Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-76722

Add encrypted mobile notifications support

    XMLWordPrintable

Details

    • MOODLE_401_STABLE
    • MOODLE_402_STABLE
    • MDL-76722-master
    • Hide

      Complete testing can't be performed without first setting up a copy of the modified app from MOBILE-4214

      The following testing can be carried out regardless of changes to the MOBILE app.

      Setup

      1. Ensure that your site is available globally (e.g. use ngrok)
      2. Register with the Airnotifier service (https://apps.moodle.com/)
      3. Navigate to Site administration -> Messaging -> Mobile
      4. Put the Airnotifier access key in place
      5. Ensure that you have a course with the following enrolled:
        • Your admin user
        • A student user
      6. Login to the site on the app using a student account
      7. Open the "Messaging" app
      8. Choose the "Settings" cog icon
      9. Ensure that the "Mobile" checkbox is ticked

      Test existing notifications with encryption disabled

      1. Login to the site as an administrator
      2. Navigate to Site administration -> Messaging -> Mobile
      3. Ensure that the setting `message_airnotifier | encryptnotifications` is off
      4. On the site as the admin, send a message to the student account
        1. Confirm the expected notification message arrived on the mobile device as normal

      Test existing notifications with encryption enabled but no device keys

      1. Login to the site as an administrator
      2. Navigate to Site administration -> Messaging -> Mobile
      3. Turn setting `message_airnotifier | encryptnotifications` to on
      4. On the site as the admin, send a message to the student account
        1. Confirm the expected notification message arrived on the mobile device as normal

      Testing encrypted notifications

      1. Open message/output/airnotifier/message_output_airnotifier.php in your editor
      2. Find the send_message function
      3. Add the following just before the call to $curl->post($serverurl, json_encode($params));:

                    // !!! MDL-76722: START OF TESTING HACK !!!
                    file_put_contents(make_temp_directory('mdl76722') . '/payload.json', json_encode($params));
                    // !!! MDL-76722: END OF TESTING HACK !!!
         
                    // JSON POST raw body request.
                    $resp = $curl->post($serverurl, json_encode($params));
        

      4. Grab the mdl76722.php file from this issue and place it into your moodle root
      5. Grab the userid of the student you have been messaging
      6. Run the script to generate a keypair (replace 42 by the actual user id):

        php mdl76722.php -u=42
        

      7. The script will output the public key and then wait
      8. Send another message to the student
        1. Confirm that the notification arrived on the mobile device, but was not decrypted
          NOTE: If you have an updated mobile app with MOBILE-4214 then it still won't work because this script will overwrite the public key with a new one.
          We do not have access to the private key as it is securely stored in the app.
          You will need to have the app generate a new keypair and then use that to encrypt the message after testing completes.
      9. Back in the CLI, press [enter] in the script
        1. Confirm that the message was decrypted
      10. Repeat with a really, really, really long message. It needs to be at least 4,000 bytes of json data.
      11. Back in the CLI, press [enter] in the script
        1. Confirm that the message was decrypted
        2. Confirm that the short message told you to "Tap to view"
        3. Confirm that the full message was empty
          Note: The mobile messaging does not actually put any content in the fullmessagehtml field.

      Testing with the App

      An Android version of the app is already available as an APK which can be manually installed.

      Ping Andrew for access to this with the required configuration.

      Testing with Android

      Note: you must run this test after the previous test, otherwise you'll have to either:

      • Log into the app with a different Moodle user (student)
      • Log out and log back into the app (and possibly clear the user_devices table too)

      Android Emulator

      If you do not have a real Android device, then you can use the Android Emulator from Android Studio.

      1. Download the Studio from https://developer.android.com/studio
      2. Install the Studio (this takes a while, and requires more heavy downloads)
      3. From the "More options" menu, open the "Virtual Device Manager"
      4. Create a virtual device for a recent device, against a recent version of Android OS
      5. Start your virtual device
      6. Drag + Drop the apk into the running device

      Real device + Emulator

      1. Open a connection to your database server
      2. Check for the list of entries in the mdl_user_devices table:

        select * from mdl_user_devices;
        

      3. Open message/output/airnotifier/message_output_airnotifier.php in your editor
      4. Find the send_message function
      5. Replace the payload.json line you added earlier with a simple error_log call dumping the JSON:

        error_log("Sending a payload to {$serverurl} with content " . json_encode($params));
        

      6. Log in to your Moodle site as the student in the app
      7. Check the list of device entries again using the above query
        1. Confirm that there is a new entry for this device
        2. Confirm that the publickey field is populated
      8. In the Web client, message the student
        1. Confirm that a notification appeared on the device
      9. Check your web server error logs and find the log entry for "Sending a payload to ..."
        1. Confirm that the encrypted field is populated
        2. Confirm that the following keys look like garbage (because they're encrypted):
          Note: Not all fields are always present
          1. userfromfullname
          2. userfromid
          3. sitefullname
          4. smallmessage
          5. fullmessage
          6. fullmessagehtml
          7. subject
          8. contexturl
      Show
      Complete testing can't be performed without first setting up a copy of the modified app from MOBILE-4214 The following testing can be carried out regardless of changes to the MOBILE app. Setup Ensure that your site is available globally (e.g. use ngrok) Register with the Airnotifier service ( https://apps.moodle.com/ ) Navigate to Site administration -> Messaging -> Mobile Put the Airnotifier access key in place Ensure that you have a course with the following enrolled: Your admin user A student user Login to the site on the app using a student account Open the "Messaging" app Choose the "Settings" cog icon Ensure that the "Mobile" checkbox is ticked Test existing notifications with encryption disabled Login to the site as an administrator Navigate to Site administration -> Messaging -> Mobile Ensure that the setting `message_airnotifier | encryptnotifications` is off On the site as the admin, send a message to the student account Confirm the expected notification message arrived on the mobile device as normal Test existing notifications with encryption enabled but no device keys Login to the site as an administrator Navigate to Site administration -> Messaging -> Mobile Turn setting `message_airnotifier | encryptnotifications` to on On the site as the admin, send a message to the student account Confirm the expected notification message arrived on the mobile device as normal Testing encrypted notifications Open message/output/airnotifier/message_output_airnotifier.php in your editor Find the send_message function Add the following just before the call to $curl->post($serverurl, json_encode($params)); : // !!! MDL-76722: START OF TESTING HACK !!! file_put_contents(make_temp_directory('mdl76722') . '/payload.json', json_encode($params)); // !!! MDL-76722: END OF TESTING HACK !!!   // JSON POST raw body request. $resp = $curl->post($serverurl, json_encode($params)); Grab the mdl76722.php file from this issue and place it into your moodle root Grab the userid of the student you have been messaging Run the script to generate a keypair (replace 42 by the actual user id): php mdl76722.php -u=42 The script will output the public key and then wait Send another message to the student Confirm that the notification arrived on the mobile device, but was not decrypted NOTE: If you have an updated mobile app with MOBILE-4214 then it still won't work because this script will overwrite the public key with a new one. We do not have access to the private key as it is securely stored in the app. You will need to have the app generate a new keypair and then use that to encrypt the message after testing completes. Back in the CLI, press [enter] in the script Confirm that the message was decrypted Repeat with a really, really, really long message. It needs to be at least 4,000 bytes of json data. Back in the CLI, press [enter] in the script Confirm that the message was decrypted Confirm that the short message told you to "Tap to view" Confirm that the full message was empty Note: The mobile messaging does not actually put any content in the fullmessagehtml field. Testing with the App An Android version of the app is already available as an APK which can be manually installed. Ping Andrew for access to this with the required configuration. Testing with Android Note: you must run this test after the previous test, otherwise you'll have to either: Log into the app with a different Moodle user (student) Log out and log back into the app (and possibly clear the user_devices table too) Android Emulator If you do not have a real Android device, then you can use the Android Emulator from Android Studio. Download the Studio from https://developer.android.com/studio Install the Studio (this takes a while, and requires more heavy downloads) From the "More options" menu, open the "Virtual Device Manager" Create a virtual device for a recent device, against a recent version of Android OS Start your virtual device Drag + Drop the apk into the running device Real device + Emulator Open a connection to your database server Check for the list of entries in the mdl_user_devices table: select * from mdl_user_devices; Open message/output/airnotifier/message_output_airnotifier.php in your editor Find the send_message function Replace the payload.json line you added earlier with a simple error_log call dumping the JSON: error_log("Sending a payload to {$serverurl} with content " . json_encode($params)); Log in to your Moodle site as the student in the app Check the list of device entries again using the above query Confirm that there is a new entry for this device Confirm that the publickey field is populated In the Web client, message the student Confirm that a notification appeared on the device Check your web server error logs and find the log entry for "Sending a payload to ..." Confirm that the encrypted field is populated Confirm that the following keys look like garbage (because they're encrypted): Note: Not all fields are always present userfromfullname userfromid sitefullname smallmessage fullmessage fullmessagehtml subject contexturl

    Description

      Copied from MOBILE-4214

      Encrypt mobile notifications should be encrypted so the AirNotifier server and platform notification service (Firebase/APN) cannot read user data.

      Fields to encrypt:

      • userfromfullname
      • smallmessage,
      • fullmessage
      • fullmessagehtml
      • subject
      • customdata

       

      A key pair should be generated on the device to be stored in the device keychain (Hardware module if possible).
      The public key will be registered against the device in Moodle (user_devices table).
      If the setting `tool_mobile/encryptnotifications` is on the relevant notification fields will be encrypted.
      When the device receives an encrypted notification it will be decrypted using the private key.

      Attachments

        1. encrypted notifications.png
          encrypted notifications.png
          480 kB
        2. encryption disabled~enabled.png
          encryption disabled~enabled.png
          66 kB
        3. mdl76722.php
          6 kB
        4. Moodle-app-debug.apk
          36.15 MB
        5. result_encryted_ios.png
          result_encryted_ios.png
          1.25 MB
        6. result_ios.png
          result_ios.png
          1.12 MB
        7. result_with_large_message_ios.png
          result_with_large_message_ios.png
          1.26 MB
        8. result_with_large_message.png
          result_with_large_message.png
          167 kB
        9. result.png
          result.png
          134 kB
        10. with the App.png
          with the App.png
          948 kB

        Issue Links

          Activity

            People

              alexmorris Alexander Morris
              alexmorris Alexander Morris
              Huong Nguyen Huong Nguyen
              Shamim Rezaie Shamim Rezaie
              Ron Carl Alfon Yu Ron Carl Alfon Yu
              Votes:
              2 Vote for this issue
              Watchers:
              20 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 4 days, 1 hour, 34 minutes
                  4d 1h 34m

                  Clockify

                    Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.