Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Android] Select the highest priority threat from SafetyNetClient.loo… #26195

Merged
merged 5 commits into from
Oct 25, 2024

Conversation

AlexeyBarabash
Copy link
Contributor

@AlexeyBarabash AlexeyBarabash commented Oct 24, 2024

This PR changes the way how BraveSafeBrowsingApiHandler handles the case when SafetyNet reports more than one threat.
Before: the first one was taken.
Now: the most prioritized is taken, threats are arranged by priorities at SAFETY_NET_THREAT_PRIORITIES array.

SAFETY_NET_THREAT_PRIORITIES can be changed after the review, the test must be updated accordingly then.

The codes returned from https://testsafebrowsing.appspot.com/ are:

  • (1) [A/W/M/L/C] Should show a phishing warning - 5 - SafetyNetJavaThreatType.SOCIAL_ENGINEERING
  • (2) [A/W/M/L/C/D] Should show a malware warning - 4 - SafetyNetJavaThreatType.POTENTIALLY_HARMFUL_APPLICATION
  • (4) [W/M/L/C] Should show a unwanted software warning - 3 - SafetyNetJavaThreatType.UNWANTED_SOFTWARE
  • (6) [A/W/M/L/C] Should show a billing warning - 15 - SafetyNetJavaThreatType.BILLING

Resolves brave/brave-browser#41581

This is a follow-up for #25842.

Submitter Checklist:

  • I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally:
    • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
    • npm run presubmit wiki, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

There is no a strict test plan, because I never saw the website which had more than one threat reported by SafetyNet.

The basic sanity check though is

  1. Open https://testsafebrowsing.appspot.com/
  2. For 1, 2, 4, 6 option the corresponding interstitial page with warning must be displayed.

@AlexeyBarabash AlexeyBarabash self-assigned this Oct 24, 2024
@AlexeyBarabash AlexeyBarabash force-pushed the android_safety_net_threats_priority branch from c7ff526 to 6e7daf6 Compare October 24, 2024 20:06
@AlexeyBarabash AlexeyBarabash marked this pull request as ready for review October 24, 2024 20:08
@github-actions github-actions bot added the chromium-version-mismatch The Chromium version on the PR branch does not match the version on the target branch label Oct 24, 2024
Copy link
Contributor

The security team is monitoring all repositories for certain keywords. This PR includes the word(s) "safebrowsing" and so security team members have been added as reviewers to take a look.

No need to request a full security review at this stage, the security team will take a look shortly and either clear the label or request more information/changes.

Notifications have already been sent, but if this is blocking your merge feel free to reach out directly to the security team on Slack so that we can expedite this check.

AlexeyBarabash and others added 4 commits October 25, 2024 01:11
…nts/safe_browsing/BraveSafeBrowsingApiHandler.java

Co-authored-by: Francois Marier <francois@brave.com>
…nts/safe_browsing/BraveSafeBrowsingUtils.java

Co-authored-by: Francois Marier <francois@brave.com>
@AlexeyBarabash AlexeyBarabash force-pushed the android_safety_net_threats_priority branch from cdb294c to 9a47774 Compare October 24, 2024 22:12
@github-actions github-actions bot removed the chromium-version-mismatch The Chromium version on the PR branch does not match the version on the target branch label Oct 24, 2024
Copy link
Member

@SergeyZhukovsky SergeyZhukovsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

++

@AlexeyBarabash AlexeyBarabash merged commit 7c79b15 into master Oct 25, 2024
17 checks passed
@AlexeyBarabash AlexeyBarabash deleted the android_safety_net_threats_priority branch October 25, 2024 14:44
@github-actions github-actions bot added this to the 1.73.x - Nightly milestone Oct 25, 2024
@brave-builds
Copy link
Collaborator

Released in v1.73.49

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Prioritize threat when more than one from SafetyNet SafeBrowsing
6 participants