
I'm aware of the restrictions on starting activities from the background, starting with Android API 29, but I'm challenged by an app which is able to present an Activity despite the restrictions. The app does not use the SYSTEM_ALERT_WINDOW permission to draw over other apps. It just presents an activity while having only a foreground service running.

The app listens to package added (ACTION_PACKAGE_ADDED) and removed (ACTION_PACKAGE_REMOVED) broadcasts and starts an activity styled as a dialog.

Normally, when I register the receiver (either in the manifest or at runtime in a foreground service) and want to start an activity, I get the following log from ActivityTaskManager:

2022-12-25 11:29:57.188   511-855   ActivityTaskManager     pid-511                              I  START u0 {flg=0x10000000 cmp=com.jasperapps.testpackageremoveintent/.TargetActivity} from uid 10146
2022-12-25 11:29:57.190   511-855   ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.jasperapps.testpackageremoveintent; callingUid: 10146; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10146; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: null; allowBackgroundActivityStart: false; intent: Intent { flg=0x10000000 cmp=com.jasperapps.testpackageremoveintent/.TargetActivity }; callerApp: ProcessRecord{5224fb8 12583:com.jasperapps.testpackageremoveintent:remote/u0a146}; inVisibleTask: false]
2022-12-25 11:29:57.191   511-855   ActivityTaskManager     pid-511                              E  Abort background activity starts from 10146

Here "Abort background activity starts from 10146" means that I'm violating the background restrictions, which is expected.

Instead, when I examined the ActivityTaskManager logcat for the app which works around this, I found the following:

2022-12-25 11:34:59.196   511-4063  ActivityTaskManager     pid-511                              I  START u0 {cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.198   511-4063  ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10148; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: PendingIntentRecord{921ede4 com.bingo.cleaner startActivity}; allowBackgroundActivityStart: false; intent: Intent { cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }; callerApp: ProcessRecord{c06f774 13034:com.bingo.cleaner/u0a148}; inVisibleTask: false]
2022-12-25 11:34:59.199   511-4063  ActivityTaskManager     pid-511                              W  startActivity called from non-Activity context; forcing Intent.FLAG_ACTIVITY_NEW_TASK for: Intent { flg=0x800000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }
2022-12-25 11:34:59.200   511-4063  ActivityTaskManager     pid-511                              E  Abort background activity starts from 10148

2022-12-25 11:34:59.209   511-857   ActivityTaskManager     pid-511                              I  START u0 {flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.210   511-857   ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10148; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: null; allowBackgroundActivityStart: false; intent: Intent { flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }; callerApp: ProcessRecord{c06f774 13034:com.bingo.cleaner/u0a148}; inVisibleTask: false]
2022-12-25 11:34:59.210   511-857   ActivityTaskManager     pid-511                              E  Abort background activity starts from 10148

2022-12-25 11:34:59.285   511-857   ActivityTaskManager     pid-511                              I  START u0 {cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.287   511-857   ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10148; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: PendingIntentRecord{921ede4 com.bingo.cleaner startActivity (allowlist: d43f3f6:+30s0ms/0/NOTIFICATION_SERVICE/NotificationManagerService)}; allowBackgroundActivityStart: false; intent: Intent { cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }; callerApp: ProcessRecord{c06f774 13034:com.bingo.cleaner/u0a148}; inVisibleTask: false]
2022-12-25 11:34:59.287   511-857   ActivityTaskManager     pid-511                              W  startActivity called from non-Activity context; forcing Intent.FLAG_ACTIVITY_NEW_TASK for: Intent { flg=0x800000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }
2022-12-25 11:34:59.288   511-857   ActivityTaskManager     pid-511                              E  Abort background activity starts from 10148

2022-12-25 11:34:59.288   511-857   ActivityTaskManager     pid-511                              I  START u0 {flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.288   511-857   ActivityTaskManager     pid-511                              W  Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; appSwitchAllowed: false; isCallingUidForeground: false; callingUidHasAnyVisibleWindow: false; callingUidProcState: FOREGROUND_SERVICE; isCallingUidPersistentSystemProcess: false; realCallingUid: 10148; isRealCallingUidForeground: false; realCallingUidHasAnyVisibleWindow: false; realCallingUidProcState: FOREGROUND_SERVICE; isRealCallingUidPersistentSystemProcess: false; originatingPendingIntent: null; allowBackgroundActivityStart: false; intent: Intent { flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }; callerApp: ProcessRecord{c06f774 13034:com.bingo.cleaner/u0a148}; inVisibleTask: false]
2022-12-25 11:34:59.289   511-857   ActivityTaskManager     pid-511                              E  Abort background activity starts from 10148

2022-12-25 11:34:59.522   511-543   ActivityTaskManager     pid-511                              I  START u0 {cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.522   511-543   ActivityTaskManager     pid-511                              W  startActivity called from non-Activity context; forcing Intent.FLAG_ACTIVITY_NEW_TASK for: Intent { flg=0x800000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }
2022-12-25 11:34:59.527   511-543   ActivityTaskManager     pid-511                              W  Can't find TaskDisplayArea to determine support for multi window. Task id=27 attached=false
2022-12-25 11:34:59.606   511-852   ActivityTaskManager     pid-511                              W  Tried to set launchTime (0) < mLastActivityLaunchTime (556847)
2022-12-25 11:34:59.914   511-546   ActivityTaskManager     pid-511                              I  Displayed com.bingo.cleaner/.modules.scene.fork.ForkActivityC: +325ms

Note that I intentionally added blank lines to the logcat to make it clearer. So the app tries to launch an activity 3 times and gets rejected by the system. However, on the 4th time it somehow succeeds!

Please take a look at the video of my screen recording: https://yura-misc.s3.eu-central-1.amazonaws.com/activity_from_bakcground.mov

P.S. What I have tried (from onReceive of the runtime-registered broadcast receiver):

  1. starting the activity in a loop up to 10 times (to replicate what the sample app is doing)
  2. showing a notification along with starting the activity (I thought the notification could increase the priority of my app)
  3. starting another foreground service and launching the activity from it (I thought it could increase the priority of my app too)
  4. sending a PendingIntent instead of a regular Intent to start the activity

I suppose this must be some kind of hack, which is potentially an Android system vulnerability. Do you have any ideas of what it could be, or in what direction I should look?

YTerle
  • Based on the startup behavior, it looks like it's going through launch permutations to try to get around the restrictions on background starts. 1) Tries the base module with a non-Activity Context, forcing Intent flg=0x800000 2) Tries START with flg=0x10000000 3) Tries the original method but with (allowlist: d43f3f6:+30s0ms/0/NOTIFICATION_SERVICE/NotificationManagerService) 4) Tries the original method, but calling [Multi-Window Mode](https://developer.android.com/guide/topics/large-screens/multi-window-support). Suspicion is there's a security hole in Multi-Window Mode. – G. Putnam Dec 28 '22 at 19:35
  • I've also noticed the following apps are able to start a dialog-themed activity from the background without requiring any user-granted permissions, even on Android 13: https://m.apkpure.com/max-cleaner/com.omni.cleaner.crane and https://m.apkpure.com/storm-file-manager/com.awesome.boost.junkcleaner. I have decompiled these 2 apps and found out they both use a certain native library (liblazarus.so). Looking at the signatures of the Java native methods that interact with this native library, it looks like it's the one doing all the dirty work. – codeman Mar 14 '23 at 09:49
  • Another interesting thing I noticed is that if you use the layout inspector on these two apps, you'll notice that when the app is in the background they display a very small white dot. This dot is not visible on the screen, which means it's being displayed on a virtual display. One Java native method which interacts with liblazarus.so takes a DisplayManager as an argument. So I'm guessing this also has something to do with the apps being able to start an activity from the background at will. – codeman Mar 14 '23 at 10:26
  • Another thing is that the "Background activity start [callingPackage:xxx......" log line is not shown in the logcat. So I guess (yeah, I know it's a lot of guessing) these apps are being kept whitelisted as being in a foreground state. – codeman Mar 14 '23 at 10:39
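As an added example (not code from the question, from the apps named in it, or from Android), here is a small Python parser that groups the ActivityTaskManager lines above into individual start attempts and reports which ones were aborted and which one reached "Displayed". The detail worth pulling out of the logcat is that the final, successful START has no "Background activity start [...]" warning attached to it at all, which is the line ActivityTaskManager emits when none of its allowances applied, so the parser reports a success without an evaluation line separately. It also exposes the parsed key/value fields of each warning, so the originatingPendingIntent value (including the NotificationManagerService allowlist token) can be compared across attempts. The regexes are written only for the threadtime logcat format shown on this page, and the sample inside the block is a trimmed copy of the question's com.bingo.cleaner sequence (constructed test input, long lines shortened to the fields used here).

```python
import re
from dataclasses import dataclass, field

# Added example for this page; the regexes target only the logcat format shown in
# the question (threadtime, tag ActivityTaskManager, optional "pid-NNN" column).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)-(?P<tid>\d+)\s+ActivityTaskManager\s+(?:pid-\d+\s+)?"
    r"(?P<level>[VDIWEF])\s+(?P<msg>.*)$"
)
START_RE = re.compile(r"^START u\d+ \{(?P<intent>[^}]*)\} from uid (?P<uid>\d+)$")
BAL_RE = re.compile(r"^Background activity start \[(?P<body>.*)\]$")
ABORT_RE = re.compile(r"^Abort background activity starts from (?P<uid>\d+)$")
DISPLAYED_RE = re.compile(r"^Displayed (?P<cmp>\S+): \+\d+ms$")
CMP_RE = re.compile(r"cmp=(\S+)")


@dataclass
class Attempt:
    ts: str
    tid: str
    uid: str
    component: str
    bal_fields: dict = field(default_factory=dict)  # parsed "Background activity start [...]"
    aborted: bool = False    # an "Abort background activity starts" line followed
    displayed: bool = False  # a "Displayed <cmp>" line followed

    @property
    def bal_checked(self) -> bool:
        return bool(self.bal_fields)


def parse_bal_fields(body: str) -> dict:
    """Split 'key: value; key: value' into a dict. Values such as
    'PendingIntentRecord{... (allowlist: ...)}' contain ':' but never '; ',
    so splitting on '; ' first and then on the first ': ' is safe here."""
    fields = {}
    for part in body.split("; "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_attempts(log: str) -> list:
    attempts = []
    open_by_tid = {}  # a START and its verdict are logged from the same system_server thread
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg, tid = m["msg"], m["tid"]
        if s := START_RE.match(msg):
            cmp_m = CMP_RE.search(s["intent"])
            a = Attempt(m["ts"], tid, s["uid"], cmp_m.group(1) if cmp_m else "?")
            attempts.append(a)
            open_by_tid[tid] = a
        elif (b := BAL_RE.match(msg)) and tid in open_by_tid:
            open_by_tid[tid].bal_fields = parse_bal_fields(b["body"])
        elif ABORT_RE.match(msg) and tid in open_by_tid:
            open_by_tid.pop(tid).aborted = True
        elif d := DISPLAYED_RE.match(msg):
            # "Displayed" comes from a different thread, so match by component:
            # the newest attempt for that component that was neither aborted nor shown.
            for a in reversed(attempts):
                if a.component == d["cmp"] and not a.aborted and not a.displayed:
                    a.displayed = True
                    break
    return attempts


def unchecked_successes(attempts):
    """Starts that reached 'Displayed' without any 'Background activity start'
    warning being logged, i.e. the system found no reason to block them."""
    return [a for a in attempts if a.displayed and not a.bal_checked]


# Constructed sample: the com.bingo.cleaner sequence from the question, with the
# long warning lines trimmed to the fields this parser uses.
SAMPLE_LOG = """\
2022-12-25 11:34:59.196 511-4063 ActivityTaskManager pid-511 I START u0 {cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.198 511-4063 ActivityTaskManager pid-511 W Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; callingUidProcState: FOREGROUND_SERVICE; originatingPendingIntent: PendingIntentRecord{921ede4 com.bingo.cleaner startActivity}; allowBackgroundActivityStart: false]
2022-12-25 11:34:59.200 511-4063 ActivityTaskManager pid-511 E Abort background activity starts from 10148
2022-12-25 11:34:59.209 511-857 ActivityTaskManager pid-511 I START u0 {flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.210 511-857 ActivityTaskManager pid-511 W Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; callingUidProcState: FOREGROUND_SERVICE; originatingPendingIntent: null; allowBackgroundActivityStart: false]
2022-12-25 11:34:59.210 511-857 ActivityTaskManager pid-511 E Abort background activity starts from 10148
2022-12-25 11:34:59.285 511-857 ActivityTaskManager pid-511 I START u0 {cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.287 511-857 ActivityTaskManager pid-511 W Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; callingUidProcState: FOREGROUND_SERVICE; originatingPendingIntent: PendingIntentRecord{921ede4 com.bingo.cleaner startActivity (allowlist: d43f3f6:+30s0ms/0/NOTIFICATION_SERVICE/NotificationManagerService)}; allowBackgroundActivityStart: false]
2022-12-25 11:34:59.288 511-857 ActivityTaskManager pid-511 E Abort background activity starts from 10148
2022-12-25 11:34:59.288 511-857 ActivityTaskManager pid-511 I START u0 {flg=0x10000000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.288 511-857 ActivityTaskManager pid-511 W Background activity start [callingPackage: com.bingo.cleaner; callingUid: 10148; callingUidProcState: FOREGROUND_SERVICE; originatingPendingIntent: null; allowBackgroundActivityStart: false]
2022-12-25 11:34:59.289 511-857 ActivityTaskManager pid-511 E Abort background activity starts from 10148
2022-12-25 11:34:59.522 511-543 ActivityTaskManager pid-511 I START u0 {cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras)} from uid 10148
2022-12-25 11:34:59.522 511-543 ActivityTaskManager pid-511 W startActivity called from non-Activity context; forcing Intent.FLAG_ACTIVITY_NEW_TASK for: Intent { flg=0x800000 cmp=com.bingo.cleaner/.modules.scene.fork.ForkActivityC (has extras) }
2022-12-25 11:34:59.914 511-546 ActivityTaskManager pid-511 I Displayed com.bingo.cleaner/.modules.scene.fork.ForkActivityC: +325ms
"""

if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        verdict = "displayed" if a.displayed else "aborted" if a.aborted else "unknown"
        print(a.ts, a.uid, "checked" if a.bal_checked else "NO CHECK LOGGED",
              a.bal_fields.get("originatingPendingIntent"), "->", verdict)
```

Run against a full `adb logcat -v threadtime -s ActivityTaskManager` capture, the same functions work unchanged; lines that carry none of the four recognised messages (the TaskDisplayArea and launchTime warnings in the question, for instance) are skipped rather than misattributed.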

1 Answer


I am also facing a similar issue. I have a database where phone numbers are saved from time to time, and my application has to call those numbers even when my app is in the background. When I tried it on the Android 12 emulator it works well: it works in the background, but the call cuts on start. And when I tried it on Android 10, it didn't work in the background but works well in the foreground.

I also have a notification on that app, so the process does not finish. I don't know what to do now!

You can see here: you have to get the SYSTEM_ALERT_WINDOW permission from the user. Also, multiple conditions are given here. Check, and if yours is solved, please write here. My problem isn't solved. https://developer.android.com/guide/components/activities/background-starts