7 files changed, 45 insertions, 15 deletions

diff --git a/core/java/android/hardware/face/FaceManager.java b/core/java/android/hardware/face/FaceManager.java
index 6bda46b0b692..3a0660db2b05 100644
--- a/core/java/android/hardware/face/FaceManager.java
+++ b/core/java/android/hardware/face/FaceManager.java
@@ -699,6 +699,9 @@ public class FaceManager implements BiometricAuthenticator, BiometricFaceConstan
                 return context.getString(com.android.internal.R.string.face_error_not_enrolled);
             case FACE_ERROR_HW_NOT_PRESENT:
                 return context.getString(com.android.internal.R.string.face_error_hw_not_present);
+            case BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED:
+                return context.getString(
+                        com.android.internal.R.string.face_error_security_update_required);
             case FACE_ERROR_VENDOR: {
                 String[] msgArray = context.getResources().getStringArray(
                         com.android.internal.R.array.face_error_vendor);
diff --git a/core/java/android/hardware/fingerprint/FingerprintManager.java b/core/java/android/hardware/fingerprint/FingerprintManager.java
index ea576bc569d2..f301a5cddc9c 100644
--- a/core/java/android/hardware/fingerprint/FingerprintManager.java
+++ b/core/java/android/hardware/fingerprint/FingerprintManager.java
@@ -1011,6 +1011,9 @@ public class FingerprintManager implements BiometricAuthenticator, BiometricFing
             case FINGERPRINT_ERROR_HW_NOT_PRESENT:
                 return context.getString(
                         com.android.internal.R.string.fingerprint_error_hw_not_present);
+            case BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED:
+                return context.getString(
+                        com.android.internal.R.string.fingerprint_error_security_update_required);
             case FINGERPRINT_ERROR_VENDOR: {
                     String[] msgArray = context.getResources().getStringArray(
                             com.android.internal.R.array.fingerprint_error_vendor);
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 39cd00ce1809..1ba832377001 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -1483,6 +1483,8 @@
     <string name="fingerprint_error_no_fingerprints">No fingerprints enrolled.</string>
     <!-- Generic error message shown when the app requests fingerprint authentication on a device without a sensor -->
     <string name="fingerprint_error_hw_not_present">This device does not have a fingerprint sensor.</string>
+    <!-- Generic error message shown when fingerprint is not available due to a security vulnerability. [CHAR LIMIT=50] -->
+    <string name="fingerprint_error_security_update_required">Sensor temporarily disabled.</string>
 
     <!-- Template to be used to name enrolled fingerprints by default. -->
     <string name="fingerprint_name_template">Finger <xliff:g id="fingerId" example="1">%d</xliff:g></string>
@@ -1574,6 +1576,8 @@
     <string name="face_error_not_enrolled">You haven\u2019t set up face unlock.</string>
     <!-- Generic error message shown when the app requests face unlock on a device without a sensor. [CHAR LIMIT=61] -->
     <string name="face_error_hw_not_present">Face unlock is not supported on this device.</string>
+    <!-- Generic error message shown when face unlock is not available due to a security vulnerability. [CHAR LIMIT=50] -->
+    <string name="face_error_security_update_required">Sensor temporarily disabled.</string>
 
     <!-- Template to be used to name enrolled faces by default. [CHAR LIMIT=10] -->
     <string name="face_name_template">Face <xliff:g id="faceId" example="1">%d</xliff:g></string>
diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml
index 85810849f899..5aefe1171246 100644
--- a/core/res/res/values/symbols.xml
+++ b/core/res/res/values/symbols.xml
@@ -2458,6 +2458,7 @@
   <java-symbol type="string" name="fingerprint_authenticated" />
   <java-symbol type="string" name="fingerprint_error_no_fingerprints" />
   <java-symbol type="string" name="fingerprint_error_hw_not_present" />
+  <java-symbol type="string" name="fingerprint_error_security_update_required" />
 
   <!-- Fingerprint config -->
   <java-symbol type="integer" name="config_fingerprintMaxTemplatesPerUser"/>
@@ -2502,6 +2503,7 @@
   <java-symbol type="string" name="face_name_template" />
   <java-symbol type="string" name="face_authenticated_no_confirmation_required" />
   <java-symbol type="string" name="face_authenticated_confirmation_required" />
+  <java-symbol type="string" name="face_error_security_update_required" />
 
   <java-symbol type="array" name="config_biometric_sensors" />
 
diff --git a/services/core/java/com/android/server/biometrics/BiometricService.java b/services/core/java/com/android/server/biometrics/BiometricService.java
index df1b899edea4..3f6e88dfc087 100644
--- a/services/core/java/com/android/server/biometrics/BiometricService.java
+++ b/services/core/java/com/android/server/biometrics/BiometricService.java
@@ -782,6 +782,8 @@ public class BiometricService extends SystemService {
             }
 
             mAuthenticators.add(new AuthenticatorWrapper(id, modality, strength, authenticator));
+
+            mBiometricStrengthController.updateStrengths();
         }
 
         @Override // Binder call
diff --git a/services/core/java/com/android/server/biometrics/BiometricStrengthController.java b/services/core/java/com/android/server/biometrics/BiometricStrengthController.java
index 4e16189e3ad1..ca7ca5b7cbcc 100644
--- a/services/core/java/com/android/server/biometrics/BiometricStrengthController.java
+++ b/services/core/java/com/android/server/biometrics/BiometricStrengthController.java
@@ -29,7 +29,7 @@ import java.util.Map;
  * Class for maintaining and updating the strengths for biometric sensors. Strengths can only
  * be downgraded from the device's default, and never upgraded.
  */
-public class BiometricStrengthController implements DeviceConfig.OnPropertiesChangedListener {
+public class BiometricStrengthController {
     private static final String TAG = "BiometricStrengthController";
 
     private final BiometricService mService;
@@ -41,7 +41,7 @@ public class BiometricStrengthController implements DeviceConfig.OnPropertiesCha
      * "id1:strength1,id2:strength2,id3:strength3"
      *
      * where strength is one of the values defined in
-     * {@link android.hardware.biometrics.Authenticators}
+     * {@link android.hardware.biometrics.BiometricManager.Authenticators}
      *
      * Both id and strength should be int, otherwise Exception will be thrown when parsing and the
      * downgrade will fail.
@@ -53,30 +53,28 @@ public class BiometricStrengthController implements DeviceConfig.OnPropertiesCha
      */
     public static final String DEFAULT_BIOMETRIC_STRENGTHS = null;
 
-    BiometricStrengthController(@NonNull BiometricService service) {
-        mService = service;
-    }
-
-    void startListening() {
-        DeviceConfig.addOnPropertiesChangedListener(DeviceConfig.NAMESPACE_BIOMETRICS,
-                BackgroundThread.getExecutor(), this);
-        updateStrengths();
-    }
-
-    @Override
-    public void onPropertiesChanged(@NonNull DeviceConfig.Properties properties) {
+    private DeviceConfig.OnPropertiesChangedListener mDeviceConfigListener = properties -> {
         for (String name : properties.getKeyset()) {
             if (KEY_BIOMETRIC_STRENGTHS.equals(name)) {
                 updateStrengths();
             }
         }
+    };
+
+    public BiometricStrengthController(@NonNull BiometricService service) {
+        mService = service;
+    }
+
+    public void startListening() {
+        DeviceConfig.addOnPropertiesChangedListener(DeviceConfig.NAMESPACE_BIOMETRICS,
+                BackgroundThread.getExecutor(), mDeviceConfigListener);
     }
 
     /**
      * Updates the strengths of authenticators in BiometricService if a matching ID's configuration
      * has been changed.
      */
-    private void updateStrengths() {
+    public void updateStrengths() {
         final Map<Integer, Integer> idToStrength = getIdToStrengthMap();
         if (idToStrength == null) {
             return;
diff --git a/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java b/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java
index 8a7462c5fb33..164ee3184f5a 100644
--- a/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java
@@ -1095,6 +1095,24 @@ public class BiometricServiceTest {
     }
 
     @Test
+    public void testRegisterAuthenticator_updatesStrengths() throws Exception {
+        mBiometricService = new BiometricService(mContext, mInjector);
+        mBiometricService.onStart();
+
+        verify(mBiometricService.mBiometricStrengthController).startListening();
+        verify(mBiometricService.mBiometricStrengthController, never()).updateStrengths();
+
+        when(mFingerprintAuthenticator.hasEnrolledTemplates(anyInt(), any()))
+                .thenReturn(true);
+        when(mFingerprintAuthenticator.isHardwareDetected(any())).thenReturn(true);
+        mBiometricService.mImpl.registerAuthenticator(0 /* testId */,
+                BiometricAuthenticator.TYPE_FINGERPRINT, Authenticators.BIOMETRIC_STRONG,
+                mFingerprintAuthenticator);
+
+        verify(mBiometricService.mBiometricStrengthController).updateStrengths();
+    }
+
+    @Test
     public void testWithDowngradedAuthenticator() throws Exception {
         mBiometricService = new BiometricService(mContext, mInjector);
         mBiometricService.onStart();