aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--autofill-parser/src/main/java/com/github/androidpasswordstore/autofillparser/FeatureAndTrustDetection.kt72
1 files changed, 36 insertions, 36 deletions
diff --git a/autofill-parser/src/main/java/com/github/androidpasswordstore/autofillparser/FeatureAndTrustDetection.kt b/autofill-parser/src/main/java/com/github/androidpasswordstore/autofillparser/FeatureAndTrustDetection.kt
index 5bef386b..05a425f0 100644
--- a/autofill-parser/src/main/java/com/github/androidpasswordstore/autofillparser/FeatureAndTrustDetection.kt
+++ b/autofill-parser/src/main/java/com/github/androidpasswordstore/autofillparser/FeatureAndTrustDetection.kt
@@ -14,42 +14,42 @@ import android.provider.Settings
import android.service.autofill.SaveInfo
import androidx.annotation.RequiresApi
-/*
- In order to add a new browser, do the following:
-
- 1. Obtain the .apk from a trusted source. For example, download it from the Play Store on your
- phone and use adb pull to get it onto your computer. We will assume that it is called
- browser.apk.
-
- 2. Run
-
- aapt dump badging browser.apk | grep package: | grep -Eo " name='[a-zA-Z0-9_\.]*" | cut -c8-
-
- to obtain the package name (actually, the application ID) of the app in the .apk.
-
- 3. Run
-
- apksigner verify --print-certs browser.apk | grep "#1 certificate SHA-256" | grep -Eo "[a-f0-9]{64}" | tr -d '\n' | xxd -r -p | base64
-
- to calculate the hash of browser.apk's first signing certificate.
- Note: This will only work if the apk has a single signing certificate. Apps with multiple
- signers are very rare, so there is probably no need to add them.
- Refer to computeCertificatesHash to learn how the hash would be computed in this case.
-
- 4. Verify the package name and the hash, for example by asking other people to repeat the steps
- above.
-
- 5. Add an entry with the browser apps's package name and the hash to
- TRUSTED_BROWSER_CERTIFICATE_HASH.
-
- 6. Optionally, try adding the browser's package name to BROWSERS_WITH_SAVE_SUPPORT and check
- whether a save request to Password Store is triggered when you submit a registration form.
-
- 7. Optionally, try adding the browser's package name to BROWSERS_WITH_MULTI_ORIGIN_SUPPORT and
- check whether it correctly distinguishes web origins even if iframes are present on the page.
- You can use https://fabianhenneke.github.io/Android-Password-Store/ as a test form.
-*/
-/*
+/**
+ * In order to add a new browser, do the following:
+ *
+ * 1. Obtain the .apk from a trusted source. For example, download it from the Play Store on your
+ * phone and use adb pull to get it onto your computer. We will assume that it is called
+ * browser.apk.
+ *
+ * 2. Run
+ *
+ * aapt dump badging browser.apk | grep package: | grep -Eo " name='[a-zA-Z0-9_\.]*" | cut -c8-
+ *
+ * to obtain the package name (actually, the application ID) of the app in the .apk.
+ *
+ * 3. Run
+ *
+ * apksigner verify --print-certs browser.apk | grep "#1 certificate SHA-256" | grep -Eo
+ * "[a-f0-9]{64}" | tr -d '\n' | xxd -r -p | base64
+ *
+ * to calculate the hash of browser.apk's first signing certificate. Note: This will only work if
+ * the apk has a single signing certificate. Apps with multiple signers are very rare, so there is
+ * probably no need to add them. Refer to computeCertificatesHash to learn how the hash would be
+ * computed in this case.
+ *
+ * 4. Verify the package name and the hash, for example by asking other people to repeat the steps
+ * above.
+ *
+ * 5. Add an entry with the browser apps's package name and the hash to
+ * TRUSTED_BROWSER_CERTIFICATE_HASH.
+ *
+ * 6. Optionally, try adding the browser's package name to BROWSERS_WITH_SAVE_SUPPORT and check
+ * whether a save request to Password Store is triggered when you submit a registration form.
+ *
+ * 7. Optionally, try adding the browser's package name to BROWSERS_WITH_MULTI_ORIGIN_SUPPORT and
+ * check whether it correctly distinguishes web origins even if iframes are present on the page. You
+ * can use https://fabianhenneke.github.io/Android-Password-Store/ as a test form.
+ *
* **Security assumption**: Browsers on this list correctly report the web origin of the top-level
* window as part of their AssistStructure.
*