Issue with Card Reader Output Format on Ricoh MFP – Delimiters Missing in Card ID
Incident Properties
Question
Hi RiDP,
We are encountering an issue related to card reader input on Ricoh MFP devices.
Card Reader Information:
- Model: RFIDeas pcProx RDR-80581AKU KBD
- Vendor/Product ID: [0C27:3BFA]
We have configured the card reader using the rf IDEAS Configuration Utility with the following settings:
- Output format: XX:XXXX
- Delimiter ":" inserted using the “Insert Keystroke” function
Verification:
We have tested the card reader in the Test Area (outside the Ricoh MFP environment), and it correctly outputs the card ID in the desired format with the delimiter (e.g., BE:32CE).
This confirms that the reader is functioning and formatting the data correctly.
Issue on Ricoh MFP:
When plugging the card reader into the Ricoh MFP and scanning a card, the MFP does not receive the formatted output. Instead, it only receives the raw ID without any delimiters, e.g., BE32CE
We are retrieving the card ID using the following method:
BroadcastIntent: jp.co.ricoh.isdk.sdkservice.card.IC_CARD_ATTACHED
byte[] cardId = intent.getByteArrayExtra(ICConstants.KEY_CARD_ID);
The cardId received contains only 6 characters (raw bytes), and does not include the delimiter ":" as configured.
Questions:
- Does Ricoh MFP support reading the card ID with formatting and delimiters from keyboard-emulated card readers?
- Or does Ricoh MFP only capture the raw byte stream from the reader, ignoring any formatting (e.g., delimiters) applied via the configuration utility?
- Is there any way to configure the MFP or SDK to retrieve the formatted output (with delimiters) instead of the raw card ID?
Looking forward to your response.
Best regards,
Testing the Smart Operation Panel
Incident Properties
Question
Hi, we were looking to test the Smart Operation Panel and install the APK onto the device. For the packaging and signing of the application, the documentation says a Ricoh Development Keystore is required.
jarsigner -verbose -digestalg SHA-256 -sigalg SHA256withRSA -keystore ricohdevelop.keystore PartnerApp.apk ricohtestkey
Is this generated on your side, or do we create this?
Thank you,
Jordan
Handling Overlay Window in G2, 2.5 and 3
Incident Properties
Question
I’m handling an issue raised by static analysis tools in the Printix Go client code. The static analysis tool reported the following problem:
"The application must define the Manifest.permission.HIDE_OVERLAY_WINDOWS permission and call Window#setHideOverlayWindows(true) to prevent 3rd party applications from being able to draw over it. Ability to obscure an application view partially or entirely may lead to the end-user being tricked into executing unwanted or dangerous actions."
The problem is that since Printix supports G2 devices which run Android 6, this permission has been defined in Android 12.
References : https://developer.android.com/security/fraud-prevention/activities#:~:text=HIDE_OVERLAY_WINDOWS%20is%20a%20permission%20added%20in%20Android%2012,your%20app%20to%20block%20overlays%20from%20third-par….
I have tried to implement a manual mechanism to prevent the overlay window. I used Settings.canDrawOverlays; this method returns true if the application can draw an overlay window, but it always returns true while we have this permission in the manifest: android.permission.SYSTEM_ALERT_WINDOW.
When I checked the SDK, I found that “Also, the AuthScreen class displays a screen using WindowManager, so specify the following permission setting for the custom authentication flow application.”
Reference: /SmartSdk_DevKit_R2409/doc/en/app_ml/700-04_2-0230.htm
Since we have custom authentication in our application, we need to keep this permission.
So, my question is how to handle the overlay issue in Ricoh G2 and above devices?
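For the API-level gap described in this post, an added example (not part of the original post and not Ricoh or Printix code): it calls Window#setHideOverlayWindows only on Android 12 and later, and on older releases relies on the touch-filtering APIs available since API 9. The class name OverlayGuardedActivity is hypothetical, and the behaviour on Ricoh G2 panels is an assumption that has not been verified here.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;

// Hypothetical activity name; only the android.* calls are platform APIs.
public class OverlayGuardedActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // In a real activity, call setContentView(...) before the lines below.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Android 12+ (API 31): requires android.permission.HIDE_OVERLAY_WINDOWS
            // in the manifest; keeps non-system overlays from being drawn on top
            // of this window.
            getWindow().setHideOverlayWindows(true);
        }
        // API 9+: the framework drops touches delivered while another visible
        // window covers this one at the touch location.
        getWindow().getDecorView().setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        if (isObscured(ev)) {
            return true; // consume the event so no view acts on it
        }
        return super.dispatchTouchEvent(ev);
    }

    // Explicit check, so the decision is visible (and loggable) in app code.
    static boolean isObscured(MotionEvent ev) {
        int mask = MotionEvent.FLAG_WINDOW_IS_OBSCURED;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            // API 29+: also set when an overlay covers the window elsewhere.
            mask |= MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED;
        }
        return (ev.getFlags() & mask) != 0;
    }
}
```

Because the app also draws its own window through WindowManager for the custom authentication flow, both paths need a test on a device with that screen shown.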
Permissions for request from the servlet to the app
Incident Properties
Question
Hi Ridp,
We are trying to use permission for an intent sent by the code in the servlet included in Printix Go, to the code in Printix Go app.
Servlet:
intent.setAction("net.printix.capture.servlet.req.PostSettings");
context.sendBroadcast(intent, "net.printix.go.CAPTURE_CONNECTION_PERMISSION");
App: The receiver of the intent requires this permission. This code is in the main Printix Go app
<receiver android:name="net.printix.capture.PrintixCaptureBroadcastReceiver"
          android:exported="true"
          android:permission="net.printix.go.CAPTURE_CONNECTION_PERMISSION">
    <intent-filter>
        <action android:name="net.printix.capture.servlet.req.PostSettings" />
        ...
</receiver>
The app declares the permission to be used in the androidmanifest.xml
<uses-permission android:name="net.printix.go.CAPTURE_CONNECTION_PERMISSION"/>
However we are getting an error in the device logs
04-02 17:07:41.905 2871 2941 W BroadcastQueue: Permission Denial: broadcasting Intent { act=net.printix.capture.servlet.req.PostSettings flg=0x10 (has extras) } from jp.co.ricoh.advop.serverservice (pid=4978, uid=10042) requires net.printix.go.CAPTURE_CONNECTION_PERMISSION due to receiver net.printix.capture/.PrintixCaptureBroadcastReceiver
Since the servlet is in the app itself we expect the servlet to inherit the permission. But it looks like jp.co.ricoh.advop.serverservice is the one that is sending the intent on behalf of the servlet. Probably it didn't get the permission.
How do I make sure that the intent from the servlet code has the declared permission?
Thanks.
Security vulnerabilities reported in SDK libraries
Incident Properties
Question
Hi RIDP,
Our security scanning has reported the following issue in the way we receive intents from exported components. All the following is in the SDK code
- com/ricoh/auth/AAAClientAuthenticator.java#62
- com/ricoh/auth/manager/AbstractSmartSDKReceiver.java#27
- jp/co/ricoh/ssdk/sample/framework/common/SsdkEventReceiver.java#75
Issue details
The component android.content.ContextWrapper.registerReceiver is registered in the source code and exported in a way that can make it susceptible to attack through insufficiently protected BroadcastReceiver
Please use the Context#RECEIVER_NOT_EXPORTED, ContextCompat#RECEIVER_NOT_EXPORTED and/or signature permission. Otherwise the application will be prone to receiving data from any application installed on the end-user device
References:
CWE (https://cwe.mitre.org/data/definitions/926.html)
Safer exporting of context-registered receivers (https://developer.android.com/about/versions/13/features#runtime-receivers)
Signature permissions overview (https://developer.android.com/guide/topics/permissions/overview#signature)
Context#RECEIVER_NOT_EXPORTED (https://developer.android.com/reference/android/content/Context#RECEIVER_NOT_EXPORTED)
There is another one where the component is statically exported in the manifest without permission
com/ricoh/auth/provider/AAAService.java#1
Is there any plan to address these?
Similar issues are reported in our code where we register receivers dynamically in our code for intents that the SDK service sends. Some of the cases do not mandate a permission and do not specify it during registration. Our tool reports that even mandating a permission in this case is not secure enough; we must use signature-based protection (you can see it in the links provided above). I think that means the app that is sending the intent and the one receiving it must be signed by the same signature. In this case, will the SSDK service and the signed version of our app have the same signature?
Thanks.
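The receiver protections discussed in this post and in the earlier "Permissions for request from the servlet to the app" post, as an added example (not part of either post and not SDK code): one registration that accepts in-app broadcasts only, one that accepts broadcasts from another package only when the sender holds a permission, and a check of whether two packages share a signing certificate, which is the precondition for a signature-level permission to be granted. GuardedReceivers and its method names are hypothetical; the code assumes androidx.core 1.9.0 or later, and the permission and package names are supplied by the caller.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.content.pm.PackageManager;
import androidx.core.content.ContextCompat;

/** Hypothetical helper; only the android.* and androidx.* calls are real APIs. */
public final class GuardedReceivers {
    private GuardedReceivers() {}

    /** In-app broadcasts only: other packages cannot deliver to this receiver. */
    public static void registerInternal(Context ctx, BroadcastReceiver receiver,
                                        String action) {
        ContextCompat.registerReceiver(ctx, receiver, new IntentFilter(action),
                ContextCompat.RECEIVER_NOT_EXPORTED);
    }

    /**
     * Cross-app broadcasts: delivery is refused unless the SENDING package
     * holds senderPermission. This is the same direction of enforcement as
     * android:permission on a manifest-declared receiver.
     */
    public static void registerFromOtherApp(Context ctx, BroadcastReceiver receiver,
                                            String action, String senderPermission) {
        ContextCompat.registerReceiver(ctx, receiver, new IntentFilter(action),
                senderPermission, null /* main thread */,
                ContextCompat.RECEIVER_EXPORTED);
    }

    /**
     * True when this app and otherPackage are signed with the same certificate.
     * On Android 11+ the other package must be visible to this app (for
     * example through a queries element), otherwise the result is
     * SIGNATURE_UNKNOWN_PACKAGE and this returns false.
     */
    public static boolean sameSigner(Context ctx, String otherPackage) {
        PackageManager pm = ctx.getPackageManager();
        return pm.checkSignatures(ctx.getPackageName(), otherPackage)
                == PackageManager.SIGNATURE_MATCH;
    }
}
```

Running sameSigner against the package named as the sender in a BroadcastQueue denial line shows whether a signature-level permission could be granted to that sender at all.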
J240 Error on lab MFP Device
Incident Properties
Question
J240 Error on lab Device
Hello!
We are trying to install our application on a new device with two new serial numbers. I read through the documentation and saw the J240 error has to do with a serial number not embedded into the manifest file I recently downloaded including the two new serial numbers.
I was able to see in the .mf file that there are now 5 devices instead of 3, and we are unable to install the zip file onto the machine.
Is there something I'm missing?
Thank You
David Frey
Unable to run dev signed version of Printix Capture on our native device
Incident Properties
Question
Hi,
We have been using seal maker signatures (Ricoh Europe https://emea.ricoh-developer.com/content/sealmaker) to run dev signed versions of Printix Go and Printix Capture on our native devices. Printix Capture (product ID 1667825666) doesn't seem to work for our device RICOH IM 2500 with serial number "4412R960035".
We checked the RIDP America page at https://www.ricoh-ridp.com/forms/signatureservices/ricoh-smartsdk/development-keys. We don't see the device serial number there either. Also, we expected to see our applications Printix Go and Printix Capture in the above page once logged in, but see only one sample app.
Can you fix/add to the proper list the above device so that we can install dev signed versions of Printix Go and Printix Capture (Product IDs 1667825665 & 1667825666)?
Also, please let us know the correct procedure to add our native devices to enable them to run dev signed versions of our products.
Thanks,
WIM - Installing Certificates on MFP Device
Incident Properties
Question
We are getting a certificate error when we try to access our WebAPI endpoint through the device's web browser.
There is a setting somewhere where we can view the Certificate Authorities that are installed, which seems to fix the issue on our lab devices. Are we able to install these Certificate Authorities through the WIM, and if so, where would we be able to do this? Is there a way to view these through the panel's administration settings?
In the device logs, we see the same error:
12-05 13:55:06.362 22527 24128 E [FSSA] : Uncaught exception when connecting to WebAPI:No peer certificate
How to use and import the SDKService in the application
Incident Properties
Question
I need to know how to use the SDK Service in the application to make a listener that listens for the Home key being pressed. Could you help me with this?
Question on PO process
Incident Properties
Question
We are looking through the steps to get the "Ricoh Compatibility Testing" completed. I notice that one of the steps indicates that it needs a PO, but I do not see how to get a PO started. I see the fee schedule (https://ricoh-ridp.com/resources/downloads/ridp-fee-schedule) and such from the main page. Since I am new to the process (as the previous PM who used to do it is no longer with us), I want to know if there is something I can do to get this process started ahead of time. This way it does not hold up the process once we are ready to submit.