As suggested by the Android docs, we use a global thread pool and handler
to avoid recreating them repeatedly. Four threads should be more than
enough as we only use this to load CA certificates when the app starts
initially and to load user certs when editing a profile.
The lint version used on our GitHub build hosts reported these errors:
Error: Value must be ≥ 0 [Range]
db.update(TABLE_VPNPROFILE, values, KEY_ID + " = " + cursor.getLong(cursor.getColumnIndex(KEY_ID)), null);
That's because get*() expect a valid index >= 0 but getColumnIndex()
can return -1 if the column name doesn't exist.
For apps targeting Android 10, where a method to change this was added, the
default changed so that all VPN connections are marked as metered. This means
certain background operations (e.g. syncing data) are not performed anymore
even when connected to a WiFi. By setting this to false, the metered state
of the VPN connection reflects that of the underlying networks.
The parser is quite picky and e.g. doesn't accept UUIDs without dashes.
Even without a specific error, this at least points the users into the
right direction.
Fixes#3583.
If the activity is not active when the service connection is
established and handleIntent() is called, the activity's state is already
saved and any fragment transaction would result in an illegalStateException
due to state loss. We just ignore this and wait for another initiation
attempt (via onNewIntent()).
With the flag set, we basically ignore the resent intent, which is not
ideal if we have not yet actually started another activity. The information
dialog we show first would disappear when closing and reopening the app
or even just rotating it (we hide all dialogs when receiving an intent),
but since the flag was restored, the dialog was not shown again even
when attempting to start other connections.
This allows users to ignore whether the app is on the device's power
whitelist without a warning. The flag is currently not set
automatically if the user denies the request.
This is necessary so we can actually schedule events accurately in Doze
mode. Otherwise, we'd only get woken in intervals of several minutes (up to
15 according to the docs) after about an hour.
This uses AlarmManager to schedule events in a way that ensures the app
is woken up (requires whitelisting when in Doze mode to be woken up at
the exact time, otherwise there are delays of up to 15 minutes).
XML resources are apparently not supported there. Moving the icon to
the mipmap folders should fix that. Aliases are defined for the icons on
Android < 8.0.
Evidently, onClick() may be called either before onStartListening() or
after onStopListening() has been called, which causes a crash when
trying to load a VpnProfile via mDataSource.
This partially reverts 3716af079e ("android: Avoid crash related to
TileService on Huawei devices").
It was deprecated in API level 28, registerNetworkCallback is available
since API level 21, but ConnectivityManager got some updates with 24
(e.g. default network handling) so we start using it then.
Android 10 will honor the preselection and could, thus, hide some
installed certificates if we only pass "RSA". The dialog will also only
be shown if there are actually certificates installed (i.e. users will
have to do that manually outside of the app or via profile import).
Fixes#3196.
This replaces the drop-down box to select certificate identities with a
text field (in the advanced settings) with auto-completion for SANs
contained in the certificate.
The field is always shown and allows using an IKE identity different from
the username for EAP authentication (e.g. to configure a more complete
identity to select a specific config on the server).
Fixes#3134.
No idea when exactly this happens but on many Huawei devices (and
only on them) it seems that onStartListening is sometimes called after
onDestroy i.e. when the database was already closed. This caused an
InvalidStateException in getProfile via updateTile when retrieving the
current profile. It's possible that it happens during shutdown (there
have been similar reports related to TileService implementations) so
users might not even notice, but it pollutes the Play Console, so this
workaround now makes sure the database is open when updateTile is called.
Some users requests something like that to use different server IPs.
Interestingly, it's actually also possible to configure multiple
hostnames/IPs, separated by commas, as server address in the profile, which
are then tried one after another.
It's also useful when testing stuff to quickly compare the behavior with
some setting changed between two otherwise identical profiles.
It looks like Android 9 incorrectly continues to use the regular DNS
servers after the blocking TUN device is replaced with the actual
interface. Setting DNS servers prevents that (since all traffic is
blocked, which ones doesn't really matter but local/loopback addresses
are rejected).
Interestingly, if the VPN server later does not assign any DNS servers, there
is no fallback to the non-VPN DNS servers for some reason (that's definitely
not as documented). This could potentially be a problem as we don't
offer an option to configure DNS servers in the VPN profile.
Neither issue is seen on older Android versions (only tested on 7.1.1).
Not sure when this happens exactly, in particular because the reported
stack traces look like this
java.lang.NullPointerException:
at org.strongswan.android.ui.VpnTileService.updateTile (VpnTileService.java:220)
at org.strongswan.android.ui.VpnTileService.onStartListening (VpnTileService.java:97)
at android.service.quicksettings.TileService$H.handleMessage (TileService.java:407)
which violates the API documentation for getQsTile(), which states:
This tile is only valid for updates between onStartListening() and
onStopListening().
But apparently that's not always the case. There have been two reports
of such a crash, both on Android 8.0 and on Xiaomi Mi 5/6 devices, so
maybe it's a bug in that particular image.
The previous code lost track of the selected profile IDs, but the
widgets maintained their state (i.e. the list item was still selected and the
edit button still enabled). Clicking the edit button then caused a crash when
trying to get the first item in the set.
Tobias Brunner