7
3
Fork
You've already forked android
4

app crashes on latest chromebook os #17

Closed
opened 2025年04月16日 12:10:42 +02:00 by efef · 7 comments
Member
Copy link

Previous OS works fine:132.0.6834.206 in newest OS eduVPN app crashes, OS verison: 134.0.6998.198

Previous OS works fine:132.0.6834.206 in newest OS eduVPN app crashes, OS verison: 134.0.6998.198
Collaborator
Copy link

Obfuscated stack trace:

Exception java.lang.RuntimeException:
 at android.app.ActivityThread.performLaunchActivity (ActivityThread.java:3672)
 at android.app.ActivityThread.handleLaunchActivity (ActivityThread.java:3809)
 at android.app.servertransaction.LaunchActivityItem.execute (LaunchActivityItem.java:101)
 at android.app.servertransaction.TransactionExecutor.executeCallbacks (TransactionExecutor.java:135)
 at android.app.servertransaction.TransactionExecutor.execute (TransactionExecutor.java:95)
 at android.app.ActivityThread$H.handleMessage (ActivityThread.java:2304)
 at android.os.Handler.dispatchMessage (Handler.java:106)
 at android.os.Looper.loopOnce (Looper.java:201)
 at android.os.Looper.loop (Looper.java:288)
 at android.app.ActivityThread.main (ActivityThread.java:7950)
 at java.lang.reflect.Method.invoke
 at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run (RuntimeInit.java:548)
 at com.android.internal.os.ZygoteInit.main (ZygoteInit.java:936)
Caused by java.security.InvalidKeyException: Keystore operation failed
 at android.security.keystore2.KeyStoreCryptoOperationUtils.getInvalidKeyException (KeyStoreCryptoOperationUtils.java:130)
 at android.security.keystore2.KeyStoreCryptoOperationUtils.getExceptionForCipherInit (KeyStoreCryptoOperationUtils.java:154)
 at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:339)
 at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineInit (AndroidKeyStoreCipherSpiBase.java:171)
 at javax.crypto.Cipher.tryTransformWithProvider (Cipher.java:2985)
 at javax.crypto.Cipher.tryCombinations (Cipher.java:2892)
 at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider (Cipher.java:2797)
 at javax.crypto.Cipher.chooseProvider (Cipher.java:774)
 at javax.crypto.Cipher.init (Cipher.java:1144)
 at javax.crypto.Cipher.init (Cipher.java:1085)
 at X0.b.d (SourceFile:21)
 at X0.b.a (SourceFile:19)
 at X0.c.i (SourceFile:10)
 at X0.c.a (SourceFile:51)
 at X0.a$b.j (SourceFile:8)
 at X0.a$b.f (SourceFile:54)
 at androidx.security.crypto.b.b (SourceFile:51)
 at androidx.security.crypto.b.a (SourceFile:5)
 at w2.h.<init> (SourceFile:54)
 at t2.b.k (SourceFile:13)
 at t2.l.c (SourceFile:1)
 at t2.l.b (SourceFile:19)
 at t2.l.get (SourceFile:1)
 at m1.b.get (SourceFile:14)
 at t2.q$b.w (SourceFile:5)
 at t2.q$b.p (SourceFile:1)
 at t2.q$b.i (SourceFile:1)
 at nl.eduvpn.app.MainActivity.onCreate (SourceFile:12)
 at android.app.Activity.performCreate (Activity.java:8290)
 at android.app.Activity.performCreate (Activity.java:8269)
 at android.app.Instrumentation.callActivityOnCreate (Instrumentation.java:1402)
 at android.app.ActivityThread.performLaunchActivity (ActivityThread.java:3653)
Caused by android.security.KeyStoreException: Invalid key blob (internal Keystore code: -33 message: In create_operation: Failed to begin operation.
Caused by:
 0: In KeystoreSecurityLevel::upgrade_keyblob_if_required_with.
 1: Calling km_op
 2: Error::Km(ErrorCode(-33))) (public error code: 10 internal Keystore code: -33)
 at android.security.KeyStore2.getKeyStoreException (KeyStore2.java:369)
 at android.security.KeyStoreSecurityLevel.createOperation (KeyStoreSecurityLevel.java:120)
 at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:334)

I tried to reproduce this on a Desktop AVD emulator, but it works fine there.
As far as I understand the emulators are not full ChromeOS systems, more like Android with desktop features.

I will now try to deobfuscate the stack trace by rebuilding the app from the tagged version, and using the mapping file

Obfuscated stack trace: ``` Exception java.lang.RuntimeException: at android.app.ActivityThread.performLaunchActivity (ActivityThread.java:3672) at android.app.ActivityThread.handleLaunchActivity (ActivityThread.java:3809) at android.app.servertransaction.LaunchActivityItem.execute (LaunchActivityItem.java:101) at android.app.servertransaction.TransactionExecutor.executeCallbacks (TransactionExecutor.java:135) at android.app.servertransaction.TransactionExecutor.execute (TransactionExecutor.java:95) at android.app.ActivityThread$H.handleMessage (ActivityThread.java:2304) at android.os.Handler.dispatchMessage (Handler.java:106) at android.os.Looper.loopOnce (Looper.java:201) at android.os.Looper.loop (Looper.java:288) at android.app.ActivityThread.main (ActivityThread.java:7950) at java.lang.reflect.Method.invoke at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run (RuntimeInit.java:548) at com.android.internal.os.ZygoteInit.main (ZygoteInit.java:936) Caused by java.security.InvalidKeyException: Keystore operation failed at android.security.keystore2.KeyStoreCryptoOperationUtils.getInvalidKeyException (KeyStoreCryptoOperationUtils.java:130) at android.security.keystore2.KeyStoreCryptoOperationUtils.getExceptionForCipherInit (KeyStoreCryptoOperationUtils.java:154) at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:339) at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineInit (AndroidKeyStoreCipherSpiBase.java:171) at javax.crypto.Cipher.tryTransformWithProvider (Cipher.java:2985) at javax.crypto.Cipher.tryCombinations (Cipher.java:2892) at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider (Cipher.java:2797) at javax.crypto.Cipher.chooseProvider (Cipher.java:774) at javax.crypto.Cipher.init (Cipher.java:1144) at javax.crypto.Cipher.init (Cipher.java:1085) at X0.b.d (SourceFile:21) at X0.b.a (SourceFile:19) at X0.c.i (SourceFile:10) at X0.c.a (SourceFile:51) at X0.a$b.j (SourceFile:8) at X0.a$b.f (SourceFile:54) at androidx.security.crypto.b.b (SourceFile:51) at androidx.security.crypto.b.a (SourceFile:5) at w2.h.<init> (SourceFile:54) at t2.b.k (SourceFile:13) at t2.l.c (SourceFile:1) at t2.l.b (SourceFile:19) at t2.l.get (SourceFile:1) at m1.b.get (SourceFile:14) at t2.q$b.w (SourceFile:5) at t2.q$b.p (SourceFile:1) at t2.q$b.i (SourceFile:1) at nl.eduvpn.app.MainActivity.onCreate (SourceFile:12) at android.app.Activity.performCreate (Activity.java:8290) at android.app.Activity.performCreate (Activity.java:8269) at android.app.Instrumentation.callActivityOnCreate (Instrumentation.java:1402) at android.app.ActivityThread.performLaunchActivity (ActivityThread.java:3653) Caused by android.security.KeyStoreException: Invalid key blob (internal Keystore code: -33 message: In create_operation: Failed to begin operation. Caused by: 0: In KeystoreSecurityLevel::upgrade_keyblob_if_required_with. 1: Calling km_op 2: Error::Km(ErrorCode(-33))) (public error code: 10 internal Keystore code: -33) at android.security.KeyStore2.getKeyStoreException (KeyStore2.java:369) at android.security.KeyStoreSecurityLevel.createOperation (KeyStoreSecurityLevel.java:120) at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:334) ``` I tried to reproduce this on a Desktop AVD emulator, but it works fine there. As far as I understand the emulators are not full ChromeOS systems, more like Android with desktop features. I will now try to deobfuscate the stack trace by rebuilding the app from the tagged version, and using the mapping file
Collaborator
Copy link

De-obfuscated stack trace:

Exception java.lang.RuntimeException:
 at android.app.ActivityThread.performLaunchActivity (ActivityThread.java:3672)
 at android.app.ActivityThread.handleLaunchActivity (ActivityThread.java:3809)
 at android.app.servertransaction.LaunchActivityItem.execute (LaunchActivityItem.java:101)
 at android.app.servertransaction.TransactionExecutor.executeCallbacks (TransactionExecutor.java:135)
 at android.app.servertransaction.TransactionExecutor.execute (TransactionExecutor.java:95)
 at android.app.ActivityThread$H.handleMessage (ActivityThread.java:2304)
 at android.os.Handler.dispatchMessage (Handler.java:106)
 at android.os.Looper.loopOnce (Looper.java:201)
 at android.os.Looper.loop (Looper.java:288)
 at android.app.ActivityThread.main (ActivityThread.java:7950)
 at java.lang.reflect.Method.invoke
 at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run (RuntimeInit.java:548)
 at com.android.internal.os.ZygoteInit.main (ZygoteInit.java:936)
Caused by java.security.InvalidKeyException: Keystore operation failed
 at android.security.keystore2.KeyStoreCryptoOperationUtils.getInvalidKeyException (KeyStoreCryptoOperationUtils.java:130)
 at android.security.keystore2.KeyStoreCryptoOperationUtils.getExceptionForCipherInit (KeyStoreCryptoOperationUtils.java:154)
 at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:339)
 at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineInit (AndroidKeyStoreCipherSpiBase.java:171)
 at javax.crypto.Cipher.tryTransformWithProvider (Cipher.java:2985)
 at javax.crypto.Cipher.tryCombinations (Cipher.java:2892)
 at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider (Cipher.java:2797)
 at javax.crypto.Cipher.chooseProvider (Cipher.java:774)
 at javax.crypto.Cipher.init (Cipher.java:1144)
 at javax.crypto.Cipher.init (Cipher.java:1085)
 at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encryptInternal (SourceFile:21)
 at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encrypt (SourceFile:19)
 at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.validateAead (SourceFile:10)
 at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead (SourceFile:51)
 at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readMasterkeyDecryptAndParseKeyset (SourceFile:8)
 at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build (SourceFile:54)
 at androidx.security.crypto.EncryptedSharedPreferences.create (SourceFile:51)
 at androidx.security.crypto.EncryptedSharedPreferences.create (SourceFile:5)
 at nl.eduvpn.app.service.PreferencesService.<init> (SourceFile:54)
 at nl.eduvpn.app.inject.ApplicationModule.providePreferencesService (SourceFile:13)
 at nl.eduvpn.app.inject.ApplicationModule_ProvidePreferencesServiceFactory.providePreferencesService (SourceFile:1)
 at nl.eduvpn.app.inject.ApplicationModule_ProvidePreferencesServiceFactory.get (SourceFile:19)
 at nl.eduvpn.app.inject.ApplicationModule_ProvidePreferencesServiceFactory.get (SourceFile:1)
 at dagger.internal.DoubleCheck.get (SourceFile:14)
 at nl.eduvpn.app.inject.DaggerEduVPNComponent$EduVPNComponentImpl.optionalOfVPNService (SourceFile:5)
 at nl.eduvpn.app.inject.DaggerEduVPNComponent$EduVPNComponentImpl.injectMainActivity (SourceFile:1)
 at nl.eduvpn.app.inject.DaggerEduVPNComponent$EduVPNComponentImpl.inject (SourceFile:1)
 at nl.eduvpn.app.MainActivity.onCreate (SourceFile:12)
 at android.app.Activity.performCreate (Activity.java:8290)
 at android.app.Activity.performCreate (Activity.java:8269)
 at android.app.Instrumentation.callActivityOnCreate (Instrumentation.java:1402)
 at android.app.ActivityThread.performLaunchActivity (ActivityThread.java:3653)
Caused by android.security.KeyStoreException: Invalid key blob (internal Keystore code: -33 message: In create_operation: Failed to begin operation.
Caused by:
 0: In KeystoreSecurityLevel::upgrade_keyblob_if_required_with.
 1: Calling km_op
 2: Error::Km(ErrorCode(-33))) (public error code: 10 internal Keystore code: -33)
 at android.security.KeyStore2.getKeyStoreException (KeyStore2.java:369)
 at android.security.KeyStoreSecurityLevel.createOperation (KeyStoreSecurityLevel.java:120)
 at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:334)

Attached you can find the mapping file.

I will create a workaround, where if the Secure Preferences could not be set up, the app will use the regular preferences as a fallback. This is not a security issue, since Google has also advocated against using secure-preferences, because the system already gives enough security guarantees that using this library doesn't matter much [link]

De-obfuscated stack trace: ``` Exception java.lang.RuntimeException: at android.app.ActivityThread.performLaunchActivity (ActivityThread.java:3672) at android.app.ActivityThread.handleLaunchActivity (ActivityThread.java:3809) at android.app.servertransaction.LaunchActivityItem.execute (LaunchActivityItem.java:101) at android.app.servertransaction.TransactionExecutor.executeCallbacks (TransactionExecutor.java:135) at android.app.servertransaction.TransactionExecutor.execute (TransactionExecutor.java:95) at android.app.ActivityThread$H.handleMessage (ActivityThread.java:2304) at android.os.Handler.dispatchMessage (Handler.java:106) at android.os.Looper.loopOnce (Looper.java:201) at android.os.Looper.loop (Looper.java:288) at android.app.ActivityThread.main (ActivityThread.java:7950) at java.lang.reflect.Method.invoke at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run (RuntimeInit.java:548) at com.android.internal.os.ZygoteInit.main (ZygoteInit.java:936) Caused by java.security.InvalidKeyException: Keystore operation failed at android.security.keystore2.KeyStoreCryptoOperationUtils.getInvalidKeyException (KeyStoreCryptoOperationUtils.java:130) at android.security.keystore2.KeyStoreCryptoOperationUtils.getExceptionForCipherInit (KeyStoreCryptoOperationUtils.java:154) at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:339) at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineInit (AndroidKeyStoreCipherSpiBase.java:171) at javax.crypto.Cipher.tryTransformWithProvider (Cipher.java:2985) at javax.crypto.Cipher.tryCombinations (Cipher.java:2892) at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider (Cipher.java:2797) at javax.crypto.Cipher.chooseProvider (Cipher.java:774) at javax.crypto.Cipher.init (Cipher.java:1144) at javax.crypto.Cipher.init (Cipher.java:1085) at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encryptInternal (SourceFile:21) at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encrypt (SourceFile:19) at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.validateAead (SourceFile:10) at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead (SourceFile:51) at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readMasterkeyDecryptAndParseKeyset (SourceFile:8) at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build (SourceFile:54) at androidx.security.crypto.EncryptedSharedPreferences.create (SourceFile:51) at androidx.security.crypto.EncryptedSharedPreferences.create (SourceFile:5) at nl.eduvpn.app.service.PreferencesService.<init> (SourceFile:54) at nl.eduvpn.app.inject.ApplicationModule.providePreferencesService (SourceFile:13) at nl.eduvpn.app.inject.ApplicationModule_ProvidePreferencesServiceFactory.providePreferencesService (SourceFile:1) at nl.eduvpn.app.inject.ApplicationModule_ProvidePreferencesServiceFactory.get (SourceFile:19) at nl.eduvpn.app.inject.ApplicationModule_ProvidePreferencesServiceFactory.get (SourceFile:1) at dagger.internal.DoubleCheck.get (SourceFile:14) at nl.eduvpn.app.inject.DaggerEduVPNComponent$EduVPNComponentImpl.optionalOfVPNService (SourceFile:5) at nl.eduvpn.app.inject.DaggerEduVPNComponent$EduVPNComponentImpl.injectMainActivity (SourceFile:1) at nl.eduvpn.app.inject.DaggerEduVPNComponent$EduVPNComponentImpl.inject (SourceFile:1) at nl.eduvpn.app.MainActivity.onCreate (SourceFile:12) at android.app.Activity.performCreate (Activity.java:8290) at android.app.Activity.performCreate (Activity.java:8269) at android.app.Instrumentation.callActivityOnCreate (Instrumentation.java:1402) at android.app.ActivityThread.performLaunchActivity (ActivityThread.java:3653) Caused by android.security.KeyStoreException: Invalid key blob (internal Keystore code: -33 message: In create_operation: Failed to begin operation. Caused by: 0: In KeystoreSecurityLevel::upgrade_keyblob_if_required_with. 1: Calling km_op 2: Error::Km(ErrorCode(-33))) (public error code: 10 internal Keystore code: -33) at android.security.KeyStore2.getKeyStoreException (KeyStore2.java:369) at android.security.KeyStoreSecurityLevel.createOperation (KeyStoreSecurityLevel.java:120) at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:334) ``` Attached you can find the mapping file. I will create a workaround, where if the Secure Preferences could not be set up, the app will use the regular preferences as a fallback. This is not a security issue, since Google has also advocated against using secure-preferences, because the system already gives enough security guarantees that using this library doesn't matter much [[link]](https://proandroiddev.com/securing-the-future-navigating-the-deprecation-of-encrypted-shared-preferences-91ce3c20ae8d)

This secure preference thing should have been removed almost 8 years ago, how come it still bites us? 🤯

https://github.com/eduvpn/android/issues/117

This secure preference thing should have been removed almost 8 years ago, how come it still bites us? 🤯 https://github.com/eduvpn/android/issues/117
Collaborator
Copy link

I have edited my comment, because I got confused about that as well.
We have removed the scottyab:secure-preferences library in favor of androidx:secure-preferences, so we replaced a 3rd party library with the official Google one. However, Google has now also deprecated their own library last year, because to their own opinion it doesn't add much more than a false sense of security.
Android already isolates apps from each other, and if a malicious actor has access to the files of our app, then whether we use this library or not, won't really make a difference anymore.
So for now, I fall back to the unsecure version if the secure one can't be initialized, so that should make the app usable again on ChromeOS devices.

I have edited my comment, because I got confused about that as well. We have removed the scottyab:secure-preferences library in favor of androidx:secure-preferences, so we replaced a 3rd party library with the official Google one. However, Google has now also deprecated their own library last year, because to their own opinion it doesn't add much more than a false sense of security. Android already isolates apps from each other, and if a malicious actor has access to the files of our app, then whether we use this library or not, won't really make a difference anymore. So for now, I fall back to the unsecure version if the secure one can't be initialized, so that should make the app usable again on ChromeOS devices.

Thanks for explaining! Every dependency is a liability...

Thanks for explaining! Every dependency is a liability...
dzolnai referenced this issue from a commit 2025年04月25日 13:49:33 +02:00
dzolnai referenced this issue from a commit 2025年05月27日 15:48:54 +02:00

This can be closed, right?

This can be closed, right?
Collaborator
Copy link

It should be fixed in the next version, but we don't know for sure since we were not able to reproduce it. Let's close it, and worst case it will be reopened

It should be fixed in the next version, but we don't know for sure since we were not able to reproduce it. Let's close it, and worst case it will be reopened
Sign in to join this conversation.
No Branch/Tag specified
master
update-wg-submodule
feature/bugfixes
feature/tile_service
feature/mte_crash
feature/update-ics
feature/proxyguard_via_wireguard
feature/include_list
feature/threading_fix
3.5.2
3.5.1
3.5.0
3.4.0
3.3.4
3.3.3
3.3.2
3.3.1
3.3.0
3.2.2
3.2.1
3.2.0
3.1.1
3.1.0
3.0.1
3.0.0
2.99.0
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
2.0.0
1.3.2
1.3.1
1.3.0
1.2.3
1.2.2
1.2.1
1.2.0
1.1.1
1.0.1
1.0.0
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
eduVPN/android#17
Reference in a new issue
eduVPN/android
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?