Improved PIN security

- Hardware Scheme now encrypts the PIN hash
- PINs are now hashed with Argon2 instead of bCrypt

Author: Wavesonics

app/build.gradle.kts

@@ -114,6 +114,7 @@ dependencies {
 	implementation(libs.androidx.runtime.livedata)
 	implementation(libs.bcrypt)
 	implementation(libs.androidx.work.runtime.ktx)
+	implementation(libs.argon2kt)
 
 	"fullImplementation"(libs.face.detection)
 

app/src/main/kotlin/com/darkrockstudios/app/securecamera/AppModule.kt

@@ -13,6 +13,9 @@ import com.darkrockstudios.app.securecamera.preferences.AppPreferencesDataSource
 import com.darkrockstudios.app.securecamera.security.DeviceInfo
 import com.darkrockstudios.app.securecamera.security.SecurityLevel
 import com.darkrockstudios.app.securecamera.security.SecurityLevelDetector
+import com.darkrockstudios.app.securecamera.security.pin.PinRepository
+import com.darkrockstudios.app.securecamera.security.pin.PinRepositoryHardware
+import com.darkrockstudios.app.securecamera.security.pin.PinRepositorySoftware
 import com.darkrockstudios.app.securecamera.security.schemes.EncryptionScheme
 import com.darkrockstudios.app.securecamera.security.schemes.HardwareBackedEncryptionScheme
 import com.darkrockstudios.app.securecamera.security.schemes.SoftwareEncryptionScheme
@@ -40,6 +43,17 @@ val appModule = module {
 			}
 		}
 	} bind EncryptionScheme::class
+	single<PinRepository> {
+		val detector = get<SecurityLevelDetector>()
+		when (detector.detectSecurityLevel()) {
+			SecurityLevel.SOFTWARE ->
+				PinRepositorySoftware(get())
+
+			SecurityLevel.TEE, SecurityLevel.STRONGBOX -> {
+				PinRepositoryHardware(get(), get())
+			}
+		}
+	} bind PinRepository::class
 	singleOf(::SecurityLevelDetector)
 
 	single { WorkManager.getInstance(get()) }
@@ -52,6 +66,8 @@ val appModule = module {
 	factoryOf(::VerifyPinUseCase)
 	factoryOf(::CreatePinUseCase)
 	factoryOf(::PinSizeUseCase)
+	factoryOf(::RemovePoisonPillIUseCase)
+	factoryOf(::MigratePinHash)
 
 	viewModelOf(::ObfuscatePhotoViewModel)
 	viewModelOf(::ViewPhotoViewModel)

app/src/main/kotlin/com/darkrockstudios/app/securecamera/ReentrantMutex.kt

@@ -0,0 +1,42 @@
+package com.darkrockstudios.app.securecamera
+
+import kotlinx.coroutines.Job
+import kotlinx.coroutines.currentCoroutineContext
+import kotlinx.coroutines.sync.Mutex
+
+class ReentrantMutex {
+	private val mutex = Mutex()
+	private var owner: Any? = null
+	private var recursionCount = 0
+
+	suspend fun lock() {
+		val current = currentCoroutineContext()[Job]
+		if (owner == current) {
+			recursionCount++
+			return
+		}
+		mutex.lock()
+		owner = current
+		recursionCount = 1
+	}
+
+	suspend fun unlock() {
+		if (owner != currentCoroutineContext()[Job]) {
+			throw IllegalStateException("Not the owner of the lock")
+		}
+		recursionCount--
+		if (recursionCount == 0) {
+			owner = null
+			mutex.unlock()
+		}
+	}
+
+	suspend fun <T> withLock(action: suspend () -> T): T {
+		lock()
+		try {
+			return action()
+		} finally {
+			unlock()
+		}
+	}
+}

app/src/main/kotlin/com/darkrockstudios/app/securecamera/auth/AuthorizationRepository.kt

@@ -2,6 +2,7 @@ package com.darkrockstudios.app.securecamera.auth
 
 import com.darkrockstudios.app.securecamera.preferences.AppPreferencesDataSource
 import com.darkrockstudios.app.securecamera.preferences.HashedPin
+import com.darkrockstudios.app.securecamera.security.pin.PinRepository
 import com.darkrockstudios.app.securecamera.security.schemes.EncryptionScheme
 import kotlinx.coroutines.flow.MutableStateFlow
 import kotlinx.coroutines.flow.StateFlow
@@ -13,7 +14,8 @@ import kotlin.math.pow
  * Manages user authorization state, including PIN verification and session expiration.
  */
 class AuthorizationRepository(
-	private val preferencesManager: AppPreferencesDataSource,
+	private val preferences: AppPreferencesDataSource,
+	private val pinRepository: PinRepository,
 	private val encryptionScheme: EncryptionScheme,
 ) {
 	companion object {
@@ -26,27 +28,27 @@ class AuthorizationRepository(
 	private var lastAuthTimeMs: Long = 0
 
 	suspend fun securityFailureReset() {
-		preferencesManager.securityFailureReset()
+		preferences.securityFailureReset()
 	}
 
 	suspend fun activatePoisonPill() {
-		preferencesManager.activatePoisonPill()
+		pinRepository.activatePoisonPill()
 	}
 
 	/**
 	 * Gets the current number of failed PIN attempts
 	 * @return The number of failed attempts
 	 */
 	suspend fun getFailedAttempts(): Int {
-		return preferencesManager.getFailedPinAttempts()
+		return preferences.getFailedPinAttempts()
 	}
 
 	/**
 	 * Sets the number of failed PIN attempts
 	 * @param count The number of failed attempts to set
 	 */
 	suspend fun setFailedAttempts(count: Int) {
-		preferencesManager.setFailedPinAttempts(count)
+		preferences.setFailedPinAttempts(count)
 	}
 
 	/**
@@ -59,7 +61,7 @@ class AuthorizationRepository(
 		setFailedAttempts(newCount)
 
 		// Store the current timestamp as the last failed attempt time
-		preferencesManager.setLastFailedAttemptTimestamp(System.currentTimeMillis())
+		preferences.setLastFailedAttemptTimestamp(System.currentTimeMillis())
 
 		return newCount
 	}
@@ -69,7 +71,7 @@ class AuthorizationRepository(
 	 * @return The timestamp of the last failed attempt
 	 */
 	suspend fun getLastFailedAttemptTimestamp(): Long {
-		return preferencesManager.getLastFailedAttemptTimestamp()
+		return preferences.getLastFailedAttemptTimestamp()
 	}
 
 	/**
@@ -99,7 +101,7 @@ class AuthorizationRepository(
 	 */
 	suspend fun resetFailedAttempts() {
 		setFailedAttempts(0)
-		preferencesManager.setLastFailedAttemptTimestamp(0)
+		preferences.setLastFailedAttemptTimestamp(0)
 	}
 
 	/**
@@ -116,8 +118,8 @@ class AuthorizationRepository(
 	 * @return True if the PIN is correct, false otherwise
 	 */
 	suspend fun verifyPin(pin: String): HashedPin? {
-		val hashedPin = preferencesManager.getHashedPin()
-		val isValid = preferencesManager.verifySecurityPin(pin)
+		val hashedPin = pinRepository.getHashedPin()
+		val isValid = pinRepository.verifySecurityPin(pin)
 		return if (isValid && hashedPin != null) {
 			authorizeSession()
 			// Reset failed attempts counter on successful verification
@@ -145,7 +147,7 @@ class AuthorizationRepository(
 			return@runBlocking false
 		}
 
-		val sessionTimeoutMs = preferencesManager.getSessionTimeout()
+		val sessionTimeoutMs = preferences.getSessionTimeout()
 		val currentTime = System.currentTimeMillis()
 		val sessionValid = (currentTime - lastAuthTimeMs) < sessionTimeoutMs
 

app/src/main/kotlin/com/darkrockstudios/app/securecamera/camera/SecureImageRepository.kt

@@ -10,7 +10,7 @@ import com.ashampoo.kim.common.convertToPhotoMetadata
 import com.ashampoo.kim.model.GpsCoordinates
 import com.ashampoo.kim.model.MetadataUpdate
 import com.ashampoo.kim.model.TiffOrientation
-import com.darkrockstudios.app.securecamera.preferences.AppPreferencesDataSource
+import com.darkrockstudios.app.securecamera.security.pin.PinRepository
 import com.darkrockstudios.app.securecamera.security.schemes.EncryptionScheme
 import java.io.ByteArrayOutputStream
 import java.io.File
@@ -22,7 +22,7 @@ import kotlin.time.toJavaInstant
 
 class SecureImageRepository(
 	private val appContext: Context,
-	private val preferencesManager: AppPreferencesDataSource,
+	private val pinRepository: PinRepository,
 	internal val thumbnailCache: ThumbnailCache,
 	private val encryptionScheme: EncryptionScheme,
 ) {
@@ -441,8 +441,8 @@ class SecureImageRepository(
 			getDecoyDirectory().mkdirs()
 			val decoyFile = getDecoyFile(photoDef)
 
-			val ppp = preferencesManager.getHashedPoisonPillPin() ?: return false
-			val pin = preferencesManager.getPlainPoisonPillPin() ?: return false
+			val ppp = pinRepository.getHashedPoisonPillPin() ?: return false
+			val pin = pinRepository.getPlainPoisonPillPin() ?: return false
 			val ppk = encryptionScheme.deriveKey(plainPin = pin, hashedPin = ppp)
 			encryptionScheme.encryptToFile(
 				plain = jpgBytes,