From 34ab3549cf6cbd1e9db2da1707b5932514f5e3a7 Mon Sep 17 00:00:00 2001
From: Damyan Ivanov
Date: Sat, 13 Jul 2019 08:38:37 +0300
Subject: [PATCH] replace hard-coded basic HTTP authentication with triggered Authenticator checks whether host name matches avoids exposing authentication data to wifi portals
---
 .../main/java/net/ktnx/mobileledger/App.java | 31 +++++++++++++++++++
 .../ktnx/mobileledger/utils/NetworkUtil.java | 13 +-------
 2 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/app/src/main/java/net/ktnx/mobileledger/App.java b/app/src/main/java/net/ktnx/mobileledger/App.java
index b6ae697f..920187e9 100644
--- a/app/src/main/java/net/ktnx/mobileledger/App.java
+++ b/app/src/main/java/net/ktnx/mobileledger/App.java
@@ -23,12 +23,19 @@ import android.content.res.Configuration;
 import android.content.res.Resources;
 import android.database.sqlite.SQLiteDatabase;
 import android.preference.PreferenceManager;
+import android.util.Log;
 import net.ktnx.mobileledger.model.Data;
+import net.ktnx.mobileledger.model.MobileLedgerProfile;
 import net.ktnx.mobileledger.utils.Globals;
 import net.ktnx.mobileledger.utils.Logger;
 import net.ktnx.mobileledger.utils.MobileLedgerDatabase;
+import java.net.Authenticator;
+import java.net.MalformedURLException;
+import java.net.PasswordAuthentication;
+import java.net.URL;
+
 import static net.ktnx.mobileledger.ui.activity.SettingsActivity.PREF_KEY_SHOW_ONLY_STARRED_ACCOUNTS;
 public class App extends Application {
@@ -51,6 +58,30 @@ public class App extends Application {
 (preference, value) -> Data.optShowOnlyStarred
 .set(preference.getBoolean(PREF_KEY_SHOW_ONLY_STARRED_ACCOUNTS, false));
 p.registerOnSharedPreferenceChangeListener(handler);
+ Authenticator.setDefault(new Authenticator() {
+ @Override
+ protected PasswordAuthentication getPasswordAuthentication() {
+ MobileLedgerProfile p = Data.profile.getValue();
+ if ((p != null) && p.isAuthEnabled()) {
+ try {
+ final URL url = new URL(p.getUrl());
+ final String requestingHost = getRequestingHost();
+ final String expectedHost = url.getHost();
+ if (requestingHost.equalsIgnoreCase(expectedHost))
+ return new PasswordAuthentication(p.getAuthUserName(),
+ p.getAuthPassword().toCharArray());
+ else Log.w("http-auth",
+ String.format("Requesting host [%s] differs from expected [%s]",
+ requestingHost, expectedHost));
+ }
+ catch (MalformedURLException e) {
+ e.printStackTrace();
+ }
+ }
+
+ return super.getPasswordAuthentication();
+ }
+ });
 }
 private void updateMonthNames() {
 Resources rm = getResources();
diff --git a/app/src/main/java/net/ktnx/mobileledger/utils/NetworkUtil.java b/app/src/main/java/net/ktnx/mobileledger/utils/NetworkUtil.java
index 28663b66..c0802a45 100644
--- a/app/src/main/java/net/ktnx/mobileledger/utils/NetworkUtil.java
+++ b/app/src/main/java/net/ktnx/mobileledger/utils/NetworkUtil.java
@@ -17,14 +17,11 @@ package net.ktnx.mobileledger.utils;
-import android.util.Base64;
-
 import net.ktnx.mobileledger.model.MobileLedgerProfile;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
-import java.nio.charset.StandardCharsets;
 import static net.ktnx.mobileledger.utils.Logger.debug;
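Review bot: The guard in getPasswordAuthentication compares only the host name, so a challenge for the same host on a different port or protocol, or one raised by a proxy (RequestorType.PROXY) for that host, still receives the profile credentials. As far as I can tell getRequestingHost() reports the host of the URL being requested rather than which endpoint actually answered, so the check alone does not distinguish a captive portal that intercepts traffic to that host name on a plain-http profile URL; the real assurance there comes from TLS certificate validation on an https profile URL, and that limit is worth stating in a comment or the commit message. I would also compare getRequestingProtocol() with url.getProtocol(), getRequestingPort() with the URL's explicit or default port, require getRequestorType() == RequestorType.SERVER, and call equalsIgnoreCase on the URL side so a null requesting host (which the Javadoc allows) fails closed instead of throwing; the rewrite is below. The catch block writes to stderr via e.printStackTrace() while the branch above uses Log.w; `Log.w("http-auth", "Invalid profile URL", e)` keeps both on the same channel. The enclosing method starts before this hunk.
```java
final URL url = new URL(p.getUrl());
final int expectedPort = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
// Only answer the configured endpoint itself: same host, protocol and port,
// and a server (401) challenge rather than a proxy (407) one.
final boolean sameEndpoint = getRequestorType() == RequestorType.SERVER
        && url.getHost().equalsIgnoreCase(getRequestingHost())
        && url.getProtocol().equalsIgnoreCase(getRequestingProtocol())
        && getRequestingPort() == expectedPort;
if (sameEndpoint)
    return new PasswordAuthentication(p.getAuthUserName(),
            p.getAuthPassword().toCharArray());
// … unchanged: Log.w mismatch warning, catch block, fall through to super …
```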
@@ -38,15 +35,7 @@ public final class NetworkUtil {
 url += path;
 debug("network", "Connecting to " + url);
 HttpURLConnection http = (HttpURLConnection) new URL(url).openConnection();
- if (use_auth) {
- final String auth_user = profile.getAuthUserName();
- final String auth_password = profile.getAuthPassword();
- final byte[] bytes = (String.format("%s:%s", auth_user, auth_password))
- .getBytes(StandardCharsets.UTF_8);
- final String value = Base64.encodeToString(bytes, Base64.DEFAULT);
- http.setRequestProperty("Authorization", "Basic " + value);
- }
- http.setAllowUserInteraction(false);
+ http.setAllowUserInteraction(true);
 http.setRequestProperty("Accept-Charset", "UTF-8");
 http.setInstanceFollowRedirects(false);
 http.setUseCaches(false);
-- 
2.39.2
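Review bot: With the `if (use_auth)` block gone, `use_auth` is no longer read anywhere in the visible part of this method; if it is a parameter of the enclosing method (the signature is above the hunk) it is now dead while callers still pass it, so either drop it or keep it as the switch that decides whether this request may be answered by the default Authenticator. The change from setAllowUserInteraction(false) to true carries no explanation; I am not certain the flag is needed for the Authenticator to be consulted on Android, so either add a comment such as `// let the default Authenticator installed in App answer 401 challenges` or revert it if it is not required. Credentials are now sent only after a 401 round trip rather than pre-emptively, which adds a request per authenticated call; that is acceptable but deserves a line in the commit message.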