Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remove debugging code throwing a runtime exception when INTERNET is revoked for compatibility with GrapheneOS Network toggle #1675

Open
thestinger opened this issue Feb 4, 2022 · 1 comment
Open

remove debugging code throwing a runtime exception when INTERNET is revoked for compatibility with GrapheneOS Network toggle #1675

thestinger opened this issue Feb 4, 2022 · 1 comment

Comments

@thestinger
Copy link

On GrapheneOS, users can revoke the INTERNET permission at runtime. This isn't officially compliant with the Android compatibility requirements but is very useful. GrapheneOS changes the errors for sockets, DownloadManager, etc. to throw an IOException or another error the app already has to handle rather than giving SecurityException.

Please replace the runtime exceptions you're throwing with logging or simply remove them completely because it's not actually useful in practice. It's easy for developers to see INTERNET isn't declared because Android throws SecurityException for the socket API and all the other APIs like DownloadManager which require it.

We've added a workaround for com.microsoft namespace apps since this library is used by many of them. It will still be a problem for apps in different namespaces unless you remove the unnecessary runtime exceptions.

These are the two checks with runtime exceptions:

azure-activedirectory-library-for-android/adal/src/main/java/com/microsoft/aad/adal/AuthenticationContext.java

Line 1449 in c4da016

private void checkInternetPermission() {

https://github.com/AzureAD/microsoft-authentication-library-for-android/blob/699e4ec60673f6d86d09b9866a01cf8f7586a5e7/msal/src/main/java/com/microsoft/identity/client/PublicClientApplication.java#L1811

You could also change the check so that it only throws an exception when INTERNET isn't requested by the app rather than checking for it being revoked. This is the workaround we've added for this behavior which we intend to be temporary:

GrapheneOS/platform_frameworks_base@b230452

You could simply delete the checks and you'll still get clear SecurityExceptions from the OS APIs about it on Android. For sockets it mentions that the cause is likely that INTERNET is broken.
@thestinger
Copy link
Author

If you still want to do these checks, you could modify them to use requested permissions instead of granted permissions:

PackageInfo pi = ctx.getPackageManager().getPackageInfo(ctx.getPackageName(), PackageManager.GET_PERMISSIONS);
// check that pi.requestedPermissions contains the INTERNET permission

This would be compatible with supporting revoking the INTERNET permission on GrapheneOS and other operating systems incorporating our feature such as ProtonAOSP.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@thestinger