1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 package android.service.autofill; 17 18 import static android.service.autofill.Flags.FLAG_AUTOFILL_SESSION_DESTROYED; 19 20 import static com.android.internal.util.function.pooled.PooledLambda.obtainMessage; 21 22 import android.annotation.CallSuper; 23 import android.annotation.FlaggedApi; 24 import android.annotation.NonNull; 25 import android.annotation.Nullable; 26 import android.annotation.SdkConstant; 27 import android.app.Service; 28 import android.content.Intent; 29 import android.os.BaseBundle; 30 import android.os.CancellationSignal; 31 import android.os.Handler; 32 import android.os.IBinder; 33 import android.os.ICancellationSignal; 34 import android.os.Looper; 35 import android.os.RemoteException; 36 import android.provider.Settings; 37 import android.util.Log; 38 import android.view.View; 39 import android.view.ViewStructure; 40 import android.view.autofill.AutofillId; 41 import android.view.autofill.AutofillManager; 42 import android.view.autofill.AutofillValue; 43 44 import com.android.internal.os.IResultReceiver; 45 46 /** 47 * An {@code AutofillService} is a service used to automatically fill the contents of the screen 48 * on behalf of a given user - for more information about autofill, read 49 * <a href="{@docRoot}preview/features/autofill.html">Autofill Framework</a>. 50 * 51 * <p>An {@code AutofillService} is only bound to the Android System for autofill purposes if: 52 * <ol> 53 * <li>It requires the {@code android.permission.BIND_AUTOFILL_SERVICE} permission in its 54 * manifest. 55 * <li>The user explicitly enables it using Android Settings (the 56 * {@link Settings#ACTION_REQUEST_SET_AUTOFILL_SERVICE} intent can be used to launch such 57 * Settings screen). 58 * </ol> 59 * 60 * <a name="BasicUsage"></a> 61 * <h3>Basic usage</h3> 62 * 63 * <p>The basic autofill process is defined by the workflow below: 64 * <ol> 65 * <li>User focus an editable {@link View}. 66 * <li>View calls {@link AutofillManager#notifyViewEntered(android.view.View)}. 67 * <li>A {@link ViewStructure} representing all views in the screen is created. 68 * <li>The Android System binds to the service and calls {@link #onConnected()}. 69 * <li>The service receives the view structure through the 70 * {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback)}. 71 * <li>The service replies through {@link FillCallback#onSuccess(FillResponse)}. 72 * <li>The Android System calls {@link #onDisconnected()} and unbinds from the 73 * {@code AutofillService}. 74 * <li>The Android System displays an autofill UI with the options sent by the service. 75 * <li>The user picks an option. 76 * <li>The proper views are autofilled. 77 * </ol> 78 * 79 * <p>This workflow was designed to minimize the time the Android System is bound to the service; 80 * for each call, it: binds to service, waits for the reply, and unbinds right away. Furthermore, 81 * those calls are considered stateless: if the service needs to keep state between calls, it must 82 * do its own state management (keeping in mind that the service's process might be killed by the 83 * Android System when unbound; for example, if the device is running low in memory). 84 * 85 * <p>Typically, the 86 * {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback)} will: 87 * <ol> 88 * <li>Parse the view structure looking for autofillable views (for example, using 89 * {@link android.app.assist.AssistStructure.ViewNode#getAutofillHints()}. 90 * <li>Match the autofillable views with the user's data. 91 * <li>Create a {@link Dataset} for each set of user's data that match those fields. 92 * <li>Fill the dataset(s) with the proper {@link AutofillId}s and {@link AutofillValue}s. 93 * <li>Add the dataset(s) to the {@link FillResponse} passed to 94 * {@link FillCallback#onSuccess(FillResponse)}. 95 * </ol> 96 * 97 * <p>For example, for a login screen with username and password views where the user only has one 98 * account in the service, the response could be: 99 * 100 * <pre class="prettyprint"> 101 * new FillResponse.Builder() 102 * .addDataset(new Dataset.Builder() 103 * .setValue(id1, AutofillValue.forText("homer"), createPresentation("homer")) 104 * .setValue(id2, AutofillValue.forText("D'OH!"), createPresentation("password for homer")) 105 * .build()) 106 * .build(); 107 * </pre> 108 * 109 * <p>But if the user had 2 accounts instead, the response could be: 110 * 111 * <pre class="prettyprint"> 112 * new FillResponse.Builder() 113 * .addDataset(new Dataset.Builder() 114 * .setValue(id1, AutofillValue.forText("homer"), createPresentation("homer")) 115 * .setValue(id2, AutofillValue.forText("D'OH!"), createPresentation("password for homer")) 116 * .build()) 117 * .addDataset(new Dataset.Builder() 118 * .setValue(id1, AutofillValue.forText("flanders"), createPresentation("flanders")) 119 * .setValue(id2, AutofillValue.forText("OkelyDokelyDo"), createPresentation("password for flanders")) 120 * .build()) 121 * .build(); 122 * </pre> 123 * 124 * <p>If the service does not find any autofillable view in the view structure, it should pass 125 * {@code null} to {@link FillCallback#onSuccess(FillResponse)}; if the service encountered an error 126 * processing the request, it should call {@link FillCallback#onFailure(CharSequence)}. For 127 * performance reasons, it's paramount that the service calls either 128 * {@link FillCallback#onSuccess(FillResponse)} or {@link FillCallback#onFailure(CharSequence)} for 129 * each {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback)} received - if it 130 * doesn't, the request will eventually time out and be discarded by the Android System. 131 * 132 * <a name="SavingUserData"></a> 133 * <h3>Saving user data</h3> 134 * 135 * <p>If the service is also interested on saving the data filled by the user, it must set a 136 * {@link SaveInfo} object in the {@link FillResponse}. See {@link SaveInfo} for more details and 137 * examples. 138 * 139 * <a name="UserAuthentication"></a> 140 * <h3>User authentication</h3> 141 * 142 * <p>The service can provide an extra degree of security by requiring the user to authenticate 143 * before an app can be autofilled. The authentication is typically required in 2 scenarios: 144 * <ul> 145 * <li>To unlock the user data (for example, using a main password or fingerprint 146 * authentication) - see 147 * {@link FillResponse.Builder#setAuthentication(AutofillId[], android.content.IntentSender, android.widget.RemoteViews)}. 148 * <li>To unlock a specific dataset (for example, by providing a CVC for a credit card) - see 149 * {@link Dataset.Builder#setAuthentication(android.content.IntentSender)}. 150 * </ul> 151 * 152 * <p>When using authentication, it is recommended to encrypt only the sensitive data and leave 153 * labels unencrypted, so they can be used on presentation views. For example, if the user has a 154 * home and a work address, the {@code Home} and {@code Work} labels should be stored unencrypted 155 * (since they don't have any sensitive data) while the address data per se could be stored in an 156 * encrypted storage. Then when the user chooses the {@code Home} dataset, the platform starts 157 * the authentication flow, and the service can decrypt the sensitive data. 158 * 159 * <p>The authentication mechanism can also be used in scenarios where the service needs multiple 160 * steps to determine the datasets that can fill a screen. For example, when autofilling a financial 161 * app where the user has accounts for multiple banks, the workflow could be: 162 * 163 * <ol> 164 * <li>The first {@link FillResponse} contains datasets with the credentials for the financial 165 * app, plus a "fake" dataset whose presentation says "Tap here for banking apps credentials". 166 * <li>When the user selects the fake dataset, the service displays a dialog with available 167 * banking apps. 168 * <li>When the user select a banking app, the service replies with a new {@link FillResponse} 169 * containing the datasets for that bank. 170 * </ol> 171 * 172 * <p>Another example of multiple-steps dataset selection is when the service stores the user 173 * credentials in "vaults": the first response would contain fake datasets with the vault names, 174 * and the subsequent response would contain the app credentials stored in that vault. 175 * 176 * <a name="DataPartioning"></a> 177 * <h3>Data partitioning</h3> 178 * 179 * <p>The autofillable views in a screen should be grouped in logical groups called "partitions". 180 * Typical partitions are: 181 * <ul> 182 * <li>Credentials (username/email address, password). 183 * <li>Address (street, city, state, zip code, etc). 184 * <li>Payment info (credit card number, expiration date, and verification code). 185 * </ul> 186 * <p>For security reasons, when a screen has more than one partition, it's paramount that the 187 * contents of a dataset do not spawn multiple partitions, specially when one of the partitions 188 * contains data that is not specific to the application being autofilled. For example, a dataset 189 * should not contain fields for username, password, and credit card information. The reason for 190 * this rule is that a malicious app could draft a view structure where the credit card fields 191 * are not visible, so when the user selects a dataset from the username UI, the credit card info is 192 * released to the application without the user knowledge. Similarly, it's recommended to always 193 * protect a dataset that contains sensitive information by requiring dataset authentication 194 * (see {@link Dataset.Builder#setAuthentication(android.content.IntentSender)}), and to include 195 * info about the "primary" field of the partition in the custom presentation for "secondary" 196 * fields—that would prevent a malicious app from getting the "primary" fields without the 197 * user realizing they're being released (for example, a malicious app could have fields for a 198 * credit card number, verification code, and expiration date crafted in a way that just the latter 199 * is visible; by explicitly indicating the expiration date is related to a given credit card 200 * number, the service would be providing a visual clue for the users to check what would be 201 * released upon selecting that field). 202 * 203 * <p>When the service detects that a screen has multiple partitions, it should return a 204 * {@link FillResponse} with just the datasets for the partition that originated the request (i.e., 205 * the partition that has the {@link android.app.assist.AssistStructure.ViewNode} whose 206 * {@link android.app.assist.AssistStructure.ViewNode#isFocused()} returns {@code true}); then if 207 * the user selects a field from a different partition, the Android System will make another 208 * {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback)} call for that partition, 209 * and so on. 210 * 211 * <p>Notice that when the user autofill a partition with the data provided by the service and the 212 * user did not change these fields, the autofilled value is sent back to the service in the 213 * subsequent calls (and can be obtained by calling 214 * {@link android.app.assist.AssistStructure.ViewNode#getAutofillValue()}). This is useful in the 215 * cases where the service must create datasets for a partition based on the choice made in a 216 * previous partition. For example, the 1st response for a screen that have credentials and address 217 * partitions could be: 218 * 219 * <pre class="prettyprint"> 220 * new FillResponse.Builder() 221 * .addDataset(new Dataset.Builder() // partition 1 (credentials) 222 * .setValue(id1, AutofillValue.forText("homer"), createPresentation("homer")) 223 * .setValue(id2, AutofillValue.forText("D'OH!"), createPresentation("password for homer")) 224 * .build()) 225 * .addDataset(new Dataset.Builder() // partition 1 (credentials) 226 * .setValue(id1, AutofillValue.forText("flanders"), createPresentation("flanders")) 227 * .setValue(id2, AutofillValue.forText("OkelyDokelyDo"), createPresentation("password for flanders")) 228 * .build()) 229 * .setSaveInfo(new SaveInfo.Builder(SaveInfo.SAVE_DATA_TYPE_PASSWORD, 230 * new AutofillId[] { id1, id2 }) 231 * .build()) 232 * .build(); 233 * </pre> 234 * 235 * <p>Then if the user selected {@code flanders}, the service would get a new 236 * {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback)} call, with the values of 237 * the fields {@code id1} and {@code id2} prepopulated, so the service could then fetch the address 238 * for the Flanders account and return the following {@link FillResponse} for the address partition: 239 * 240 * <pre class="prettyprint"> 241 * new FillResponse.Builder() 242 * .addDataset(new Dataset.Builder() // partition 2 (address) 243 * .setValue(id3, AutofillValue.forText("744 Evergreen Terrace"), createPresentation("744 Evergreen Terrace")) // street 244 * .setValue(id4, AutofillValue.forText("Springfield"), createPresentation("Springfield")) // city 245 * .build()) 246 * .setSaveInfo(new SaveInfo.Builder(SaveInfo.SAVE_DATA_TYPE_PASSWORD | SaveInfo.SAVE_DATA_TYPE_ADDRESS, 247 * new AutofillId[] { id1, id2 }) // username and password 248 * .setOptionalIds(new AutofillId[] { id3, id4 }) // state and zipcode 249 * .build()) 250 * .build(); 251 * </pre> 252 * 253 * <p>When the service returns multiple {@link FillResponse}, the last one overrides the previous; 254 * that's why the {@link SaveInfo} in the 2nd request above has the info for both partitions. 255 * 256 * <a name="PackageVerification"></a> 257 * <h3>Package verification</h3> 258 * 259 * <p>When autofilling app-specific data (like username and password), the service must verify 260 * the authenticity of the request by obtaining all signing certificates of the app being 261 * autofilled, and only fulfilling the request when they match the values that were 262 * obtained when the data was first saved — such verification is necessary to avoid phishing 263 * attempts by apps that were sideloaded in the device with the same package name of another app. 264 * Here's an example on how to achieve that by hashing the signing certificates: 265 * 266 * <pre class="prettyprint"> 267 * private String getCertificatesHash(String packageName) throws Exception { 268 * PackageManager pm = mContext.getPackageManager(); 269 * PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES); 270 * ArrayList<String> hashes = new ArrayList<>(info.signatures.length); 271 * for (Signature sig : info.signatures) { 272 * byte[] cert = sig.toByteArray(); 273 * MessageDigest md = MessageDigest.getInstance("SHA-256"); 274 * md.update(cert); 275 * hashes.add(toHexString(md.digest())); 276 * } 277 * Collections.sort(hashes); 278 * StringBuilder hash = new StringBuilder(); 279 * for (int i = 0; i < hashes.size(); i++) { 280 * hash.append(hashes.get(i)); 281 * } 282 * return hash.toString(); 283 * } 284 * </pre> 285 * 286 * <p>If the service did not store the signing certificates data the first time the data was saved 287 * — for example, because the data was created by a previous version of the app that did not 288 * use the Autofill Framework — the service should warn the user that the authenticity of the 289 * app cannot be confirmed (see an example on how to show such warning in the 290 * <a href="#WebSecurityDisclaimer">Web security</a> section below), and if the user agrees, 291 * then the service could save the data from the signing ceriticates for future use. 292 * 293 * <a name="IgnoringViews"></a> 294 * <h3>Ignoring views</h3> 295 * 296 * <p>If the service find views that cannot be autofilled (for example, a text field representing 297 * the response to a Captcha challenge), it should mark those views as ignored by 298 * calling {@link FillResponse.Builder#setIgnoredIds(AutofillId...)} so the system does not trigger 299 * a new {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback)} when these views are 300 * focused. 301 * 302 * <a name="WebSecurity"></a> 303 * <h3>Web security</h3> 304 * 305 * <p>When handling autofill requests that represent web pages (typically 306 * view structures whose root's {@link android.app.assist.AssistStructure.ViewNode#getClassName()} 307 * is a {@link android.webkit.WebView}), the service should take the following steps to verify if 308 * the structure can be autofilled with the data associated with the app requesting it: 309 * 310 * <ol> 311 * <li>Use the {@link android.app.assist.AssistStructure.ViewNode#getWebDomain()} to get the 312 * source of the document. 313 * <li>Get the canonical domain using the 314 * <a href="https://publicsuffix.org/">Public Suffix List</a> (see example below). 315 * <li>Use <a href="https://developers.google.com/digital-asset-links/">Digital Asset Links</a> 316 * to obtain the package name and certificate fingerprint of the package corresponding to 317 * the canonical domain. 318 * <li>Make sure the certificate fingerprint matches the value returned by Package Manager 319 * (see "Package verification" section above). 320 * </ol> 321 * 322 * <p>Here's an example on how to get the canonical domain using 323 * <a href="https://github.com/google/guava">Guava</a>: 324 * 325 * <pre class="prettyprint"> 326 * private static String getCanonicalDomain(String domain) { 327 * InternetDomainName idn = InternetDomainName.from(domain); 328 * while (idn != null && !idn.isTopPrivateDomain()) { 329 * idn = idn.parent(); 330 * } 331 * return idn == null ? null : idn.toString(); 332 * } 333 * </pre> 334 * 335 * <a name="WebSecurityDisclaimer"></a> 336 * <p>If the association between the web domain and app package cannot be verified through the steps 337 * above, but the service thinks that it is appropriate to fill persisted credentials that are 338 * stored for the web domain, the service should warn the user about the potential data 339 * leakage first, and ask for the user to confirm. For example, the service could: 340 * 341 * <ol> 342 * <li>Create a dataset that requires 343 * {@link Dataset.Builder#setAuthentication(android.content.IntentSender) authentication} to 344 * unlock. 345 * <li>Include the web domain in the custom presentation for the 346 * {@link Dataset.Builder#setValue(AutofillId, AutofillValue, android.widget.RemoteViews) 347 * dataset value}. 348 * <li>When the user selects that dataset, show a disclaimer dialog explaining that the app is 349 * requesting credentials for a web domain, but the service could not verify if the app owns 350 * that domain. If the user agrees, then the service can unlock the dataset. 351 * <li>Similarly, when adding a {@link SaveInfo} object for the request, the service should 352 * include the above disclaimer in the {@link SaveInfo.Builder#setDescription(CharSequence)}. 353 * </ol> 354 * 355 * <p>This same procedure could also be used when the autofillable data is contained inside an 356 * {@code IFRAME}, in which case the WebView generates a new autofill context when a node inside 357 * the {@code IFRAME} is focused, with the root node containing the {@code IFRAME}'s {@code src} 358 * attribute on {@link android.app.assist.AssistStructure.ViewNode#getWebDomain()}. A typical and 359 * legitimate use case for this scenario is a financial app that allows the user 360 * to login on different bank accounts. For example, a financial app {@code my_financial_app} could 361 * use a WebView that loads contents from {@code banklogin.my_financial_app.com}, which contains an 362 * {@code IFRAME} node whose {@code src} attribute is {@code login.some_bank.com}. When fulfilling 363 * that request, the service could add an 364 * {@link Dataset.Builder#setAuthentication(android.content.IntentSender) authenticated dataset} 365 * whose presentation displays "Username for some_bank.com" and 366 * "Password for some_bank.com". Then when the user taps one of these options, the service 367 * shows the disclaimer dialog explaining that selecting that option would release the 368 * {@code login.some_bank.com} credentials to the {@code my_financial_app}; if the user agrees, 369 * then the service returns an unlocked dataset with the {@code some_bank.com} credentials. 370 * 371 * <p><b>Note:</b> The autofill service could also add well-known browser apps into an allowlist and 372 * skip the verifications above, as long as the service can verify the authenticity of the browser 373 * app by checking its signing certificate. 374 * 375 * <a name="MultipleStepsSave"></a> 376 * <h3>Saving when data is split in multiple screens</h3> 377 * 378 * Apps often split the user data in multiple screens in the same activity, specially in 379 * activities used to create a new user account. For example, the first screen asks for a username, 380 * and if the username is available, it moves to a second screen, which asks for a password. 381 * 382 * <p>It's tricky to handle save for autofill in these situations, because the autofill service must 383 * wait until the user enters both fields before the autofill save UI can be shown. But it can be 384 * done by following the steps below: 385 * 386 * <ol> 387 * <li>In the first 388 * {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback) fill request}, the service 389 * adds a {@link FillResponse.Builder#setClientState(android.os.Bundle) client state bundle} in 390 * the response, containing the autofill ids of the partial fields present in the screen. 391 * <li>In the second 392 * {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback) fill request}, the service 393 * retrieves the {@link FillRequest#getClientState() client state bundle}, gets the autofill ids 394 * set in the previous request from the client state, and adds these ids and the 395 * {@link SaveInfo#FLAG_SAVE_ON_ALL_VIEWS_INVISIBLE} to the {@link SaveInfo} used in the second 396 * response. 397 * <li>In the {@link #onSaveRequest(SaveRequest, SaveCallback) save request}, the service uses the 398 * proper {@link FillContext fill contexts} to get the value of each field (there is one fill 399 * context per fill request). 400 * </ol> 401 * 402 * <p>For example, in an app that uses 2 steps for the username and password fields, the workflow 403 * would be: 404 * <pre class="prettyprint"> 405 * // On first fill request 406 * AutofillId usernameId = // parse from AssistStructure; 407 * Bundle clientState = new Bundle(); 408 * clientState.putParcelable("usernameId", usernameId); 409 * fillCallback.onSuccess( 410 * new FillResponse.Builder() 411 * .setClientState(clientState) 412 * .setSaveInfo(new SaveInfo 413 * .Builder(SaveInfo.SAVE_DATA_TYPE_USERNAME, new AutofillId[] {usernameId}) 414 * .build()) 415 * .build()); 416 * 417 * // On second fill request 418 * Bundle clientState = fillRequest.getClientState(); 419 * AutofillId usernameId = clientState.getParcelable("usernameId"); 420 * AutofillId passwordId = // parse from AssistStructure 421 * clientState.putParcelable("passwordId", passwordId); 422 * fillCallback.onSuccess( 423 * new FillResponse.Builder() 424 * .setClientState(clientState) 425 * .setSaveInfo(new SaveInfo 426 * .Builder(SaveInfo.SAVE_DATA_TYPE_USERNAME | SaveInfo.SAVE_DATA_TYPE_PASSWORD, 427 * new AutofillId[] {usernameId, passwordId}) 428 * .setFlags(SaveInfo.FLAG_SAVE_ON_ALL_VIEWS_INVISIBLE) 429 * .build()) 430 * .build()); 431 * 432 * // On save request 433 * Bundle clientState = saveRequest.getClientState(); 434 * AutofillId usernameId = clientState.getParcelable("usernameId"); 435 * AutofillId passwordId = clientState.getParcelable("passwordId"); 436 * List<FillContext> fillContexts = saveRequest.getFillContexts(); 437 * 438 * FillContext usernameContext = fillContexts.get(0); 439 * ViewNode usernameNode = findNodeByAutofillId(usernameContext.getStructure(), usernameId); 440 * AutofillValue username = usernameNode.getAutofillValue().getTextValue().toString(); 441 * 442 * FillContext passwordContext = fillContexts.get(1); 443 * ViewNode passwordNode = findNodeByAutofillId(passwordContext.getStructure(), passwordId); 444 * AutofillValue password = passwordNode.getAutofillValue().getTextValue().toString(); 445 * 446 * save(username, password); 447 * </pre> 448 * 449 * <a name="Privacy"></a> 450 * <h3>Privacy</h3> 451 * 452 * <p>The {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback)} method is called 453 * without the user content. The Android system strips some properties of the 454 * {@link android.app.assist.AssistStructure.ViewNode view nodes} passed to this call, but not all 455 * of them. For example, the data provided in the {@link android.view.ViewStructure.HtmlInfo} 456 * objects set by {@link android.webkit.WebView} is never stripped out. 457 * 458 * <p>Because this data could contain PII (Personally Identifiable Information, such as username or 459 * email address), the service should only use it locally (i.e., in the app's process) for 460 * heuristics purposes, but it should not be sent to external servers. 461 * 462 * <a name="FieldClassification"></a> 463 * <h3>Metrics and field classification</h3> 464 * 465 * <p>The service can call {@link #getFillEventHistory()} to get metrics representing the user 466 * actions, and then use these metrics to improve its heuristics. 467 * 468 * <p>Prior to Android {@link android.os.Build.VERSION_CODES#P}, the metrics covered just the 469 * scenarios where the service knew how to autofill an activity, but Android 470 * {@link android.os.Build.VERSION_CODES#P} introduced a new mechanism called field classification, 471 * which allows the service to dynamically classify the meaning of fields based on the existing user 472 * data known by the service. 473 * 474 * <p>Typically, field classification can be used to detect fields that can be autofilled with 475 * user data that is not associated with a specific app—such as email and physical 476 * address. Once the service identifies that a such field was manually filled by the user, the 477 * service could use this signal to improve its heuristics on subsequent requests (for example, by 478 * infering which resource ids are associated with known fields). 479 * 480 * <p>The field classification workflow involves 4 steps: 481 * 482 * <ol> 483 * <li>Set the user data through {@link AutofillManager#setUserData(UserData)}. This data is 484 * cached until the system restarts (or the service is disabled), so it doesn't need to be set for 485 * all requests. 486 * <li>Identify which fields should be analysed by calling 487 * {@link FillResponse.Builder#setFieldClassificationIds(AutofillId...)}. 488 * <li>Verify the results through {@link FillEventHistory.Event#getFieldsClassification()}. 489 * <li>Use the results to dynamically create {@link Dataset} or {@link SaveInfo} objects in 490 * subsequent requests. 491 * </ol> 492 * 493 * <p>The field classification is an expensive operation and should be used carefully, otherwise it 494 * can reach its rate limit and get blocked by the Android System. Ideally, it should be used just 495 * in cases where the service could not determine how an activity can be autofilled, but it has a 496 * strong suspicious that it could. For example, if an activity has four or more fields and one of 497 * them is a list, chances are that these are address fields (like address, city, state, and 498 * zip code). 499 * 500 * <a name="CompatibilityMode"></a> 501 * <h3>Compatibility mode</h3> 502 * 503 * <p>Apps that use standard Android widgets support autofill out-of-the-box and need to do 504 * very little to improve their user experience (annotating autofillable views and providing 505 * autofill hints). However, some apps (typically browsers) do their own rendering and the rendered 506 * content may contain semantic structure that needs to be surfaced to the autofill framework. The 507 * platform exposes APIs to achieve this, however it could take some time until these apps implement 508 * autofill support. 509 * 510 * <p>To enable autofill for such apps the platform provides a compatibility mode in which the 511 * platform would fall back to the accessibility APIs to generate the state reported to autofill 512 * services and fill data. This mode needs to be explicitly requested for a given package up 513 * to a specified max version code allowing clean migration path when the target app begins to 514 * support autofill natively. Note that enabling compatibility may degrade performance for the 515 * target package and should be used with caution. The platform supports creating an allowlist for 516 * including which packages can be targeted in compatibility mode to ensure this mode is used only 517 * when needed and as long as needed. 518 * 519 * <p>You can request compatibility mode for packages of interest in the meta-data resource 520 * associated with your service. Below is a sample service declaration: 521 * 522 * <pre> <service android:name=".MyAutofillService" 523 * android:permission="android.permission.BIND_AUTOFILL_SERVICE"> 524 * <intent-filter> 525 * <action android:name="android.service.autofill.AutofillService" /> 526 * </intent-filter> 527 * <meta-data android:name="android.autofill" android:resource="@xml/autofillservice" /> 528 * </service></pre> 529 * 530 * <p>In the XML file you can specify one or more packages for which to enable compatibility 531 * mode. Below is a sample meta-data declaration: 532 * 533 * <pre> <autofill-service xmlns:android="http://schemas.android.com/apk/res/android"> 534 * <compatibility-package android:name="foo.bar.baz" android:maxLongVersionCode="1000000000"/> 535 * </autofill-service></pre> 536 * 537 * <p>Notice that compatibility mode has limitations such as: 538 * <ul> 539 * <li>No manual autofill requests. Hence, the {@link FillRequest} 540 * {@link FillRequest#getFlags() flags} never have the {@link FillRequest#FLAG_MANUAL_REQUEST} flag. 541 * <li>The value of password fields are most likely masked—for example, {@code ****} instead 542 * of {@code 1234}. Hence, you must be careful when using these values to avoid updating the user 543 * data with invalid input. For example, when you parse the {@link FillRequest} and detect a 544 * password field, you could check if its 545 * {@link android.app.assist.AssistStructure.ViewNode#getInputType() 546 * input type} has password flags and if so, don't add it to the {@link SaveInfo} object. 547 * <li>The autofill context is not always {@link AutofillManager#commit() committed} when an HTML 548 * form is submitted. Hence, you must use other mechanisms to trigger save, such as setting the 549 * {@link SaveInfo#FLAG_SAVE_ON_ALL_VIEWS_INVISIBLE} flag on {@link SaveInfo.Builder#setFlags(int)} 550 * or using {@link SaveInfo.Builder#setTriggerId(AutofillId)}. 551 * <li>Browsers often provide their own autofill management system. When both the browser and 552 * the platform render an autofill dialog at the same time, the result can be confusing to the user. 553 * Such browsers typically offer an option for users to disable autofill, so your service should 554 * also allow users to disable compatiblity mode for specific apps. That way, it is up to the user 555 * to decide which autofill mechanism—the browser's or the platform's—should be used. 556 * </ul> 557 */ 558 public abstract class AutofillService extends Service { 559 private static final String TAG = "AutofillService"; 560 561 /** 562 * The {@link Intent} that must be declared as handled by the service. 563 * To be supported, the service must also require the 564 * {@link android.Manifest.permission#BIND_AUTOFILL_SERVICE} permission so 565 * that other applications can not abuse it. 566 */ 567 @SdkConstant(SdkConstant.SdkConstantType.SERVICE_ACTION) 568 public static final String SERVICE_INTERFACE = "android.service.autofill.AutofillService"; 569 570 /** 571 * Name under which a AutoFillService component publishes information about itself. 572 * This meta-data should reference an XML resource containing a 573 * <code><{@link 574 * android.R.styleable#AutofillService autofill-service}></code> tag. 575 * This is a a sample XML file configuring an AutoFillService: 576 * <pre> <autofill-service 577 * android:settingsActivity="foo.bar.SettingsActivity" 578 * . . . 579 * /></pre> 580 */ 581 public static final String SERVICE_META_DATA = "android.autofill"; 582 583 /** 584 * Name of the {@link FillResponse} extra used to return a delayed fill response. 585 * 586 * <p>Please see {@link FillRequest#getDelayedFillIntentSender()} on how to send a delayed 587 * fill response to framework.</p> 588 */ 589 public static final String EXTRA_FILL_RESPONSE = "android.service.autofill.extra.FILL_RESPONSE"; 590 591 /** 592 * Name of the {@link IResultReceiver} extra used to return the primary result of a request. 593 * 594 * @hide 595 */ 596 public static final String EXTRA_RESULT = "result"; 597 598 /** 599 * Name of the {@link IResultReceiver} extra used to return the error reason of a request. 600 * 601 * @hide 602 */ 603 public static final String EXTRA_ERROR = "error"; 604 605 /** 606 * Name of the key used to mark whether the fill response is for a webview. 607 * 608 * @hide 609 */ 610 public static final String WEBVIEW_REQUESTED_CREDENTIAL_KEY = "webview_requested_credential"; 611 612 613 private final IAutoFillService mInterface = new IAutoFillService.Stub() { 614 @Override 615 public void onConnectedStateChanged(boolean connected) { 616 mHandler.sendMessage(obtainMessage( 617 connected ? AutofillService::onConnected : AutofillService::onDisconnected, 618 AutofillService.this)); 619 } 620 621 @Override 622 public void onFillRequest(FillRequest request, IFillCallback callback) { 623 ICancellationSignal transport = CancellationSignal.createTransport(); 624 try { 625 callback.onCancellable(transport); 626 } catch (RemoteException e) { 627 e.rethrowFromSystemServer(); 628 } 629 mHandler.sendMessage(obtainMessage( 630 AutofillService::onFillRequest, 631 AutofillService.this, request, CancellationSignal.fromTransport(transport), 632 new FillCallback(callback, request.getId()))); 633 } 634 635 @Override 636 public void onConvertCredentialRequest( 637 @NonNull ConvertCredentialRequest convertCredentialRequest, 638 @NonNull IConvertCredentialCallback convertCredentialCallback) { 639 mHandler.sendMessage(obtainMessage( 640 AutofillService::onConvertCredentialRequest, 641 AutofillService.this, convertCredentialRequest, 642 new ConvertCredentialCallback(convertCredentialCallback))); 643 } 644 645 @Override 646 public void onFillCredentialRequest(FillRequest request, IFillCallback callback, 647 IBinder autofillClientCallback) { 648 ICancellationSignal transport = CancellationSignal.createTransport(); 649 try { 650 callback.onCancellable(transport); 651 } catch (RemoteException e) { 652 e.rethrowFromSystemServer(); 653 } 654 mHandler.sendMessage(obtainMessage( 655 AutofillService::onFillCredentialRequest, 656 AutofillService.this, request, CancellationSignal.fromTransport(transport), 657 new FillCallback(callback, request.getId()), 658 autofillClientCallback)); 659 } 660 661 @Override 662 public void onSaveRequest(SaveRequest request, ISaveCallback callback) { 663 mHandler.sendMessage(obtainMessage( 664 AutofillService::onSaveRequest, 665 AutofillService.this, request, new SaveCallback(callback))); 666 } 667 668 @Override 669 public void onSavedPasswordCountRequest(IResultReceiver receiver) { 670 mHandler.sendMessage(obtainMessage( 671 AutofillService::onSavedDatasetsInfoRequest, 672 AutofillService.this, 673 new SavedDatasetsInfoCallbackImpl(receiver, SavedDatasetsInfo.TYPE_PASSWORDS))); 674 } 675 676 @Override 677 public void onSessionDestroyed(@Nullable FillEventHistory history) { 678 mHandler.sendMessage(obtainMessage( 679 AutofillService::onSessionDestroyed, 680 AutofillService.this, 681 history)); 682 } 683 }; 684 685 private Handler mHandler; 686 687 @CallSuper 688 @Override onCreate()689 public void onCreate() { 690 super.onCreate(); 691 mHandler = new Handler(Looper.getMainLooper(), null, true); 692 BaseBundle.setShouldDefuse(true); 693 } 694 695 @Override onBind(Intent intent)696 public final IBinder onBind(Intent intent) { 697 if (SERVICE_INTERFACE.equals(intent.getAction())) { 698 return mInterface.asBinder(); 699 } 700 Log.w(TAG, "Tried to bind to wrong intent (should be " + SERVICE_INTERFACE + ": " + intent); 701 return null; 702 } 703 704 /** 705 * Called when the Android system connects to service. 706 * 707 * <p>You should generally do initialization here rather than in {@link #onCreate}. 708 */ onConnected()709 public void onConnected() { 710 } 711 712 /** 713 * Called by the Android system do decide if a screen can be autofilled by the service. 714 * 715 * <p>Service must call one of the {@link FillCallback} methods (like 716 * {@link FillCallback#onSuccess(FillResponse)} 717 * or {@link FillCallback#onFailure(CharSequence)}) 718 * to notify the result of the request. 719 * 720 * @param request the {@link FillRequest request} to handle. 721 * See {@link FillResponse} for examples of multiple-sections requests. 722 * @param cancellationSignal signal for observing cancellation requests. The system will use 723 * this to notify you that the fill result is no longer needed and you should stop 724 * handling this fill request in order to save resources. 725 * @param callback object used to notify the result of the request. 726 */ onFillRequest(@onNull FillRequest request, @NonNull CancellationSignal cancellationSignal, @NonNull FillCallback callback)727 public abstract void onFillRequest(@NonNull FillRequest request, 728 @NonNull CancellationSignal cancellationSignal, @NonNull FillCallback callback); 729 730 /** 731 * Variant of onFillRequest for internal credential manager proxy autofill service only. 732 * 733 * @hide 734 */ onFillCredentialRequest(@onNull FillRequest request, @NonNull CancellationSignal cancellationSignal, @NonNull FillCallback callback, @NonNull IBinder autofillClientCallback)735 public void onFillCredentialRequest(@NonNull FillRequest request, 736 @NonNull CancellationSignal cancellationSignal, @NonNull FillCallback callback, 737 @NonNull IBinder autofillClientCallback) {} 738 739 /** 740 * Called by the Android system to convert a credential manager response to a dataset 741 * 742 * @param convertCredentialRequest the request that has the original credential manager response 743 * @param convertCredentialCallback callback used to notify the result of the request. 744 * 745 * @hide 746 */ onConvertCredentialRequest( @onNull ConvertCredentialRequest convertCredentialRequest, @NonNull ConvertCredentialCallback convertCredentialCallback)747 public void onConvertCredentialRequest( 748 @NonNull ConvertCredentialRequest convertCredentialRequest, 749 @NonNull ConvertCredentialCallback convertCredentialCallback){} 750 751 /** 752 * Called when the user requests the service to save the contents of a screen. 753 * 754 * <p>If the service could not handle the request right away—for example, because it must 755 * launch an activity asking the user to authenticate first or because the network is 756 * down—the service could keep the {@link SaveRequest request} and reuse it later, 757 * but the service <b>must always</b> call {@link SaveCallback#onSuccess()} or 758 * {@link SaveCallback#onSuccess(android.content.IntentSender)} right away. 759 * 760 * <p><b>Note:</b> To retrieve the actual value of fields input by the user, the service 761 * should call 762 * {@link android.app.assist.AssistStructure.ViewNode#getAutofillValue()}; if it calls 763 * {@link android.app.assist.AssistStructure.ViewNode#getText()} or other methods, there is no 764 * guarantee such method will return the most recent value of the field. 765 * 766 * @param request the {@link SaveRequest request} to handle. 767 * See {@link FillResponse} for examples of multiple-sections requests. 768 * @param callback object used to notify the result of the request. 769 */ onSaveRequest(@onNull SaveRequest request, @NonNull SaveCallback callback)770 public abstract void onSaveRequest(@NonNull SaveRequest request, 771 @NonNull SaveCallback callback); 772 773 /** 774 * Called from system settings to display information about the datasets the user saved to this 775 * service. 776 * 777 * <p>There is no timeout for the request, but it's recommended to return the result within a 778 * few seconds, or the user may navigate away from the activity that would display the result. 779 * 780 * @param callback callback for responding to the request 781 */ onSavedDatasetsInfoRequest(@onNull SavedDatasetsInfoCallback callback)782 public void onSavedDatasetsInfoRequest(@NonNull SavedDatasetsInfoCallback callback) { 783 callback.onError(SavedDatasetsInfoCallback.ERROR_UNSUPPORTED); 784 } 785 786 /** 787 * Called when the Android system disconnects from the service. 788 * 789 * <p> At this point this service may no longer be an active {@link AutofillService}. 790 * It should not make calls on {@link AutofillManager} that requires the caller to be 791 * the current service. 792 */ onDisconnected()793 public void onDisconnected() { 794 } 795 796 /** 797 * Called when an Autofill context has ended and the Autofill session is finished. This will be 798 * called as the last step of the Autofill lifecycle described in {@link AutofillManager}. 799 * 800 * <p>This will also contain the finished Session's FillEventHistory, so providers do not need 801 * to explicitly call {@link #getFillEventHistory()} 802 * 803 * <p>This will usually happens whenever {@link AutofillManager#commit()} or {@link 804 * AutofillManager#cancel()} is called. 805 */ 806 @FlaggedApi(FLAG_AUTOFILL_SESSION_DESTROYED) onSessionDestroyed(@ullable FillEventHistory history)807 public void onSessionDestroyed(@Nullable FillEventHistory history) {} 808 809 /** 810 * Gets the events that happened after the last {@link 811 * AutofillService#onFillRequest(FillRequest, android.os.CancellationSignal, FillCallback)} 812 * call. 813 * 814 * <p>This method is typically used to keep track of previous user actions to optimize further 815 * requests. For example, the service might return email addresses in alphabetical order by 816 * default, but change that order based on the address the user picked on previous requests. 817 * 818 * <p>The history is not persisted over reboots, and it's cleared every time the service replies 819 * to a {@link #onFillRequest(FillRequest, CancellationSignal, FillCallback)} by calling {@link 820 * FillCallback#onSuccess(FillResponse)} or {@link FillCallback#onFailure(CharSequence)} (if the 821 * service doesn't call any of these methods, the history will clear out after some pre-defined 822 * time). Hence, the service should call {@link #getFillEventHistory()} before finishing the 823 * {@link FillCallback}. 824 * 825 * @return The history or {@code null} if there are no events. 826 * @throws RuntimeException if the event history could not be retrieved. 827 * @deprecated Use {@link #onSessionDestroyed(FillEventHistory) instead} 828 */ 829 @FlaggedApi(FLAG_AUTOFILL_SESSION_DESTROYED) 830 @Deprecated 831 @Nullable getFillEventHistory()832 public final FillEventHistory getFillEventHistory() { 833 final AutofillManager afm = getSystemService(AutofillManager.class); 834 835 if (afm == null) { 836 return null; 837 } else { 838 return afm.getFillEventHistory(); 839 } 840 } 841 } 842