BITAU-99 Expose and Protect AuthenticatorBridgeService

bitwarden · Oct 2, 2024 · 2321aa2 · 2321aa2
1 parent 4fd81ed
commit 2321aa2
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 0 deletions.
diff --git a/app/src/beta/res/values/manifest.xml b/app/src/beta/res/values/manifest.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <!-- For beta variant, we don't have a matching variant of the Bitwarden Authenticator app.
+    Therefore, we leave the known app cert null here so that no clients can connect to
+    AuthenticatorBridgeService in the beta variant. If later another variant of the
+    Bitwarden Authenticator app is added, a SHA-255 digest of that variant's APK can be added here.
+    -->
+    <string name="known_authenticator_app_cert">@null</string>
+</resources>
diff --git a/app/src/debug/res/values/manifest.xml b/app/src/debug/res/values/manifest.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <!-- This is the SHA-256 digest for the Authenticator App debug variant:-->
+    <string name="known_authenticator_app_cert">13144ab52af797a88c2fe292674461ef1715e0e1e4f5f538f63f1c174696f476</string>
+</resources>
diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml
@@ -16,6 +16,21 @@
     <uses-permission android:name="android.permission.INTERNET" />
     <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
 
+    <!-- Protect access to AuthenticatorBridgeService using this custom permission.
+
+    Note that each build type uses a different value for knownCerts.
+
+    This in effect means that the only application that can connect to the release variant
+    AuthenticatorBridgeService is the release variant Bitwarden Authenticator app. Furthermore,
+    the only application that can connect to the debug variant of AuthenticatorBridgeService
+    is the debug variant of the BitwardenAuthenticator app. -->
+    <permission
+        android:name="${applicationId}.permission.AUTHENTICATOR_BRIDGE_SERVICE"
+        android:knownCerts="@string/known_authenticator_app_cert"
+        android:label="Bitwarden Bridge"
+        android:protectionLevel="signature|knownSigner"
+        tools:targetApi="s" />
+
     <application
         android:name=".BitwardenApplication"
         android:allowBackup="false"
@@ -277,6 +292,11 @@
             android:name="android.content.APP_RESTRICTIONS"
             android:resource="@xml/app_restrictions" />
 
+        <service
+            android:name="com.x8bit.bitwarden.data.platform.service.AuthenticatorBridgeService"
+            android:exported="true"
+            android:permission="${applicationId}.permission.AUTHENTICATOR_BRIDGE_SERVICE" />
+
     </application>
 
     <queries>

diff --git a/app/src/release/res/values/manifest.xml b/app/src/release/res/values/manifest.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <!-- This is the SHA-256 digest for the Authenticator App Release variant:-->
+    <string name="known_authenticator_app_cert">45bd689eb1493eaef19c346dc1385197ddbb53ddc5d09476db4895df75b9b53b</string>
+</resources>