commit fd96bde6a4c966eebde5f368e323235f168de6eb
author duki.hong <duki.hong@samsung.com> Wed Jul 22 17:32:19 2020 +0900
committer duki.hong <duki.hong@samsung.com> Wed Jul 22 17:32:19 2020 +0900
tree e92d78d0504b21ab43368a3f4b17831d2d5a995f
parent dc99dba89c49ceeb5332b02c0332407480a101a0

Unprivileged applications can retrieve the ICCID

The phone system service did not properly enforce permissions on its getPhoneAccountHandleForSubscriptionId method.
When called by an unprivileged application, the parceled response contained the ICCID number (Integrated Circuit Card Identifier), a 20-digit number that uniquely identifies a SIM card.
Such identifier should not be accessible to unprivileged applications due to the privacy implications that unique, tied to the SIM card, identifiers have.
The PhoneAccountHandle include ICCID

Test: adb shell run-as <unprivileged_app> service call phone 153

Bug: https://partnerissuetracker.corp.google.com/issues/161860604

Signed-off-by: duki.hong <duki.hong@samsung.com>
Change-Id: Id3b155a9cf4a4fbf3dc326de50f978a12bd5f6cd

src/com/android/phone/PhoneInterfaceManager.java

diff --git a/src/com/android/phone/PhoneInterfaceManager.java b/src/com/android/phone/PhoneInterfaceManager.java
index 2346e32..8ec9a05 100755
--- a/src/com/android/phone/PhoneInterfaceManager.java
+++ b/src/com/android/phone/PhoneInterfaceManager.java
@@ -6514,6 +6514,8 @@
 
     @Override
     public @Nullable PhoneAccountHandle getPhoneAccountHandleForSubscriptionId(int subscriptionId) {
+        enforceReadPrivilegedPermission("getPhoneAccountHandleForSubscriptionId, "
+                + "subscriptionId: " + subscriptionId);
         final long identity = Binder.clearCallingIdentity();
         try {
             Phone phone = getPhone(subscriptionId);