Reputation: 870
I am getting a SecurityException followed by a RemoteException while trying to access the code below.
API:
    val networkCapabilities = connectivityManager.getNetworkCapabilities(connectivityManager.activeNetwork)
Exception getting:
    Fatal Exception: java.lang.SecurityException: Package android does not belong to 10319
        at android.os.Parcel.createExceptionOrNull(Parcel.java:2385)
        at android.os.Parcel.createException(Parcel.java:2369)
        at android.os.Parcel.readException(Parcel.java:2352)
        at android.os.Parcel.readException(Parcel.java:2294)
        at android.net.IConnectivityManager$Stub$Proxy.getNetworkCapabilities(IConnectivityManager.java:3347)
        at android.net.ConnectivityManager.getNetworkCapabilities(ConnectivityManager.java:1549)
    Caused by android.os.RemoteException: Remote stack trace:
        at android.app.AppOpsManager.checkPackage(AppOpsManager.java:7783)
        at com.android.server.ConnectivityService.getNetworkCapabilities(ConnectivityService.java:2297)
        at android.net.IConnectivityManager$Stub.onTransact(IConnectivityManager.java:1357)
        at android.os.Binder.execTransactInternal(Binder.java:1195)
        at android.os.Binder.execTransact(Binder.java:1159)
I have analyzed it, and when I dug into the AOSP code, I found that the flow goes to the checkPackage method of the AppOpsManager class, shown in the attached screenshot. From the code we know that only when the check package condition is not equal to MODE_ALLOWED will we get a SecurityException. But I don't have any idea when that condition will fail.
Please help me if anyone has any idea on this, thanks 😊
Upvotes: 30
Views: 6693
Reputation: 138
Google fixed this issue in Android 12: https://android-review.googlesource.com/c/platform/frameworks/base/+/1758029.
The root cause is that in Android 11, android.intent.action.PROXY_CHANGE would obtain a ConnectivityManager instance. Assuming that when receiving the PROXY_CHANGE broadcast, the Application object has just been created, but its attachBaseContext has not finished executing yet, this would cause the ConnectivityManager to be created using the SystemContext (the package name is android). Additionally, because the ConnectivityManager is actually a singleton, the API calls associated with it are actually using the SystemContext, thus triggering a SecurityException.
To fix this issue, it is possible to use reflection in attachBaseContext to modify the mContext field of ConnectivityManager to the correct Context object. It is important to note that the mContext field of ConnectivityManager is in the reflection graylist, so it is necessary to use https://github.com/tiann/FreeReflection to remove the reflection restriction.
The fix code:
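    import android.annotation.SuppressLint;
    import android.content.Context;
    import android.net.ConnectivityManager;
    import android.os.Build;
    import java.lang.reflect.Field;
    import me.weishu.reflection.Reflection; // from tiann/FreeReflection

    @SuppressLint("SoonBlockedPrivateApi")
    public static void fixConnectivitySecurityException(Context ctx) {
        // Only Android 11 (API 30) is affected.
        if (Build.VERSION.SDK_INT == Build.VERSION_CODES.R) {
            try {
                Reflection.unseal(ctx); // remove the reflection restriction
                ctx = ctx.getApplicationContext() != null ? ctx.getApplicationContext() : ctx;
                ConnectivityManager cm = (ConnectivityManager) ctx.getSystemService(Context.CONNECTIVITY_SERVICE);
                Field f = cm.getClass().getDeclaredField("mContext");
                f.setAccessible(true);
                Context c = (Context) f.get(cm);
                // Replace the context only if the manager was created with another package's context.
                if (c != null && !ctx.getPackageName().equals(c.getPackageName())) {
                    f.set(cm, ctx);
                }
            } catch (Throwable ignored) {
                // Best effort: if reflection fails, leave the manager untouched.
            }
        }
    }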
Upvotes: 2
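An added example, not part of the answer above or of AOSP: a Python triage helper that checks whether a crash report carries the signature this answer describes, namely the system package name android presented by an ordinary app UID and rejected by AppOpsManager.checkPackage inside ConnectivityService.getNetworkCapabilities. The function and constant names are hypothetical; the UID ranges are Android's per-user app UID layout.

```python
import re

# Android app UIDs: each user owns a block of 100000 UIDs, and installed
# apps get app IDs 10000-19999 inside that block.
PER_USER_RANGE = 100000
FIRST_APPLICATION_UID, LAST_APPLICATION_UID = 10000, 19999

MESSAGE_RE = re.compile(
    r"SecurityException: Package (\S+) does not belong to (\d+)")
FRAME_RE = re.compile(r"^\s*at\s+([\w.$]+)\(", re.MULTILINE)

# Frames that must appear for the crash to be the one discussed on this page.
REQUIRED_FRAMES = (
    "android.app.AppOpsManager.checkPackage",
    "com.android.server.ConnectivityService.getNetworkCapabilities",
)

def classify_crash(trace):
    """Return a dict saying whether a crash trace fits the pattern (hypothetical helper)."""
    msg = MESSAGE_RE.search(trace)
    if msg is None:
        return {"match": False, "package": None, "uid": None}
    package, uid = msg.group(1), int(msg.group(2))
    frames = set(FRAME_RE.findall(trace))
    app_id = uid % PER_USER_RANGE
    caller_is_app = FIRST_APPLICATION_UID <= app_id <= LAST_APPLICATION_UID
    # System package name claimed by an ordinary app UID, rejected by the
    # AppOps ownership check inside ConnectivityService.
    match = (package == "android" and caller_is_app
             and all(f in frames for f in REQUIRED_FRAMES))
    return {"match": match, "package": package, "uid": uid}

# Trace from the question above (client-side Parcel and Binder frames omitted).
QUESTION_TRACE = """\
Fatal Exception: java.lang.SecurityException: Package android does not belong to 10319
at android.net.IConnectivityManager$Stub$Proxy.getNetworkCapabilities(IConnectivityManager.java:3347)
at android.net.ConnectivityManager.getNetworkCapabilities(ConnectivityManager.java:1549)
Caused by android.os.RemoteException: Remote stack trace:
at android.app.AppOpsManager.checkPackage(AppOpsManager.java:7783)
at com.android.server.ConnectivityService.getNetworkCapabilities(ConnectivityService.java:2297)
"""

# Constructed negative sample: same exception type, but a non-system package.
OTHER_TRACE = QUESTION_TRACE.replace("Package android", "Package com.example.app")

if __name__ == "__main__":
    for name, trace in (("question", QUESTION_TRACE), ("other", OTHER_TRACE)):
        print(name, classify_crash(trace))
```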
Reputation: 365
Looks like it is a known issue https://issuetracker.google.com/issues/175055271
Dec 10, 2020 11:43AM
We have passed this to the development team and will update this issue with more information as it becomes available.
Sep 14, 2021 12:04AM
Marked as fixed.
The issue has been fixed in Android S and above.
But no fixes for Android below S.
Upvotes: 21