Don't attempt to get device serial on Android Q., instead use Android…

… ID. Also remove reflection access and that will be flagged in non SDK interfaces
scottyab · Aug 30, 2019 · 4c94e1b · 4c94e1b
1 parent 7ae4e5a
commit 4c94e1b
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 31 deletions.
diff --git a/changes.md b/changes.md
@@ -1,5 +1,10 @@
 # Secure Preferences Release Notes: #
 
+## 0.1.8 ##
+* Fix crash in Android 10 / Q due to accessing Device Serial 
+
+WARNING: SecurePreferences will fail to decrypt previously encrypted values if device is upgraded to Android 10/Q. This is due to default Salt using the Device Serial which is no longer accessible. 
+
 ## 0.1.7 ##
 * PR #92 to allow pass own salt 
 

diff --git a/library/src/main/java/com/securepreferences/SecurePreferences.java b/library/src/main/java/com/securepreferences/SecurePreferences.java
@@ -21,7 +21,6 @@
 import android.content.SharedPreferences;
 import android.os.Build;
 import android.preference.PreferenceManager;
-import android.provider.Settings;
 import android.text.TextUtils;
 import android.util.Base64;
 import android.util.Log;
@@ -230,42 +229,15 @@ private String generateAesKeyName(Context context, int iterationCount) throws Ge
         return hashPrefKey(generatedKeyName.toString());
     }
 
-
-    /**
-     * Gets the hardware serial number of this device.
-     *
-     * @return serial number or Settings.Secure.ANDROID_ID if not available.
-     */
-    @SuppressLint("HardwareIds")
-    private static String getDeviceSerialNumber(Context context) {
-        // We're using the Reflection API because Build.SERIAL is only available
-        // since API Level 9 (Gingerbread, Android 2.3).
-        try {
-            String deviceSerial = (String) Build.class.getField("SERIAL").get(
-                    null);
-            if (TextUtils.isEmpty(deviceSerial)) {
-                return Settings.Secure.getString(
-                        context.getContentResolver(),
-                        Settings.Secure.ANDROID_ID);
-            } else {
-                return deviceSerial;
-            }
-        } catch (Exception ignored) {
-            // Fall back  to Android_ID
-            return Settings.Secure.getString(context.getContentResolver(),
-                    Settings.Secure.ANDROID_ID);
-        }
-    }
-
     /**
      * Gets the salt value
      *
-     * @param context used for accessing hardware serial number of this device in case salt is not set
+     * @param context used for accessing hardware serial number (if accessible) or the DeviceId in case salt is not set
      * @return
      */
     private String getSalt(Context context) {
         if (TextUtils.isEmpty(this.salt)) {
-            return getDeviceSerialNumber(context);
+            return Utils.getDefaultSalt(context);
         } else {
             return this.salt;
         }

diff --git a/library/src/main/java/com/securepreferences/Utils.java b/library/src/main/java/com/securepreferences/Utils.java
@@ -0,0 +1,62 @@
+package com.securepreferences;
+
+import android.annotation.SuppressLint;
+import android.content.Context;
+import android.os.Build;
+import android.provider.Settings;
+import android.text.TextUtils;
+
+public class Utils {
+
+    /**
+     * This method is here for backwards compatibility reasons. Recommend supplying your own Salt
+     *
+     * @param context
+     * @return Consistent between app restarts, device restarts, factory resets,
+     * however cannot be guaranteed on OS updates.
+     */
+    @SuppressLint("MissingPermission")
+    static String getDefaultSalt(Context context) {
+
+        //Android Q removes all access to Serial, fallback to Settings.Secure.ANDROID_ID
+        if (Build.VERSION.SDK_INT > Build.VERSION_CODES.O) {
+            return getSecureDeviceId(context);
+        } else {
+            return getDeviceSerialNumber(context);
+        }
+    }
+
+    @SuppressLint("HardwareIds")
+    private static String getSecureDeviceId(Context context) {
+        return Settings.Secure.getString(
+                context.getContentResolver(),
+                Settings.Secure.ANDROID_ID
+        );
+    }
+
+    /**
+     * Gets the hardware serial number of this device. This only for backwards compatibility
+     *
+     * @return serial number or Settings.Secure.ANDROID_ID if not available.
+     */
+    @SuppressLint("MissingPermission")
+    private static String getDeviceSerialNumber(Context context) {
+        try {
+            String deviceSerial = "";
+            if (Build.VERSION.SDK_INT == Build.VERSION_CODES.O) {
+                deviceSerial = Build.getSerial();
+            } else {
+                deviceSerial = Build.SERIAL;
+            }
+
+            if (TextUtils.isEmpty(deviceSerial)) {
+                return getSecureDeviceId(context);
+            } else {
+                return deviceSerial;
+            }
+        } catch (Exception ignored) {
+            // Fall back to Android_ID
+            return getSecureDeviceId(context);
+        }
+    }
+}
diff --git a/sample/build.gradle b/sample/build.gradle
@@ -75,7 +75,6 @@ android {
 
     dependencies {
         implementation 'com.android.support:appcompat-v7:28.0.0'
-        implementation fileTree(dir: 'libs', include: '*.jar')
 
         //compile 'com.scottyab:secure-preferences-lib:0.1.1'
         //snapshot