: TBD change this to spoofing!
return null;
default:
return null;
}
}
Expand All @@ -236,4 +377,35 @@ protected void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
pw.println(" Phone Type = " + mPhone.getPhoneName());
pw.println(" Device ID = " + mPhone.getDeviceId());
}

private String createNumericSpoof(final int len, int begin, int step, String prefix) {
byte[] data = getMD5Sum();
StringBuilder spoof = new StringBuilder();
if (prefix != null) {
spoof.append(prefix);
}
int j = begin;
while (spoof.length() < len) {
spoof.append(0xff & data[j]);
j += step;
if (j >= data.length) {
j -= data.length;
}
}
spoof.setLength(len);
return spoof.toString();
}

private byte[] getMD5Sum() {
byte[] data = null;
try {
int uid = Binder.getCallingUid();
String name = mContext.getPackageManager().getNameForUid(uid);
MessageDigest md = MessageDigest.getInstance("MD5");
data = md.digest(name.getBytes());
} catch (NoSuchAlgorithmException e) {
}
return data;
}

}
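Review bot: In the PERMISSION_SPOOFED branch of getLine1Number, `spoof.append(data[i] >> 8)` shifts a sign-extended byte by eight bits, so it can only append `0` or `-1`, and `0x0f & data[i+4]` appends values up to 15; the returned string therefore varies in length and can contain minus signs, which is not a well-formed number. The same loop is repeated in getMsisdn, getVoiceMailNumber and getCompleteVoiceMailNumber. Presumably the high nibble was intended, so I would move the loop into one private helper that emits exactly one decimal digit per append and call it from all four methods, as sketched below. The helper also needs the digest to be non-null: getMD5Sum swallows NoSuchAlgorithmException and returns null, and `name` looks like it could be null as well, so a guard there is worth adding.

```java
// … unchanged: permission switch in getLine1Number; the SPOOFED case becomes …
                return createPhoneNumberSpoof(4); // 0 in the two voice-mail getters

// … unchanged: createNumericSpoof, getMD5Sum …

    // Builds the "+11"-prefixed placeholder number with a fixed eight digits.
    // offset selects which digest bytes supply the low-nibble digit.
    private String createPhoneNumberSpoof(int offset) {
        byte[] data = getMD5Sum();
        StringBuilder spoof = new StringBuilder("+11");
        for (int i = 0; i < 4; i++) {
            spoof.append((data[i + offset] & 0x0f) % 10);
            spoof.append(((data[i] >> 4) & 0x0f) % 10);
        }
        return spoof.toString();
    }
```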
