-
Notifications
You must be signed in to change notification settings - Fork 1.2k
com.google.crypto.tink.shaded.protobuf.InvalidProtocolBufferException: Protocol message contained an invalid tag (zero). #504
Comments
Can you show me how you're calling into Tink? |
com.google.crypto.tink.shaded.protobuf.GeneratedMessageLite.parsePartialFrom (GeneratedMessageLite.java:1566) Sending the above further stack trace. Issue is reproducible only in Pixel 4a, Pixel 4 XL Pixel 4a (5G) CodeSnippet: init { private fun getOrGenerateNewKeysetHandle(): KeysetHandle { |
The root cause is in Android Keystore which has been found to be buggy. A workaround is to disable Android Keystore integration, by not specifying a master key URI:
This means Tink keys are stored in Shared Preferences unencrypted. See this comment for why this is secure enough for most users and devices. |
@thaidn Is tink working on resolving below errors? |
As per below doc, Since Android Keystore is unreliable on certain devices. Tink runs a self-test to detect such problems and disables Android Keystore accordingly, even if a master key URI is set. Let me know if latest library handles such scenarios. |
Was there any update on this issue? I'm having the same issue. |
This exception can be thrown when your app get's restored from a backup. The keystore doesn't have the keys to decrypt the EncryptedSharedPreferences. Our app has set |
@lpappalettera is new update for security from jetpack solve current issue or not? |
I have deleted the app cleared everything nothing worked, until I changed the filename: EncryptedSharedPreferences.create( This might help somebody so I am posting it. |
Nothing new on this issue? Production crashes are piling up because of this issue ... |
I did do some changes to the AndroidKeysetManager lately that should help with this error:
One cause of this error (as mentioned above) is when a backup is restored. Then, you have some encrypted data from your backup but the master-key that was stored in android keystore is not present anymore. There is no way for us to recover from this. You need to be prepared to handle this yourself. For example, by telling the user and deleting the data that can't be read anymore. We will soon make a new release of Tink, and I think also the androidx security will also soon afterwards get a new release. |
I understand you cannot recover from a backup. But someone also mentioned that even with |
There is now a new version 1.8.0 of Tink that fixes some race conditions that might have caused this. See https://github.com/tink-crypto/tink-java/releases/tag/v1.8.0 and https://developer.android.com/jetpack/androidx/releases/security. |
There is now androidx security version 1.1.0-alpha06 that uses Tink 1.8.0 by default. |
I'm closing this now. If there are any other problems, please open a new issue. |
We have been facing below exception in our production app with Tink library version 1.4.0.
Caused by:
com.google.crypto.tink.shaded.protobuf.InvalidProtocolBufferException: Protocol message contained an invalid tag (zero).
at com.google.crypto.tink.shaded.protobuf.y.C(SourceFile:10)
at com.google.crypto.tink.shaded.protobuf.y.z(SourceFile:2)
Device And OS: Google Pixel 4a, OS Level 30
Note: We are unable to reproduce this issue from our end. It is reproducible for one of the user.
Please let us know if this issue has been fixed in the latest 1.6.0 library version.
The text was updated successfully, but these errors were encountered: