1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security.cts.cve_2021_0523;
18 
19 import android.app.Service;
20 import android.content.Intent;
21 import android.content.res.Resources;
22 import android.graphics.Bitmap;
23 import android.graphics.Color;
24 import android.graphics.PixelFormat;
25 import android.os.Build;
26 import android.os.Handler;
27 import android.os.IBinder;
28 import android.provider.Settings;
29 import android.view.Gravity;
30 import android.view.MotionEvent;
31 import android.view.View;
32 import android.view.WindowManager;
33 import android.view.WindowManager.LayoutParams;
34 import android.widget.Button;
35 
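/**
 * Proof-of-concept service used by the CVE-2021-0523 check (b/174047492).
 *
 * <p>When started, the service adds an opaque, uniformly coloured {@link Button} in a
 * {@code TYPE_APPLICATION_OVERLAY} window. If that button receives a touch event and its
 * rendered pixel still has the marker colour, the touch listener throws a
 * {@link RuntimeException} reporting that an app holding {@code SYSTEM_ALERT_WINDOW} was able
 * to overlay the WifiScanModeActivity screen.
 *
 * <p>NOTE(review): how the test harness observes that exception (process crash, logcat, ...) is
 * not visible in this file.
 */
public class PocService extends Service {
    /** Colour the overlay is painted with; the touch listener looks for the same RGB value. */
    private static final String MARKER_COLOR = "#BEBEBE"; // R-BE G-BE B-BE

    /** Mask that drops the alpha channel so only RGB is compared. */
    private static final int RGB_MASK = 0x00FFFFFF;

    /** How long the overlay stays up before the service stops itself. */
    private static final long OVERLAY_LIFETIME_MS = 60000; // one minute

    // Public and static in the original; kept that way so code outside this file can still
    // reach the overlay view.
    public static Button mButton;
    private WindowManager mWindowManager;
    private WindowManager.LayoutParams mLayoutParams;
    private Handler mHandler;

    // True only while this instance has a view registered with the WindowManager. Guards
    // removeView() so it is never called for a view that was already removed (or was added by
    // a previous instance through the static mButton), which would throw.
    private boolean mOverlayAttached;

    /** Returns the display width in pixels as reported by the system resources. */
    private static int getScreenWidth() {
        return Resources.getSystem().getDisplayMetrics().widthPixels;
    }

    /** Returns the display height in pixels as reported by the system resources. */
    private static int getScreenHeight() {
        return Resources.getSystem().getDisplayMetrics().heightPixels;
    }

    /**
     * Prepares the layout parameters of the overlay window: an opaque application overlay that
     * is neither focusable nor touch-modal, sized to the full screen and offset from the
     * top-left corner by half the screen width and height.
     */
    @Override
    public void onCreate() {
        super.onCreate();
        mHandler = new Handler();
        mWindowManager = getSystemService(WindowManager.class);
        mLayoutParams = new WindowManager.LayoutParams();
        mLayoutParams.type = WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY;
        mLayoutParams.flags = WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL
                | WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE;
        mLayoutParams.format = PixelFormat.OPAQUE;
        mLayoutParams.gravity = Gravity.LEFT | Gravity.TOP;
        mLayoutParams.width = getScreenWidth();
        mLayoutParams.height = getScreenHeight();
        mLayoutParams.x = getScreenWidth() / 2;
        mLayoutParams.y = getScreenHeight() / 2;
    }

    /** This service is started, not bound; binding is not supported. */
    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }

    /** Shows the overlay and otherwise defers to the default start behaviour. */
    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        showFloatingWindow();
        return super.onStartCommand(intent, flags, startId);
    }

    /** Cancels the pending self-stop timer and takes the overlay down. */
    @Override
    public void onDestroy() {
        if (mHandler != null) {
            // Drop the delayed stop so it cannot fire against a destroyed service.
            mHandler.removeCallbacksAndMessages(null);
        }
        removeOverlay();
        super.onDestroy();
    }

    /** Removes the overlay view if, and only if, this instance currently has it attached. */
    private void removeOverlay() {
        if (mOverlayAttached && mWindowManager != null && mButton != null) {
            mWindowManager.removeView(mButton);
        }
        mOverlayAttached = false;
    }

    /**
     * Adds the marker-coloured button as an overlay window and schedules the service to stop
     * after {@link #OVERLAY_LIFETIME_MS}.
     */
    private void showFloatingWindow() {
        if (!Settings.canDrawOverlays(this)) {
            // NOTE(review): without the overlay permission nothing is shown and the touch
            // check can never fire, so a "pass" would be vacuous. The harness is presumably
            // expected to grant SYSTEM_ALERT_WINDOW before starting this service - confirm.
            return;
        }
        if (mOverlayAttached) {
            // A repeated start must not stack a second window on top of the first: the
            // earlier view would be orphaned (mButton is overwritten) and never removed.
            return;
        }
        mButton = new Button(getApplicationContext());
        mButton.setBackgroundColor(Color.parseColor(MARKER_COLOR));
        mWindowManager.addView(mButton, mLayoutParams);
        mOverlayAttached = true;
        mButton.setOnTouchListener(new FloatingOnTouchListener());
        mHandler.postDelayed(new Runnable() {
            @Override
            public void run() {
                // Ask the framework to stop the service instead of invoking onDestroy()
                // directly. A direct call leaves the service running, and the framework's
                // own onDestroy() later would try to remove the already-removed view and
                // crash with an exception unrelated to the vulnerability check.
                stopSelf();
            }
        }, OVERLAY_LIFETIME_MS);
        mButton.setTag(mButton.getVisibility());
    }

    /**
     * Touch listener for the overlay button. Receiving a touch while the button renders in the
     * marker colour is treated as evidence that the overlay was shown over the target screen.
     */
    private static class FloatingOnTouchListener implements View.OnTouchListener {

        /**
         * Samples one pixel of the touched view and throws if it has the marker colour.
         *
         * @return {@code false}, so the event is not consumed, when the marker is not found
         * @throws RuntimeException if the sampled pixel matches the marker colour
         * @throws IllegalStateException if the view's drawing cache could not be captured
         */
        @Override
        public boolean onTouch(View view, MotionEvent event) {
            view.setDrawingCacheEnabled(true);
            view.buildDrawingCache();
            Bitmap bitmap = view.getDrawingCache();
            if (bitmap == null) {
                view.setDrawingCacheEnabled(false);
                // Fail with a message of its own rather than a bare NullPointerException, so
                // a capture problem is not mistaken for the vulnerability signal below.
                throw new IllegalStateException(
                    "Could not capture the overlay drawing cache; marker pixel not sampled");
            }
            // Sample position is in bitmap coordinates; getPixel() itself throws
            // IllegalArgumentException if it lies outside the captured bitmap.
            int pixel = bitmap.getPixel(getScreenWidth() / 2, getScreenHeight() / 2);
            view.setDrawingCacheEnabled(false);
            int markerRgb = Color.parseColor(MARKER_COLOR) & RGB_MASK;
            if ((pixel & RGB_MASK) == markerRgb) {
                throw new RuntimeException(
                    "Device is vulnerable to b/174047492 hence any app with " +
                    "SYSTEM_ALERT_WINDOW can overlay the WifiScanModeActivity screen");
            }
            return false;
        }
    }
}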