Happy new year, dear sailors!
My company recently started to use ATOSS Staff Center SaaS and I wanted (like some others here @NettoHikari @m183037) to use the mobile client for time tracking. However, the application requests a password-protected device and without that it will not allow you to log in. Trying to set an Android PIN didn’t work and so I started messing around…
Finally, here comes a workaround for Staff Center that might help with other apps checking for the password security constraint.
This is what needs to be done for Jolla C2 / Xperia devices with the latest appsupport runtime:
```sh
#
# Jolla C2 / Xperia AppSupport PIN Workaround
#
# 1. enable developer mode, open terminal or ssh into your device. Appsupport container must be running.
# 2. become r00t
devel-su
# 3. launch appsupport shell
appsupport-attach /system/bin/sh
# 4. launch gatekeeper HAL process (GK HAL)
/bin/hw/android.hardware.gatekeeper@1.0-service.software &
# 5. kill gatekeeperd (it will be restarted automatically and connection to GK HAL established, oh well, that's about it for process isolation with SE extension running this as root vs. system)
pkill gatekeeperd
# 6. launch Android security settings
am start -a android.settings.SECURITY_SETTINGS
# 7. now set a PIN using the security settings UI and you're done!
# NOTE: I tested this with ATOSS Staff Center and after a reboot of C2 without connecting the GK HAL I was able to use the application.
# 8. older appsupport runtime for Xperia devices allows you to set the PIN
# via shell command "locksettings set-pin 1234". You can remove the lock PIN
# with "locksettings clear --old 1234".
```
Technically speaking, the Android security settings application will talk to the gatekeeperd service, which will connect with the gatekeeper HAL service. The HAL service will use a hardware keystore (TEE) or, in the case of appsupport, a software-based keystore for storing your PIN credential.
The problem in current appsupport is the launch of GK HAL service that’s missing inside the image. There is sadly no init.rc service found to launch the service.
And that’s it for a five-year-old unfixed bug.
Cheers,
Nek
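
The missing init.rc service described in the post can be checked with a small script; this is an added example, not part of the original post. It scans Android init `.rc` files for a `service` stanza that launches the gatekeeper HAL binary named in step 4. The function names and the directories passed on the command line are assumptions, since the post does not say where the runtime image keeps its init files.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Android init syntax:
#   service <name> <path> [args]   followed by indented option lines.
GK_BIN='android.hardware.gatekeeper@1.0-service.software'

# Print "<state>:<name>" for each service stanza in one .rc file that
# launches the gatekeeper HAL binary; state is "declared" or "disabled".
gk_scan_file() {
    name=''
    state=''
    while read -r kw a b rest || [ -n "$kw" ]; do
        case "$kw" in
            ''|'#'*) continue ;;            # blank line or comment
            service|on|import)              # a new section ends the stanza
                if [ -n "$name" ]; then echo "$state:$name"; fi
                name=''
                if [ "$kw" = service ] && [ "${b##*/}" = "$GK_BIN" ]; then
                    name=$a
                    state=declared
                fi ;;
            disabled)                       # init will not auto-start it
                if [ -n "$name" ]; then state=disabled; fi ;;
        esac
    done < "$1"
    if [ -n "$name" ]; then echo "$state:$name"; fi
    return 0
}

# gk_service_state DIR...  ->  missing | disabled:<name> | declared:<name>
gk_service_state() {
    found=$(
        for dir in "$@"; do
            for rc in "$dir"/*.rc; do
                if [ -f "$rc" ]; then gk_scan_file "$rc"; fi
            done
        done | sort | head -n 1             # "declared" sorts before "disabled"
    )
    echo "${found:-missing}"
}

# Usage (directories are assumptions): sh gk_check.sh /system/etc/init /vendor/etc/init
if [ "$#" -gt 0 ]; then gk_service_state "$@"; fi
```

A result of `missing` matches the situation the post describes, where nothing starts the HAL and it has to be launched by hand.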