getInstalledRelatedApps: Introduce random delay to stop timing attacks.

content/public/android/java/src/org/chromium/content/browser/installedapp/InstalledAppProviderImpl.java

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.content.browser.installedapp;
 
 import android.content.Context;
 import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageManager;
 import android.content.pm.PackageManager.NameNotFoundException;
 import android.content.res.Resources;
 import android.os.AsyncTask;
+import android.os.Handler;
 
 import org.json.JSONArray;
 import org.json.JSONException;
 import org.json.JSONObject;
 
 import org.chromium.base.Log;
 import org.chromium.base.VisibleForTesting;
 import org.chromium.installedapp.mojom.InstalledAppProvider;
 import org.chromium.installedapp.mojom.RelatedApplication;
 import org.chromium.mojo.system.MojoException;
 
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.ArrayList;
+import java.util.concurrent.atomic.AtomicInteger;
 
 /**
  * Android implementation of the InstalledAppProvider service defined in
  * installed_app_provider.mojom
  */
 public class InstalledAppProviderImpl implements InstalledAppProvider {
     @VisibleForTesting
     public static final String ASSET_STATEMENTS_KEY = "asset_statements";
     private static final String ASSET_STATEMENT_FIELD_TARGET = "target";
     private static final String ASSET_STATEMENT_FIELD_NAMESPACE = "namespace";
@@ skipping 32 matching lines @@
 
     @Override
     public void filterInstalledApps(
             final RelatedApplication[] relatedApps, final FilterInstalledAppsResponse callback) {
         if (mFrameUrlDelegate.isIncognito()) {
             callback.call(new RelatedApplication[0]);
             return;
         }
 
         final URI frameUrl = mFrameUrlDelegate.getUrl();
+        final AtomicInteger delayMillis = new AtomicInteger();
 
         // Use an AsyncTask to execute the installed/related checks on a background thread (so as
         // not to block the UI thread).
         new AsyncTask<Void, Void, RelatedApplication[]>() {

[Ted C, 2017/04/12 15:53:50]

I "think" it would be slightly cleaner to change the last template var to
Pair<ReleatedApplication[], Integer>.  Then you can pass the values in the same
way.

FWIW, you could also just keep the variable as a member variable within the
async task to avoid having to have it final and outside of the object.

[Matt Giuca, 2017/04/13 00:29:55]

Done. Thanks, a good suggestion.

             @Override
             protected RelatedApplication[] doInBackground(Void... unused) {
-                return filterInstalledAppsOnBackgroundThread(relatedApps, frameUrl);
+                return filterInstalledAppsOnBackgroundThread(relatedApps, frameUrl, delayMillis);
             }
 
             @Override
-            protected void onPostExecute(RelatedApplication[] installedApps) {
-                callback.call(installedApps);
+            protected void onPostExecute(final RelatedApplication[] installedApps) {
+                // Before calling the callback, delay for the amount of time that has been
+                // calculated in |delayMillis|.
+                delayThenRun(new Runnable() {
+                    @Override
+                    public void run() {
+                        callback.call(installedApps);
+                    }
+                }, delayMillis.get());
             }
         }
                 .execute();
     }
 
     @Override
     public void close() {}
 
     @Override
     public void onConnectionError(MojoException e) {}
 
     /**
      * Filters a list of apps, returning those that are both installed and match the origin.
      *
      * This method is expected to be called on a background thread (not the main UI thread).
      *
      * @param relatedApps A list of applications to be filtered.
      * @param frameUrl The URL of the frame this operation was called from.
+     * @param delayMillis (Output) Number that will be incremented by the total amount of time in ms
+     *                    that should be delayed before returning to the user, to mask the installed
+     *                    state of the requested apps.
      * @return A subsequence of applications that meet the criteria.
      */
     private RelatedApplication[] filterInstalledAppsOnBackgroundThread(
-            RelatedApplication[] relatedApps, URI frameUrl) {
+            RelatedApplication[] relatedApps, URI frameUrl, AtomicInteger delayMillis) {
         ArrayList<RelatedApplication> installedApps = new ArrayList<RelatedApplication>();
         PackageManager pm = mContext.getPackageManager();
         for (RelatedApplication app : relatedApps) {
             // If the package is of type "play", it is installed, and the origin is associated with
             // package, add the package to the list of valid packages.
             // NOTE: For security, it must not be possible to distinguish (from the response)
             // between the app not being installed and the origin not being associated with the app
             // (otherwise, arbitrary websites would be able to test whether un-associated apps are
             // installed on the user's device).
-            if (app.platform.equals(RELATED_APP_PLATFORM_ANDROID) && app.id != null
-                    && isAppInstalledAndAssociatedWithOrigin(app.id, frameUrl, pm)) {
-                installedApps.add(app);
+            if (app.platform.equals(RELATED_APP_PLATFORM_ANDROID) && app.id != null) {
+                delayMillis.addAndGet(calculateDelayForPackageMs(app.id));
+                if (isAppInstalledAndAssociatedWithOrigin(app.id, frameUrl, pm)) {
+                    installedApps.add(app);
+                }
             }
         }
 
         RelatedApplication[] installedAppsArray = new RelatedApplication[installedApps.size()];
         installedApps.toArray(installedAppsArray);
         return installedAppsArray;
     }
 
     /**
+     * Determines how long to artifically delay for, for a particular package name.
+     */
+    private int calculateDelayForPackageMs(String packageName) {
+        // Important timing-attack prevention measure: delay by a pseudo-random amount of time, to
+        // add significant noise to the time taken to check whether this app is installed and
+        // related. Otherwise, it would be possible to tell whether a non-related app is installed,
+        // based on the time this operation takes.
+        //
+        // Generate a 16-bit hash based on a unique device ID + the package name.
+        short hash = PackageHash.hashForPackage(packageName);
+
+        // The time delay is the low 10 bits of the hash in 100ths of a ms (between 0 and 10ms).
+        int delayHundredthsOfMs = hash & 0x3ff;
+        return delayHundredthsOfMs / 100;
+    }
+
+    /**
      * Determines whether a particular app is installed and matches the origin.
      *
      * @param packageName Name of the Android package to check if installed. Returns false if the
      *                    app is not installed.
      * @param frameUrl Returns false if the Android package does not declare association with the
      *                origin of this URL. Can be null.
      */
-    private static boolean isAppInstalledAndAssociatedWithOrigin(
+    private boolean isAppInstalledAndAssociatedWithOrigin(
             String packageName, URI frameUrl, PackageManager pm) {
         if (frameUrl == null) return false;
 
         // Early-exit if the Android app is not installed.
         JSONArray statements;
         try {
             statements = getAssetStatements(packageName, pm);
         } catch (NameNotFoundException e) {
             return false;
         }
@@ skipping 117 matching lines @@
     }
 
     private static boolean statementTargetMatches(URI frameUrl, URI assetUrl) {
         if (assetUrl.getScheme() == null || assetUrl.getAuthority() == null) {
             return false;
         }
 
         return assetUrl.getScheme().equals(frameUrl.getScheme())
                 && assetUrl.getAuthority().equals(frameUrl.getAuthority());
     }
+
+    /**
+     * Runs a Runnable task after a given delay.
+     *
+     * Protected and non-static for testing.
+     *
+     * @param r The Runnable that will be executed.
+     * @param delayMillis The delay (in ms) until the Runnable will be executed.
+     * @return True if the Runnable was successfully placed into the message queue.
+     */
+    protected boolean delayThenRun(Runnable r, long delayMillis) {
+        return new Handler().postDelayed(r, delayMillis);

[Ted C, 2017/04/12 15:53:50]

Use can use ThreadUtils.postOnUiThreadDelayed here to avoid creating a new
handler.

[Matt Giuca, 2017/04/13 00:29:55]

Done.

+    }
 }