open-keychain
open-keychain copied to clipboard
open-keychain
OpenKeychain will stop working on Android 14
If the client (email) app is targeting SDK level 34, it is no longer possible to call a returned PendingIntent, for example to enter a password, due to this new security restriction:
https://developer.android.com/about/versions/14/behavior-changes-14#safer-intents
Note that this was tested in practice (with FairEmail):
06-14 18:39:03.109 14262 14262 I fairemail: Executing pi=PendingIntent{4e7f9d2: android.os.BinderProxy@f4f8aa3}
06-14 18:39:03.111 1670 3958 E ActivityTaskManager: Without BAL hardening this activity start would be allowed! [callingPackage: org.sufficientlysecure.keychain; callingUid: 10264; appSwitchState: 2; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; balAllowedByPiSender: BackgroundStartPrivileges[allowsBackgroundActivityStarts=false, allowsBackgroundForegroundServiceStarts=true, originatingToken=null]; realCallingPackage: eu.faircode.email.debug; realCallingUid: 10296; realCallingUidHasAnyVisibleWindow: true; realCallingUidProcState: TOP; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: PendingIntentRecord{d78099f org.sufficientlysecure.keychain startActivity}; backgroundStartPrivileges: BackgroundStartPrivileges[allowsBackgroundActivityStarts=false, allowsBackgroundForegroundServiceStarts=false, originatingToken=null]; intent: Intent { cmp=org.sufficientlysecure.keychain/.remote.ui.RemotePassphraseDialogActivity (has extras) }; callerApp: null; inVisibleTask: false]
06-14 18:39:03.111 1670 3958 W ActivityTaskManager: **Background activity launch blocked** [callingPackage: org.sufficientlysecure.keychain; callingUid: 10264; appSwitchState: 2; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; balAllowedByPiSender: BackgroundStartPrivileges[allowsBackgroundActivityStarts=false, allowsBackgroundForegroundServiceStarts=true, originatingToken=null]; realCallingPackage: eu.faircode.email.debug; realCallingUid: 10296; realCallingUidHasAnyVisibleWindow: true; realCallingUidProcState: TOP; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: PendingIntentRecord{d78099f org.sufficientlysecure.keychain startActivity}; backgroundStartPrivileges: BackgroundStartPrivileges[allowsBackgroundActivityStarts=false, allowsBackgroundForegroundServiceStarts=false, originatingToken=null]; intent: Intent { cmp=org.sufficientlysecure.keychain/.remote.ui.RemotePassphraseDialogActivity (has extras) }; callerApp: null; inVisibleTask: false]
06-14 18:39:03.113 1670 3958 E ActivityTaskManager: Abort background activity starts from 10264
Hey @M66B,
now that I've cleaned up everything for sdk34 in openkeychain, any idea about what to do here? Reading the documentation, it might be enough to set the BIND_ALLOW_ACTIVITY_STARTS flag on the activity launch, have you tried that?
I made a corresponding PR, would be great if you could check if that works for a FairMail build
Please see here:
https://github.com/M66B/FairEmail/blob/master/app/src/main/java/eu/faircode/email/Helper.java#L1938
Meanwhile setPendingIntentBackgroundActivityLaunchAllowed was deprecated in favor of setPendingIntentBackgroundActivityStartMode.
Yes, it does, but ideally, OpenKeychain should set these flags when returning a PendingIntent.
I would be surprised if OpenKeychain itself could set these flags. Since they lift background activity restrictions, this will have to be done by the app calling the pending intent, or not? :thinking: we could do it in the api lib, though
I think you are right because this is a flag for startIntentSenderForResult. So, I guess this needs to be documented only.