diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java index 293e7d57..1753fc08 100644 --- a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java +++ b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java @@ -204,7 +204,7 @@ class AttestationProtocol { private static final int OS_ENFORCED_FLAGS_ADB_ENABLED = 1 << 3; private static final int OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED = 1 << 4; private static final int OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS = 1 << 5; - private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6; + private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6; // obsolete since version 86 private static final int OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM = 1 << 7; private static final int OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED = 1 << 8; private static final int OS_ENFORCED_FLAGS_SYSTEM_USER = 1 << 9; @@ -215,7 +215,6 @@ class AttestationProtocol { OS_ENFORCED_FLAGS_ADB_ENABLED | OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED | OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS | - OS_ENFORCED_FLAGS_DENY_NEW_USB | OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM | OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED | OS_ENFORCED_FLAGS_SYSTEM_USER; @@ -951,7 +950,7 @@ private static VerificationResult verify(final Context context, final byte[] fin final boolean accessibility, final boolean deviceAdmin, final boolean deviceAdminNonSystem, final boolean adbEnabled, final boolean addUsersWhenLocked, final boolean enrolledBiometrics, - final boolean denyNewUsb, final boolean oemUnlockAllowed, final boolean systemUser) + final boolean oemUnlockAllowed, final boolean systemUser) throws GeneralSecurityException, IOException { final String fingerprintHex = BaseEncoding.base16().encode(fingerprint); final byte[] currentFingerprint = getFingerprint(attestationCertificates[0]); 
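Review bot: The trailing comment added to `OS_ENFORCED_FLAGS_DENY_NEW_USB` does not say which version numbering "86" refers to or why the constant is kept once nothing reads it. Bit 6 is part of the serialized flags word, so the reason is presumably that the value must never be handed to a new flag that older peers would misinterpret. I would state that, for example `// obsolete since version 86; bit 6 stays reserved and must never be reassigned`, and name whether 86 is the app version or the protocol version.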
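Review bot: Dropping `OS_ENFORCED_FLAGS_DENY_NEW_USB` from this OR-expression turns bit 6 into an unknown bit for whatever consumes the mask; the assignment target and its use are outside the hunk, so that part is inferred. An auditee older than version 86 can still set bit 6, since the removed generateSerialized code set it whenever `persist.security.deny_new_usb` was not `disabled`. If verifySerialized rejects or warns on bits outside the mask, attestations from devices that have not updated yet would start failing or be flagged. If that is not intended, keep bit 6 in the accepted mask and only stop displaying it; otherwise add a comment at the mask saying that pre-86 auditees with the flag set are deliberately no longer accepted.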
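Review bot: `verify` still takes at least eight adjacent `final boolean` parameters after this removal, and the call in verifySerialized (hunk at -1237) passes them positionally. A transposed pair compiles cleanly and would mislabel a security property in the `osEnforced` text built further down. Consider passing the decoded `osEnforcedFlags` int, or a small immutable value object, and testing the bits inside `verify`; that would also have made this removal a one-place edit. The signature begins above the hunk, so the full parameter list is not visible here.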
@@ -1122,8 +1121,6 @@ private static VerificationResult verify(final Context context, final byte[] fin toYesNoString(context, adbEnabled))); osEnforced.append(context.getString(R.string.add_users_when_locked, toYesNoString(context, addUsersWhenLocked))); - osEnforced.append(context.getString(R.string.deny_new_usb, - toYesNoString(context, denyNewUsb))); osEnforced.append(context.getString(R.string.oem_unlock_allowed, toYesNoString(context, oemUnlockAllowed))); osEnforced.append(context.getString(R.string.system_user, @@ -1219,7 +1216,6 @@ static VerificationResult verifySerialized(final Context context, final byte[] a final boolean adbEnabled = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADB_ENABLED) != 0; final boolean addUsersWhenLocked = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED) != 0; final boolean enrolledBiometrics = (osEnforcedFlags & OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS) != 0; - final boolean denyNewUsb = (osEnforcedFlags & OS_ENFORCED_FLAGS_DENY_NEW_USB) != 0; final boolean oemUnlockAllowed = (osEnforcedFlags & OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED) != 0; final boolean systemUser = (osEnforcedFlags & OS_ENFORCED_FLAGS_SYSTEM_USER) != 0; @@ -1237,8 +1233,7 @@ static VerificationResult verifySerialized(final Context context, final byte[] a final byte[] challenge = Arrays.copyOfRange(challengeMessage, 1 + RANDOM_TOKEN_LENGTH, 1 + RANDOM_TOKEN_LENGTH * 2); return verify(context, fingerprint, challenge, deserializer.asReadOnlyBuffer(), signature, certificates, userProfileSecure, accessibility, deviceAdmin, deviceAdminNonSystem, - adbEnabled, addUsersWhenLocked, enrolledBiometrics, denyNewUsb, oemUnlockAllowed, - systemUser); + adbEnabled, addUsersWhenLocked, enrolledBiometrics, oemUnlockAllowed, systemUser); } static class AttestationResult { 
@@ -1433,10 +1428,6 @@ static AttestationResult generateSerialized(final Context context, final byte[] final boolean addUsersWhenLocked = Settings.Global.getInt(context.getContentResolver(), ADD_USERS_WHEN_LOCKED, 0) != 0; - final String denyNewUsbValue = - SystemProperties.get("persist.security.deny_new_usb", "disabled"); - final boolean denyNewUsb = !denyNewUsbValue.equals("disabled"); - final String oemUnlockAllowedValue = SystemProperties.get("sys.oem_unlock_allowed", "0"); final boolean oemUnlockAllowed = oemUnlockAllowedValue.equals("1"); @@ -1487,9 +1478,6 @@ static AttestationResult generateSerialized(final Context context, final byte[] if (enrolledBiometrics) { osEnforcedFlags |= OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS; } - if (denyNewUsb) { - osEnforcedFlags |= OS_ENFORCED_FLAGS_DENY_NEW_USB; - } if (oemUnlockAllowed) { osEnforcedFlags |= OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED; } diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml index 9f6b2f49..a7aa8435 100644 --- a/app/src/main/res/values/strings.xml +++ b/app/src/main/res/values/strings.xml @@ -84,7 +84,6 @@ yes, with non-system apps Android Debug Bridge enabled: %s\n Add users from lock screen: %s\n - Deny new USB peripherals when locked: %s\n OEM unlocking allowed: %s\n Main user account: %s\n