Tuesday, 27 December 2022

Android Background activity start

I'm aware of the Restrictions on starting activities from the background starting from Android API 29, but I'm challenged by some app which is able to present an Activity despite the restrictions. The app does not use the SYSTEM_ALERT_WINDOW permission to draw over other apps. It just presents an activity while having only a foreground service running.

The app listens to package added (ACTION_PACKAGE_ADDED) and removed (ACTION_PACKAGE_REMOVED) broadcasts and starts an activity styled as a dialog.

Normally, when I register the receiver (either in the manifest or at runtime in a foreground service) and want to start an activity, I get the following log from ActivityTaskManager:

2022-12-25 11:29:57.188   511-855   ActivityTaskManager     pid-511                              I  START u0 {flg=0x10000000 cmp=com.jasperapps.testpackageremoveintent/.TargetActivity} from uid 10146
2022-12-25 11:29:57.190   511-855   ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.jasperapps.testpackageremoveintent; callingUid: 10146; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10146; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: null; allowBackgroundActivityStart: false; intent: Intent { flg=0x10000000 cmp=com.jasperapps.testpackageremoveintent/.TargetActivity }; callerApp: ProcessRecord{5224fb8 12583:com.jasperapps.testpackageremoveintent:remote/u0a146}; inVisibleTask: false]
2022-12-25 11:29:57.191   511-855   ActivityTaskManager     pid-511                              E  Abort background activity starts from 10146

Where Abort background activity starts from 10146 means that I'm violating the background restrictions, which is expected.

Instead, when I examined the logcat for ActivityTaskManager for the app which works around this, I found the following:

2022-12-25 11:34:59.196   511-4063  ActivityTaskManager     pid-511                              I  START u0 {cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.198   511-4063  ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10148; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: PendingIntentRecord{921ede4 com.bingo.cleaner startActivity}; allowBackgroundActivityStart: false; intent: Intent { cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }; callerApp: ProcessRecord{c06f774 13034:com.bingo.cleaner/u0a148}; inVisibleTask: false]
2022-12-25 11:34:59.199   511-4063  ActivityTaskManager     pid-511                              W  startActivity called from non-Activity context; forcing Intent.FLAG_ACTIVITY_NEW_TASK for: Intent { flg=0x800000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }
2022-12-25 11:34:59.200   511-4063  ActivityTaskManager     pid-511                              E  Abort background activity starts from 10148

2022-12-25 11:34:59.209   511-857   ActivityTaskManager     pid-511                              I  START u0 {flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.210   511-857   ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10148; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: null; allowBackgroundActivityStart: false; intent: Intent { flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }; callerApp: ProcessRecord{c06f774 13034:com.bingo.cleaner/u0a148}; inVisibleTask: false]
2022-12-25 11:34:59.210   511-857   ActivityTaskManager     pid-511                              E  Abort background activity starts from 10148

2022-12-25 11:34:59.285   511-857   ActivityTaskManager     pid-511                              I  START u0 {cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.287   511-857   ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10148; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: PendingIntentRecord{921ede4 com.bingo.cleaner startActivity (allowlist: d43f3f6:+30s0ms/0/NOTIFICATION_SERVICE/NotificationManagerService)}; allowBackgroundActivityStart: false; intent: Intent { cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }; callerApp: ProcessRecord{c06f774 13034:com.bingo.cleaner/u0a148}; inVisibleTask: false]
2022-12-25 11:34:59.287   511-857   ActivityTaskManager     pid-511                              W  startActivity called from non-Activity context; forcing Intent.FLAG_ACTIVITY_NEW_TASK for: Intent { flg=0x800000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }
2022-12-25 11:34:59.288   511-857   ActivityTaskManager     pid-511                              E  Abort background activity starts from 10148

2022-12-25 11:34:59.288   511-857   ActivityTaskManager     pid-511                              I  START u0 {flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.288   511-857   ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10148; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: null; allowBackgroundActivityStart: false; intent: Intent { flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }; callerApp: ProcessRecord{c06f774 13034:com.bingo.cleaner/u0a148}; inVisibleTask: false]
2022-12-25 11:34:59.289   511-857   ActivityTaskManager     pid-511                              E  Abort background activity starts from 10148

2022-12-25 11:34:59.522   511-543   ActivityTaskManager     pid-511                              I  START u0 {cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.522   511-543   ActivityTaskManager     pid-511                              W  startActivity called from non-Activity context; forcing Intent.FLAG_ACTIVITY_NEW_TASK for: Intent { flg=0x800000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }
2022-12-25 11:34:59.527   511-543   ActivityTaskManager     pid-511                              W  Can't find TaskDisplayArea to determine support for multi window. Task id=27 attached=false
2022-12-25 11:34:59.606   511-852   ActivityTaskManager     pid-511                              W  Tried to set launchTime (0) < mLastActivityLaunchTime (556847)
2022-12-25 11:34:59.914   511-546   ActivityTaskManager     pid-511                              I  Displayed com.bingo.cleaner/.modules.scene.fork.ForkActivityC: +325ms

Note, I intentionally added blank lines to the logcat to make it clearer. So the app tries to launch an activity 3 times and gets rejected by the system. However, on the 4th time it somehow succeeds!

Please take a look at the video of my screen recording: https://yura-misc.s3.eu-central-1.amazonaws.com/activity_from_bakcground.mov

P.S. What I have tried (from onReceive of the runtime-registered broadcast receiver):

  1. starting the activity in a loop up to 10 times (to replicate what the sample app is doing)
  2. showing a notification along with starting the activity (I thought the notification could increase priority of my app)
  3. starting another foreground service and launching the activity from it (I thought it could increase priority of my app too)
  4. sending a Pending Intent instead of a regular intent to start the activity

I suppose this must be some kind of a hack, which is potentially an Android system vulnerability. Do you have any ideas of what it could be or in what direction I should look?
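
A triage helper for the logcat output quoted above, added here as an example and not part of the original post: it groups ActivityTaskManager lines into one record per START request and reports requests that were displayed after the same uid had been denied, with the originatingPendingIntent values of the denied requests and whether a "Background activity start" warning was logged for the displayed one. The sample lines are constructed abbreviations of the post's log, and all function and field names are assumptions of this example.

```python
import re

# Constructed sample: the ActivityTaskManager lines quoted in the post, reduced to the fields used here.
CMP = "com.bingo.cleaner/.modules.scene.fork.ForkActivityC"
S = f"I START u0 {{cmp={CMP} (has extras)}} from uid 10148"
A = "E Abort background activity starts from 10148"
PI = "PendingIntentRecord{921ede4 com.bingo.cleaner startActivity"
def bal(pending):
    return ("W Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; "
            f"originatingPendingIntent: {pending}; allowBackgroundActivityStart: false]")
SAMPLE = "\n".join([
    S, bal(PI + "}"), A,
    S.replace("{cmp", "{flg=0x10000000 cmp"), bal("null"), A,
    S, bal(PI + " (allowlist: d43f3f6:+30s0ms/0/NOTIFICATION_SERVICE/NotificationManagerService)}"), A,
    S, f"I Displayed {CMP}: +325ms"])  # final request: no warning and no abort in the post's log

START = re.compile(r"START u0 \{.*?cmp=(\S+?)[ }].*from uid (\d+)")  # explicit-component starts only
BAL = re.compile(r"Background activity start \[(.*)\]")
ABORT = re.compile(r"Abort background activity starts from (\d+)")
DISPLAYED = re.compile(r"Displayed (\S+): \+")

def parse_attempts(log):
    """Return one record per START request with the system's verdict attached."""
    attempts = []
    def latest(key, value):  # most recent request for this uid or component
        return next((a for a in reversed(attempts) if a[key] == value), None)
    for line in log.splitlines():
        if m := START.search(line):
            attempts.append({"uid": int(m[2]), "cmp": m[1], "checks": None,
                             "aborted": False, "displayed": False})
        elif m := BAL.search(line):
            fields = dict(kv.partition(": ")[::2] for kv in m[1].split("; "))
            if a := latest("uid", int(fields.get("callingUid", -1))):
                a["checks"] = fields
        elif (m := ABORT.search(line)) and (a := latest("uid", int(m[1]))):
            a["aborted"] = True
        elif (m := DISPLAYED.search(line)) and (a := latest("cmp", m[1])):
            a["displayed"] = not a["aborted"]
    return attempts

def shown_after_denials(attempts):
    """Requests that reached the screen after the same uid had been denied."""
    hits = []
    for i, a in enumerate(attempts):
        denied = [p for p in attempts[:i] if p["uid"] == a["uid"] and p["aborted"]]
        if a["displayed"] and denied:
            tried = {(p["checks"] or {}).get("originatingPendingIntent") for p in denied}
            hits.append({"cmp": a["cmp"], "denials": len(denied), "tried": tried,
                         "warning_logged": a["checks"] is not None})
    return hits
```

Run it over a saved `logcat` capture filtered to the ActivityTaskManager tag; each hit is a component worth inspecting by hand, since the records are matched by uid and component name only.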
