getInstalledRelatedApps: Introduce random delay to stop timing attacks.

content/public/android/java/src/org/chromium/content/browser/installedapp/InstalledAppProviderImpl.java

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.content.browser.installedapp;
 
 import android.content.Context;
 import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageManager;
 import android.content.pm.PackageManager.NameNotFoundException;
@@ skipping 91 matching lines @@
     public void onConnectionError(MojoException e) {}
 
     /**
      * Determines whether a particular app is installed and matches the origin.
      *
      * @param packageName Name of the Android package to check if installed. Returns false if the
      *                    app is not installed.
      * @param frameUrl Returns false if the Android package does not declare association with the
      *                origin of this URL. Can be null.
      */
-    private static boolean isAppInstalledAndAssociatedWithOrigin(
+    private boolean isAppInstalledAndAssociatedWithOrigin(
             String packageName, URI frameUrl, PackageManager pm) {
         if (frameUrl == null) return false;
 
+        // Important timing-attack prevention measure: delay by a pseudo-random amount of time, to
+        // add significant noise to the time taken to check whether this app is installed and
+        // related. Otherwise, it would be possible to tell whether a non-related app is installed,
+        // based on the time this operation takes.
+        //
+        // Generate a 16-bit hash based on a unique device ID + the package name.
+        short hash = PackageHash.hashForPackage(packageName);
+
+        // The time delay is the low 13 bits of the hash in μs (between 0 and 8.192ms).
+        int sleepUsec = hash & 0x1fff;
+        sleep(sleepUsec / 1000, (sleepUsec % 1000) * 1000);
+
         // Early-exit if the Android app is not installed.
         JSONArray statements;
         try {
             statements = getAssetStatements(packageName, pm);
         } catch (NameNotFoundException e) {
             return false;
         }
 
         // The installed Android app has provided us with a list of asset statements. If any one of
         // those statements is a web asset that matches the given origin, return true.
@@ skipping 114 matching lines @@
     }
 
     private static boolean statementTargetMatches(URI frameUrl, URI assetUrl) {
         if (assetUrl.getScheme() == null || assetUrl.getAuthority() == null) {
             return false;
         }
 
         return assetUrl.getScheme().equals(frameUrl.getScheme())
                 && assetUrl.getAuthority().equals(frameUrl.getAuthority());
     }
+
+    /**
+     * Puts the current thread to sleep for a given amount of time.
+     *
+     * This is approximate but should at least be accurate to the millisecond.
+     *
+     * Protected and non-static for testing.
+     */
+    protected void sleep(long millis, int nanos) {
+        try {
+            Thread.sleep(millis, nanos);

[Matt Giuca, 2017/04/11 08:34:08]

tedchoc: I think this Thread.sleep might be bad (if I set this to a huge number,
it blocks the main browser UI).

It's not terrible, since it's designed to sleep on the order of 0-8ms which is
about how long the computation will take anyway. But it would be better if we
can post a delayed task instead of just sleeping the thread.

I am not familiar with the JS side of things (in C++ it would be a
PostDelayedTask). Can you recommend how to do it? Or is the Thread.sleep OK?

[Ted C, 2017/04/11 16:01:32]

We definitely shouldn't sleep the UI thread.  That will cause a StrictMode
violation (a red flash showing we're doing bad things).

Can this call be made async?  If you were do do something like:

private [void] isAppInstalledAndAssociatedWithOrigin(
    String packageName, URI frameUrl, PackageManager pm, [final
Callback<Boolean> callback]) {
    new Handler().postDelayed(new Runnable() {
        @Override
        public void run() {
            callback.call(helperMethodThatDoesStuffForRealz(packageName,
frameUrl, pm);
        }
    }, <random delay>);
}

FWIW 8ms is half a render frame, so that is actually not something we should do
lightly.

[Matt Giuca, 2017/04/12 01:05:58]

Oh yeah, I saw that red flash and didn't know what it was.
Thanks, that looks like exactly what I want.
Given that it can take ~8ms (or in extreme cases, double that) to actually
process the JSON, is this something we also should be doing on another thread
instead of doing this operation here on the UI thread? (Which is why I ask above
about whether postDelayed is going to use the UI thread or a worker thread.)

It looks like (from the Handler documentation) that the above code will still
run that helperMethodThatDoesStuffForRealz code on the main thread, and I would
have to do more work to farm it off to a separate thread.

+        } catch (InterruptedException e) {
+            // Continue to interrupt the thread after this completes.
+            Thread.currentThread().interrupt();
+        }
+    }
 }