getInstalledRelatedApps: Introduce random delay to stop timing attacks.

content/public/android/java/src/org/chromium/content/browser/installedapp/InstalledAppProviderImpl.java

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.content.browser.installedapp;
 
 import android.content.Context;
 import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageManager;
 import android.content.pm.PackageManager.NameNotFoundException;
@@ skipping 91 matching lines @@
     public void onConnectionError(MojoException e) {}
 
     /**
      * Determines whether a particular app is installed and matches the origin.
      *
      * @param packageName Name of the Android package to check if installed. Returns false if the
      *                    app is not installed.
      * @param frameUrl Returns false if the Android package does not declare association with the
      *                origin of this URL. Can be null.
      */
-    private static boolean isAppInstalledAndAssociatedWithOrigin(
+    private boolean isAppInstalledAndAssociatedWithOrigin(
             String packageName, URI frameUrl, PackageManager pm) {
         if (frameUrl == null) return false;
 
+        // Important timing-attack prevention measure: delay by a pseudo-random amount of time, to
+        // add significant noise to the time taken to check whether this app is installed and
+        // related. Otherwise, it would be possible to tell whether a non-related app is installed,
+        // based on the time this operation takes.
+        //
+        // Generate a 16-bit hash based on a unique device ID + the package name.
+        short hash = PackageHash.hashForPackage(packageName);
+
+        // The time delay is the low 13 bits of the hash in usec (between 0 and 8.192ms).

[palmer, 2017/04/07 18:56:33]

Pico-nit: Use "ms" consistently (not "usec").

[Matt Giuca, 2017/04/10 08:33:40]

Not sure what you mean by this. Are you asking me to change the logic or just
the comment?

(The logic is the low 13 bits of the hash represent the time delay in μs, not
ms.) I've updated the comment to "μs" not "usec". But the variable names remain
as "Usec" because I can't use Unicode in a variable name and "Us" is ambiguous.

+        int sleepUsec = hash & 0x1fff;
+        sleep(sleepUsec / 1000, (sleepUsec % 1000) * 1000);
+
         // Early-exit if the Android app is not installed.
         JSONArray statements;
         try {
             statements = getAssetStatements(packageName, pm);
         } catch (NameNotFoundException e) {
             return false;
         }
 
         // The installed Android app has provided us with a list of asset statements. If any one of
         // those statements is a web asset that matches the given origin, return true.
@@ skipping 114 matching lines @@
     }
 
     private static boolean statementTargetMatches(URI frameUrl, URI assetUrl) {
         if (assetUrl.getScheme() == null || assetUrl.getAuthority() == null) {
             return false;
         }
 
         return assetUrl.getScheme().equals(frameUrl.getScheme())
                 && assetUrl.getAuthority().equals(frameUrl.getAuthority());
     }
+
+    /**
+     * Puts the current thread to sleep for a given amount of time.
+     *
+     * This is approximate but should at least be accurate to the millisecond.
+     *
+     * Protected and non-static for testing.
+     */
+    protected void sleep(long millis, int nanos) {
+        try {
+            Thread.sleep(millis, nanos);
+        } catch (InterruptedException e) {
+            // Continue to interrupt the thread after this completes.
+            Thread.currentThread().interrupt();
+        }
+    }
 }