Strange call to content-autofill.googleapis.com during login #388

Closed
penguin86 opened this issue Sep 26, 2021 · 15 comments

@penguin86

Hello, first of all, thank you for your work, this library is very convenient!
During the F-Droid review of my app, the reviewer noticed some strange calls to content-autofill.googleapis.com, even if running on an AOSP phone with no Google Services.
It seems that these calls are fired during the login process, and do not happen when selecting an already logged in account from the account chooser.
I've prepared a bare minimum project to replicate the problem, so it is more convenient for you to test.

How to reproduce

  • Prepare a device or emulator with Nextcloud app and PCAPDroid. In my setup, no Google services are present and the apps are both from F-Droid store.
  • Clone the project, build it, install it
  • Start PCAPDroid capture without per-app filter
  • Open the built app and log in to a new account (not one in the account chooser list)
  • When the login flow is complete the app closes saying "LOGIN SUCCESSFUL!"
  • Stop PCAPDroid capture and inspect its "Connection" tab. Along with the calls to the Nextcloud instance used, you can find two calls to content-autofill.googleapis.com

I couldn't find that string in Android-SingleSignOn source code, so my understanding is that the call may be done by one of the libraries.

Thank you for your collaboration!
Let me know if I can help you pinpoint the problem.
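
The comparison this reproduction relies on (one capture of a fresh login, one of the account-chooser path) can be done mechanically. The following is an added example, not part of the original post or of the library; the CSV column names, package names and `cloud.example.org` are constructed assumptions and not PCAPDroid's actual export format.

```python
import csv
import io

# Constructed sample captures. The columns (app, host, port) are an
# assumption for this example, not PCAPDroid's real export layout.
LOGIN_RUN = """app,host,port
com.example.ssotest,cloud.example.org,443
com.example.ssotest,content-autofill.googleapis.com,443
com.example.ssotest,content-autofill.googleapis.com,443
com.nextcloud.client,cloud.example.org,443
"""
CHOOSER_RUN = """app,host,port
com.example.ssotest,cloud.example.org,443
com.nextcloud.client,cloud.example.org,443
"""

def hosts_by_app(capture_csv):
    """Map each app to the set of normalised hostnames it connected to."""
    result = {}
    for row in csv.DictReader(io.StringIO(capture_csv)):
        host = row["host"].strip().lower().rstrip(".")
        result.setdefault(row["app"], set()).add(host)
    return result

def is_allowed(host, allowed):
    """True if host equals an allowed name or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)

def unexpected_hosts(capture_csv, allowed):
    """Per app, the contacted hosts that the allowlist does not cover."""
    flagged = {}
    for app, hosts in hosts_by_app(capture_csv).items():
        extra = sorted(h for h in hosts if not is_allowed(h, allowed))
        if extra:
            flagged[app] = extra
    return flagged

def only_in_first(first_csv, second_csv):
    """Per app, hosts seen in the first capture but not in the second."""
    first, second = hosts_by_app(first_csv), hosts_by_app(second_csv)
    diff = {a: sorted(h - second.get(a, set())) for a, h in first.items()}
    return {a: h for a, h in diff.items() if h}

if __name__ == "__main__":
    print(unexpected_hosts(LOGIN_RUN, {"example.org"}))
    print(only_in_first(LOGIN_RUN, CHOOSER_RUN))
```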

@David-Development
Member

Thank you for sharing this interesting finding with us. It is very weird - to be honest - I'm expecting the Default Keyboard (which usually comes from Google) is making these requests (the domain name kind of makes sense for that as well). We only have very few libraries included in the SSO library which are either from Google itself (android framework) or network related (sending / receiving network requests) - none of which should make a request like that. Just to be sure - what kind of emulator did you use? The default Android emulator integrated into Android Studio with an official Google ROM? Might be worth checking if the keyboard is the "google keyboard".

@stefan-niedermann Do you have an idea? Would this be possible without the google services?

@IzzySoft

The reviewer here. As I just encountered the very same issue with another app (which didn't use ASSO) I'm just reviewing (what a coincidence – lucky it happened so soon, though not happy it happens at all), I got curious and was digging in deeper:

  • Android Settings have AutoFill Service set to "none"
  • the default browser (I'm on LineageOS) has no setting for it
  • suspecting Webview, I searched the device once more and it's indeed using AndroidWebview
  • using the "search engine of my least distrust", I finally was able to pull something out of that hat:

"Connects to content-autofill.googleapis.com when tapping on an input field" was dealing with the very same problem. Soren came to the conclusion this is a bug in LineageOS (see the very last post in that thread). Quote:

Based on the information that has been provided so far, it appears that something like the following is happening:

  1. A user taps on a field on a webpage in Privacy Browser.
  2. WebView asks the Autofill service if it would like to provide autofill information.
  3. Autofill sees that the None service is selected. On standard Android, Autofill does nothing. However, on LineageOS Autofill sends a request to content-autofill.googleapis.com with X-Goog-Api-Key: dummytoken.

It is unclear why LineageOS is doing this. It is likely due to some change they have made to the OS that has this unintended consequence.

I'm no Android dev, so I have no idea how to work around this. There's no user-facing screen to configure Webview (at least I found none) – but as I know several apps using Webview in a customized way (like enabling ad blocking etc), maybe there's a toggle the developer of an app can switch to say "don't you dare!"?

As several apps are affected, concerned users meanwhile should add content-autofill.googleapis.com to their DNS filters (AdAway or whatever one is using). Another possible work-around would be registering some dummy AF-provider and enabling that, if such is possible.

First things first, if someone has non-LineageOS devices around, it could be cross-checked if it's really just LOS-related…

@penguin86
Author

Thank you very much Izzy, I see you're going pretty down in the rabbit hole!
It's not a real device, but I tried with an emulator (without Google services, of course) and I can confirm the calls to content-autofill.googleapis.com are not present.
I can also confirm I'm using Lineage on both my physical devices, this explains why I was seeing the network calls.

@IzzySoft

PS: Found the culprit! It's not Webview, but as @David-Development correctly guessed, the default keyboard. I wanted to replace that by Florisboard anyway, so I did that now – and at least with the other app the request to content-autofill.googleapis.com is gone. So were several other Google connections. I will repeat my review of Nextcloud Maps later (hopefully today, I'm just being called away from the keyboard now) and report back.

@penguin86 as our posts are just crossing: can you try replacing the keyboard app with e.g. Florisboard and confirm my latest findings?

@penguin86
Author

Just tried with Florisboard on my LineageOS device, but still finding two content-autofill requests on the list...

@IzzySoft

Yuck. And you've made Florisboard the default keyboard? Then there must be more to it here. What about the other "strange connections" – are any of those gone at least? And just in case: can you check your Android settings whether any autofill service is configured there?

@penguin86
Author

Yes, FB was the default keyboard.
Just to be sure, I re-tried, but this time I disabled the AOSP keyboard from the App menu (I cannot uninstall it because it is a system app and my device is not rooted) and connected a physical keyboard via a USB OTG adapter. The on-screen keyboard (in this case Florisboard) was set to not pop up when a USB keyboard is connected.
I confirm I still see the two content-autofill.googleapis.com calls.
As for the other strange connections pointing to Google's IPs, I couldn't reproduce it in the first instance, and they still don't appear on the list.

@IzzySoft

Thanks Daniele – then there must be more to it. As for the other app I found this with: that was indeed just a very simple webview wrapper (I just double-checked and it is really just wrapping that website), which might make a difference here – though I cannot tell for sure.

@penguin86
Author

Ok, I investigated the lead of the webview bug. Tl;dr: it is a webview bug occurring only on certain forms when the user fills the fields.

I tried installing the first webview-based browser I found and I logged in to my Nextcloud instance. I see the two content-autofill.googleapis.com calls! This tells us that it is a generic webview bug and is independent from the application. So I tried to log in to F-Droid forum and in that case I didn't find the two calls. So it seems that it doesn't happen on all forms. Very odd. I repeated the two experiments to be sure, and the results are consistent.

At this point I give up. Not sure if the problem can be fixed by changing some webview configuration or forcing the use of the classic Android webview instead of the new Chromium Webview...

@IzzySoft

OK, so I got the old Wiko Sunny 3 ready, running stock Android Go 8.1. Took me at least 10..15 minutes to get through the process (just from tapping into an input field until the keyboard shows up it took about 30s each time – no fun running apps beyond the 10 MB size limit on that low-end device, but it's the only "stock" one I have available), but I finally succeeded.

Including setting up the account, logging in, granting access and opening one of the bookmarks, none of the suspicious addresses were showing up (despite the Google keyboard being involved). The only connections observed from Maps (or the Nextcloud app) were those expected: ichibi.eu and several tile servers. No content-autofill.googleapis.com, no other Google addresses.

This seems to confirm the culprit is that LineageOS Webview bug. In my experience (see above) it can be possible to alleviate/mitigate using an alternative keyboard app like Florisboard with suggestions disabled, but obviously not on all devices (as per Daniele's experience).

@IzzySoft

Note: Security Expert Mike Kuketz was having a look at it around the same time we've stumbled upon the issue. As for him it was initiated by reviewing Privacy Browser, he referred to the same report I quoted above (actually, he commented there as "No Name"). Mike agrees with our conclusion the bug must reside with Lineage's Webview implementation.

I've also told Mike about Daniele's finding that only "some" form fields are affected. Maybe he'll take another look and find what attribute might trigger that, and some adjustments to the Nextcloud login form could mitigate the issue until Lineage has fixed it.

@tobiasKaminsky
Member

Wow @IzzySoft great!
So it seems that this is not only us, but a more generic problem.

Thanks for posting the links and bug reports!
I will close this, but once you or anyone else knows how we can circumvent this, please reply/open up an issue on server.

@IzzySoft

Question is whether the bug has already been reported to LineageOS and is being worked on there. I'm not sure if I will get updates on that in a timely manner to report back. I couldn't find any mention of content-autofill.googleapis.com in their issue tracker at GitLab, none of the webview related issues seems to match. I've opened this issue with them, so you can follow up there should you have a GitLab account (be welcome to chime in adding your details).

@tobiasKaminsky
Member

Thanks, I subscribed to the issue on GitLab 👍

@IzzySoft

IzzySoft commented Oct 5, 2021

Bug was just reported "fixed":

This should be resolved for all builds dated 20211005 and later.

Thanks to all who helped identify it!
