Strange call to content-autofill.googleapis.com during login #388
Comments
Thank you for sharing this interesting finding with us. It is very weird - to be honest - I'm expecting the Default Keyboard (which usually comes from Google) is making these requests (the domain name kind of makes sense for that as well). We only have very few libraries included in the SSO library which are either from Google itself (Android framework) or network related (sending / receiving network requests) - none of which should make a request like that. Just to be sure - what kind of emulator did you use? The default Android emulator integrated into Android Studio with an official Google ROM? Might be worth checking if the keyboard is the "Google keyboard". @stefan-niedermann Do you have an idea? Would this be possible without the Google services?
The reviewer here. As I just encountered the very same issue with another app (which didn't use ASSO) I'm just reviewing (what a coincidence – lucky it happened so soon, though not happy it happens at all), I got curious and was digging in deeper:
Connects to content-autofill.googleapis.com when tapping on an input field was dealing with the very same problem. Soren came to the conclusion this is a bug in LineageOS (see the very last post in that thread). Quote:
I'm no Android dev, so I have no idea how to work around this. There's no user-facing screen to configure Webview (at least I found none) – but as I know several apps using Webview in a customized way (like enabling ad blocking etc.), maybe there's a toggle the developer of an app can switch to say "don't you dare!"? As several apps are affected, concerned users meanwhile should add First things first, if someone has non-LineageOS devices around, it could be cross-checked if it's really just LOS-related…
Thank you very much Izzy, I see you're going pretty deep down the rabbit hole!
PS: Found the culprit! It's not Webview, but as @David-Development correctly guessed, the default keyboard. I wanted to replace that by Florisboard anyway, so I did that now – and at least with the other app the request to @penguin86 as our posts are just crossing: can you try replacing the keyboard app with e.g. Florisboard and confirm my latest findings?
Just tried with Florisboard on my LineageOS device, but still finding two content-autofill requests on the list...
Yuck. And you've made Florisboard the default keyboard? Then there must be more to it here. What about the other "strange connections" – are any of those gone at least? And just in case: can you check your Android settings whether any autofill service is configured there?
Yes, FB was the default keyboard.
Thanks Daniele – then there must be more to it. As for the other app I found this with: that was indeed just a very simple webview wrapper (I just double-checked and it is really just wrapping that website), which might make a difference here – though I cannot tell for sure.
Ok, I investigated the lead of the webview bug. Tl;dr: it is a webview bug occurring only on certain forms when the user fills the fields. I tried installing the first webview-based browser I found and I logged in to my Nextcloud instance. I see the two At this point I give up. Not sure if the problem can be fixed by changing some webview configuration or forcing the use of the classic Android webview instead of the new Chromium Webview...
OK, so I got the old Wiko Sunny 3 ready, running stock Android Go 8.1. Took me at least 10..15 minutes to get through the process (just from tapping into an input field until the keyboard shows up it took about 30s each time – no fun running apps beyond the 10 MB size limit on that low-end device, but it's the only "stock" one I have available), but I finally succeeded. Including setting up the account, logging in, granting access and opening one of the bookmarks, none of the suspicious addresses were showing up (despite the Google keyboard being involved). The only connections observed from Maps (or the Nextcloud app) were those expected: This seems to confirm the culprit is that LineageOS Webview bug. In my experience (see above) it can be possible to alleviate/mitigate it using an alternative keyboard app like Florisboard with suggestions disabled, but obviously not on all devices (as per Daniele's experience).
Note: Security Expert Mike Kuketz was having a look at it around the same time we stumbled upon the issue. As for him it was initiated by reviewing Privacy Browser, he referred to the same report I quoted above (actually, he commented there as "No Name"). Mike agrees with our conclusion that the bug must reside with Lineage's Webview implementation. I've also told Mike about Daniele's finding that only "some" form fields are affected. Maybe he'll take another look and find what attribute might trigger that, and some adjustments to the Nextcloud login form could mitigate the issue until Lineage has fixed it.
Wow @IzzySoft great! Thanks for posting the links and bug reports!
Question is whether the bug has already been reported to LineageOS and is being worked on there. I'm not sure if I will get updates on that in a timely manner to report back. I couldn't find any mention of
Thanks, I subscribed to the issue on gitlab 👍
Bug was just reported "fixed":
Thanks to all who helped identify it!
Hello, first of all, thank you for your work, this library is very convenient!
During the F-Droid review of my app, the reviewer noticed some strange calls to content-autofill.googleapis.com, even if running on an AOSP phone with no Google Services.
It seems that these calls are fired during the login process, and do not happen when selecting an already logged in account from the account chooser.
I've prepared a bare minimum project to replicate the problem, so it is more convenient for you to test.
How to reproduce
I couldn't find that string in the Android-SingleSignOn source code, so my understanding is that the call may be made by one of the libraries.
Thank you for your collaboration!
Let me know if I can help you pinpoint the problem.