[RESOLVED] VERY disturbing! Hidden network traffic by Corona SDK breaks Jellybean.

37 replies [Last post]
gtt
User offline. Last seen 1 year 8 weeks ago. Offline
Joined: 2 Aug 2011

I've posted a few days ago that we received emails from clients with Jellybean installed about app crashes.

The "good" news are we have managed to find the problem.
The BAD news are, we have no way of solving it.

In general anyone that uses apktool/multitool to change the manifest xml file to remove unused permissions will find that their application crashes sporadically when running on Android 4.1.

The reason is a change in the behavior of the OS when an unauthorized request is made. In our case we are targeting toddlers and children and we had to remove all the permissions that were considers as a privacy concern to our clients. Meaning no identity/location/network access what so ever.

We did of course disable the dashboard (with launchPad = false in the config.lua) and then we unpacked our APK and packed it back without all the permissions.
We are not using any extended library like OF, Flurry or even IAP! we are just using the plain graphics library (display.*, etc) we expect ZERO network traffic.

On any Android version before 4.1 we had no issues. But on 4.1 we get a lot of exceptions sent to our developer console. They all share the same stack trace:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
java.lang.SecurityException: Permission denied (missing INTERNET permission?)
at java.net.InetAddress.lookupHostByName(InetAddress.java:418)
at java.net.InetAddress.getAllByNameImpl(InetAddress.java:236)
at java.net.InetAddress.getAllByName(InetAddress.java:214)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:137)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at com.loopj.android.http.AsyncHttpRequest.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1076)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:569)
at java.lang.Thread.run(Thread.java:856)
Caused by: libcore.io.GaiException: getaddrinfo failed: EAI_NODATA (No address associated with hostname)
at libcore.io.Posix.getaddrinfo(Native Method)
at libcore.io.ForwardingOs.getaddrinfo(ForwardingOs.java:55)
at java.net.InetAddress.lookupHostByName(InetAddress.java:405)
... 12 more
Caused by: libcore.io.ErrnoException: getaddrinfo failed: EACCES (Permission denied) 

Our conclusion is that versions prior to 4.1 just silently ignored unauthorized internet access while Jellybean throws a hard exception that crashes Corona SDK.
I have NO idea why such traffic is generated! When our clients complained Corona has "spyware" (they found out we are using Corona from the Corona badge on our site) in it we removed all these permissions and replied to them defending Corona and ourselves and they all were happy with the result. Now how can we explain adding back intrusive permissions? :(

Our only solution to this would be to enable the INTERNET permission but we are going to receive a lot of bad client feedback for such a move. Sadly, I don't think we have a choice with the fast deployment of 4.1.

So, Corona PLEASE support us :(
I'm sure this issue is going to affect a LOT of other customers as well (I've learned how to do it on this forum...). If you can on your side "try" and "catch" these exceptions at the java level it should solve this I think.

Replies

mike470
User offline. Last seen 5 years 12 weeks ago. Offline
Joined: 29 Jun 2012

Why in the world does Corona send anything not authorized by the developer over the net? Need some explanation here from the staff, please.

gtatarkin
User offline. Last seen 3 years 17 weeks ago. Offline
Joined: 16 Dec 2010

+10000000 Hello Corona stuff?!

digitaloranges
User offline. Last seen 3 years 46 weeks ago. Offline
Joined: 31 Aug 2011

Surely it's something to do with the analytics service they provide?

borgb
User offline. Last seen 1 year 15 weeks ago. Offline
Joined: 18 Jan 2011

my guess is that its the dashboard analytics thing. Dont think you can turn that of as far as I know. Hopefully someone from Corona can explain it.

mike470
User offline. Last seen 5 years 12 weeks ago. Offline
Joined: 29 Jun 2012

If the analytics is a "service", then the developer should be able to turn it off. Unless it's a service for Corona, and not for the developer. Which would be fine, if Corona was a freebee - you expect this kind of thing of freebees. Not of something you pay for.

Look, there are a LOT of paranoiacs out there who are spurred on by all kinds of articles about the nefarious net companies gathering data on them. You and I (well, I and maybe you) know that the data gathered is always aggregate, not personalized, and there are maybe a handful of programs out there that are spyware that act and serve as legit apps, but the CUSTOMERS do not know this. The media has been buzzing into their ears about spyware, and if they see an educational game app that says it needs access to the phone contacts when it installs, that is what they will see it as - spyware. Even worse - spyware that wants to spy on their kid. Which leads to complaints, one-star ratings, and demands for refunds.

Seriously Corona - are you guys this clueless about this? I have been a client-side application developer (in financial markets, not iOS apps, but still) for decades, and any HINT that there is some kind of side-communication going on in your program will decimate your user base. And *especially* with the review system in place like there is for apps where just a few of your users have to put the dreaded s-word ("spyware") in the review, and it will scare off 90% of potential buyers of the app.

gtt
User offline. Last seen 1 year 8 weeks ago. Offline
Joined: 2 Aug 2011

@mike470, you're spot on!
This is exactly what happened to us. We got featured on Amazon and got 150,000 downloads in one day just to receive tens of reviews by paranoid users that thought we are collecting data on them. This killed our rating and download stats for a few days.. After we removed the permissions it silenced these voices.

But now we are afraid to get into the same situation again and worse! (some users replied to us that they still don't believe us and that they think we'll add these permissions again in the future..)

gtatarkin
User offline. Last seen 3 years 17 weeks ago. Offline
Joined: 16 Dec 2010

@borgb - "my guess is that its the dashboard analytics thing"

Yeah but it use phone and internet permission so lots of users just don't download your app because of this settings. Personally I don't need analytics.

jfb
User offline. Last seen 7 years 19 weeks ago. Offline
Joined: 18 Aug 2011

@gury

Are you saying that

 launchPad = false

does nothing?

What about androidPermissions as in

1
2
3
4
5
6
7
8
9
settings =
{
:    
        androidPermissions =
        {
                "android.permission.ACCESS_FINE_LOCATION",
                "android.permission.INTERNET"
        },
}

Does this not affect permissions?

gtt
User offline. Last seen 1 year 8 weeks ago. Offline
Joined: 2 Aug 2011

hey @jfb,

The only thing I know launchPad=false does is to remove my app from the site's launchpad. as for network traffic, I was sure it will be removed but now I think at least some traffic is still there, I cant tell what is really being sent.

Not really sure what you meant by the rest of your comment, adding the androidPermissions clause will add them to your androidmanifest.xml
what we were trying to do is remove them...
(As a matter of fact, as far as I know, Corona defaults to have the INTERNET permission on even if you dont add that in your androidPermissions clause..)

Just to make everything clear. no network is being done in our case cause we removed the permissions. but network traffic is trying to happen!! and we only found out about this because in 4.1 when this scenario happens you get a hard exception which crashes Corona SDK.

I hope this helps.
I will also be super happy to admit I was wrong if someone explains to me where...

Gury

jfb
User offline. Last seen 7 years 19 weeks ago. Offline
Joined: 18 Aug 2011

I was thinking androidPermissions=nil but I guess that would be too simple!

rdytmire
User offline. Last seen 35 weeks 4 days ago. Offline
Joined: 11 Apr 2012

I'd like to hear from Corona's reps on this. I have a (4 billion + / year) client I am trying to sell on this API but ANY whiff of network traffic is a total non-starter for them.

Guys, unaccounted for network traffic AUTOMATICALLY fails a security audit. No retailers could use your device as it would fail PCI compliance.

We need an answer / explanation on this one.

Best practice would be NO unauthorized traffic at any time unless explicitly allowed by the developer.

Omnigeek Media
User offline. Last seen 10 weeks 1 day ago. Offline
Joined: 18 Jan 2011

Have you filed a bug report with Corona Labs? Posting to a forum is no guarantee of getting their attention.

gtt
User offline. Last seen 1 year 8 weeks ago. Offline
Joined: 2 Aug 2011

As far as I can tell this is not a bug but a desired behavior Corona intended for. I just want to change it or have an option to do it like many other users.

rdytmire
User offline. Last seen 35 weeks 4 days ago. Offline
Joined: 11 Apr 2012

Sigh... The report a bug function REQUIRES me to submit code to reproduce a bug.

Since I'm just asking for follow up there seems no way to get their attention.

I'll assume we'll see more issues like this as Corona attempts to sell to Enterprise level accounts. The two types of developers are VERY different and Enterprise is very careful who / when they release any proprietary code into the wild.

jfb
User offline. Last seen 7 years 19 weeks ago. Offline
Joined: 18 Aug 2011

Have you tried this?

http://www.ludicroussoftware.com/blog/2012/05/08/remove-unused-libraries-from-corona-apps/

(in principle one could edit the .smali files to remove web traffic)

jfb
User offline. Last seen 7 years 19 weeks ago. Offline
Joined: 18 Aug 2011

@ rdytmire

I think if launchPad = false does not switch of analytics then this IS a bug!

Omnigeek Media
User offline. Last seen 10 weeks 1 day ago. Offline
Joined: 18 Jan 2011

Since you know what causes the problem, you should be able to write a small app that demonstrates it. You don't need to submit your entire app.

gtt
User offline. Last seen 1 year 8 weeks ago. Offline
Joined: 2 Aug 2011

I don't see the point in filing a bug. No one said the traffic is generated by analytics.

The only thing I know is that there is traffic when I'm not expecting it. Analytics is one option that was mentioned here but got no confirmation from any official source.

I also do not think it's any kind of regression, I think it always worked this way and was only caught because of an OS behavior change + us unpacking the APK with an external tool.

This thread was forwarded to the right people by Peach so I will just wait for the official response..

Regardless, I cannot reproduce this myself because I don't have a Jellybean device.

walter
User offline. Last seen 15 weeks 4 days ago. Offline
Staff
Joined: 22 Jun 2009

Looking into this, as what you are saying doesn't makes sense. The launchpad setting in config.lua should override unless you are using a service from one of our launchpad partners, e.g. inneractive.

Just so you know we take privacy very seriously. We even had our lawyers draft up a privacy policy designed for you to use as an app developer (this is distinct from the privacy policy that all web sites post) so you can give something to end users.

When we last looked, this is something no one other app platform is doing:

http://www.coronalabs.com/privacy-policy/privacy-policy-for-app-users/

rdytmire
User offline. Last seen 35 weeks 4 days ago. Offline
Joined: 11 Apr 2012

Thanks for the reply Walter. Although is seems kind of cryptic. What part does not make any sense? They obviously have captured HTTP traffic outbound from the device that the developer did not send. There is no question of this.

I've read your privacy statement and I have some questions:

Your privacy statement explicitly says that Corona Labs IS collecting data about usage.

Are you stating that CoronaLabs API data gathering can be completely shut down? What if we want to access HTTPS on our own back end but we want to be 100% sure no other data is sent anywhere else.

Your end-user security statement if for app-users. Not enterprise customers. Enterprise customers have large I.T. departments that are going to pick up this traffic and raise all kinds of red flags. You'll have a tough time deploying to any kind of P.O.S (Point of sale), financial, or .gov services with an "Always on" data collector. No matter how "passive" it is.

Imagine trying to tell Starbucks that you'll be collecting data on their app's usage...do you think that will fly? Not in a million years. That's marketing data about their customers you're harvesting (even in aggregate) and that's a big no-no.

So the bottom line, if a developer wants your API to do NO communicating outside of something they explicitly write is this possible?

To re-phrase: If I open HTTP access on my app is there a way to prevent Corona API from transmitting ANY data I do not explicitly tell it to?

walter
User offline. Last seen 15 weeks 4 days ago. Offline
Staff
Joined: 22 Jun 2009

@rdtymire, http calls you make explicitly are your own. We would never imagine logging any of that.

The code is structured to do analytics data collection only when launchpad is on. As I mentioned, you can turn it off via a config.lua setting, as long as you don't use a 3rd party launchpad service.

What doesn't make sense is it'd still be happening when launchpad is turned off, which seems to be the claim by @gury.traub --- that's what we're looking into.

gtt
User offline. Last seen 1 year 8 weeks ago. Offline
Joined: 2 Aug 2011

Thanks Walter for looking into it,
Let me know if I can provide anything else to help your investigation.

No sure it's important to you but two examples of games we have which exhibit the problem are called "What's Different" and "Mix And Match". To be sure analytics is off I checked the app is not appearing in the dashboard on your site.
I can also assure you we are not using any 3rd party tool that would activate the dashboard.

If you really run into a dead end I'm even willing to send you the source code of one of them (as long as you keep it to yourself :) )

Let me know,

Thanks again!

PS, everyone is mentioning launchPad as the source of this traffic and surely I have no clue how your code is arranged, but just to clarify I have no way of knowing what the source is. As far as I know it might just be some isolated http request in Corona SDK's code which has no connection to analytics.

walter
User offline. Last seen 15 weeks 4 days ago. Offline
Staff
Joined: 22 Jun 2009

UPDATE: Good news is that launchpad behaves as expected --- no network traffic when you opt out.

@gury.traub, I was not able to reproduce the issue on the Nexus7 running 4.1.

I took the HelloWorld project, added the launchPad=false, removed the permissions (android.permission.INTERNET, android.permission.ACCESS_NETWORK_STATE, android.permission.READ_PHONE_STATE) and there was no issue, no crash. I also tried locking the screen and resuming the app without a problem.

I have to assume there are some network calls in your project that are the culprit.

gtt
User offline. Last seen 1 year 8 weeks ago. Offline
Joined: 2 Aug 2011

I'll recheck all our games

gtt
User offline. Last seen 1 year 8 weeks ago. Offline
Joined: 2 Aug 2011

Hi all.

Seems we were bashing Corona SDK for NOTHING....

I've investigated more and found that there is an http call hiding in a library we are using (crawlspaceLib) it runs a check to see if there is internet available.

I'm so sorry for your time :(

Thank Walter for your time and again... sorry!

TandG
User offline. Last seen 6 days 11 hours ago. Offline
Joined: 16 Jun 2011

Don't worry about it gtt, i at least found it an interesting read :D

Its nice to know the launchpad setting does actually work as expected!

gtt
User offline. Last seen 1 year 8 weeks ago. Offline
Joined: 2 Aug 2011

Yep, that's good to know :)

But regardless, I should have checked more on my side and not assume from the beginning this is something in Corona. Our judgment was completely wrong, and for that I have nothing but to be sorry for. Corona has been nothing but great for us..

jfb
User offline. Last seen 7 years 19 weeks ago. Offline
Joined: 18 Aug 2011

@Walter, a quick question

You said

"I took the HelloWorld project ... removed the permissions (android.permission.INTERNET, android.permission.ACCESS_NETWORK_STATE, android.permission.READ_PHONE_STATE)..."

how did you remove the permissions? What is the recommended way to do this?

Many thanks!

mike470
User offline. Last seen 5 years 12 weeks ago. Offline
Joined: 29 Jun 2012

Supposedly you do this using apktool, although I tried it and was not successful.

The procedure is supposed to be, you take the APK file generated by Corona, decompile it using apktool, edit AndroidManifest.xml to remove those permissions and all other extraneous stuff, then rebuild the APK using apktool again, sign it using jarsigner then run it through zipalign and voila! You have a nice clean APK. Except after I do all that, and try to install the resulting file using app installer, it fails to install. No idea why.

The point is, one shouldn't have to jump through hoops to do that. Corona should allow developers to remove this stuff during the normal build process. Hell, make it a *little* obscure, make it some flag you have to enter in build settings, but make it possible.

Joshua Quick
User offline. Last seen 1 year 45 weeks ago. Offline
Staff
Joined: 31 Jan 2011

jfb, mike,

Those 3 permissions are in the AndroidManifest.xml file for a reason. We can't just simply strip them out because a lot of the existing code in Corona and its 3rd party libraries depend on these permissions. Removing them can cause crashes to occur. We already recognize that many Corona developers would like the option to have these permissions removed and it is on our to-do list, but it involves us putting many safe guards in place to prevent crashes and other unexpected behaviors from occurring.

Also, we can't provide you tech-support once you hack your APK with apktool... or with any 3rd party tool. We will only provide support for APKs built with Corona because that is what we've internally tested with, approved, and provided documentation for. Of course, you are free to do what you want with the APK but you are on your own once you've modified it... and you really *REALLY* need to know what you are doing when modifying that AndroidManifest.xml file because all of those settings are there for a reason.

mike470
User offline. Last seen 5 years 12 weeks ago. Offline
Joined: 29 Jun 2012

Ok, Joshua, can you explain

1. what "existing code in Corona or 3rd party libraries" needs Internet access if my app doesn't and launchpad is off?

2. why there are 3rd party libraries included if my app doesn't use them and didn't explicitly include them?

Omnigeek Media
User offline. Last seen 10 weeks 1 day ago. Offline
Joined: 18 Jan 2011

@mike470 you might not be making the API calls, but I can think of the following API calls that need internet permission:

network.request (and the rest of the network api)
display.loadRemoteImage
system.openURL
native.showPopUp
native.showWebPopUp
native.newWebView
native.newVideo
audio.loadStream
media.playVideo (and potentially other media calls)

and a few more I'm missing. Those are all core libraries that are built in (Not loaded by "require")

mike470
User offline. Last seen 5 years 12 weeks ago. Offline
Joined: 29 Jun 2012

Robmiracle, as I posted, if i am NOT using ANY Internet-related features like the ones you mentioned, what will removing those permissions break?

I don't like being treated like a little kid who doesn't know what's good for him. If I know that I don't need certain capabilities, allow me to turn them off! It wouldn't be a big deal if it was all fairly silent and transparent, like it is on iOS, but on Android the install announces those permissions in big friendly letters to every client, and awakes the paranoia.

Omnigeek Media
User offline. Last seen 10 weeks 1 day ago. Offline
Joined: 18 Jan 2011

You asked what was using it and I pointed out those are in the core library, not something that can be excluded.

In your case, you can edit the APK and remove them, Corona is just covering their bases and letting you know that whacking on an APK is not something they have the resources to support.

Joshua Quick
User offline. Last seen 1 year 45 weeks ago. Offline
Staff
Joined: 31 Jan 2011

Mike,

A Corona APK includes all features and 3rd party libraries that Corona has to offer, whether you use these features or not. Everything is compiled into a single binary and your Corona project files are merely assets within the APK file. With that said, we have to code Corona to assume that every app "might" use every feature. Now, we do have plenty of APIs that already have the permission safe guards in place, such as the camera API which will log/display a warning if the camera or write external storage permissions are missing. That is an example of how we are handling missing permissions the right way.

But there are plenty of areas in our code that blindly assume these 3 permissions are set, such as the APIs that Rob mentioned. Also, almost *all* of our 3rd party libraries such as InMobi, inneractive, and OpenFeint require these 3 permissions as well and may crash without them too. The resulting exception that occurs typically logs something non-intuitive. Typically an OpenGL exception even though the error has nothing to do with OpenGL... other than the fact that the error occurred on the OpenGL thread, which causes a lot of confusion for the Corona developer and our own tech-support group trying to isolate the issue. Bottom line, it can turn into a tech-support nightmare on both sides.

A good example of this, and a real tech-support issue that has happened, is the permission for our vibrate feature. If you forget to set the permission for vibrate, then your app will crash with an OpenGL exception. The error itself doesn't make any sense and makes it difficult to isolate the issue, which in the end is only a 1 line fix in the "build.settings" file. I believe Rob has had experience with this one. This is an example of a part of the code where we need to put some safe guards in place to make it easier to deal with for everyone.

mike470
User offline. Last seen 5 years 12 weeks ago. Offline
Joined: 29 Jun 2012

Joshua, I understand what you're saying - but - it would still be good to allow developers to remove stuff they KNOW they are not using from the manifest without having to go through the rigamarole of apktool. Put an enormous warning up in huge letters when they do it that if they will use these features after removing the permissions, the plagues will descend upon them and their firstborns will be taken away - but still allow it, please.

As it is today, you're forcing people to fiddle with this stuff themselves, without full knowledge of what to leave in and what to take out, causing more problems.

Joshua Quick
User offline. Last seen 1 year 45 weeks ago. Offline
Staff
Joined: 31 Jan 2011

I understand Mike. All I can say is that this is on our to-do list to be addressed later. At the moment, we have other commitments to take care of that a lot of Corona developers are counting on us to complete first.

Viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.