Okhttp: Use SSLEngine.setApplicationProtocols() and SSLSocket.getApplicationProtocol() for Android Q

First two: https://issuetracker.google.com/issues/78796431

For CloseGuard, we probably want to just delete the Android-specific overrides. We don’t particularly benefit from using CloseGuard instead of java.util.logging.Logger for configuration.

@zjupure which version of OkHttp were you running? I couldn’t find the reflective call to TrustManagerImpl;-><init> in the current source tree.

the same problem hit me

@swankjesse okhttp version in our app is 3.8.1

Strict mode now allows to have a stacktrace

StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder()
                .detectNonSdkApiUsage()
                .penaltyLog()
                .build());

06-06 19:52:56.935 8671-8671/? D/StrictMode: StrictMode policy violation: android.os.strictmode.NonSdkApiUsedViolation: Ldalvik/system/CloseGuard;->get()Ldalvik/system/CloseGuard;
        at android.os.StrictMode.lambda$static$1(StrictMode.java:428)
        at android.os.-$$Lambda$StrictMode$lu9ekkHJ2HMz0jd3F8K8MnhenxQ.accept(Unknown Source:2)
        at java.lang.Class.getDeclaredMethodInternal(Native Method)
        at java.lang.Class.getPublicMethodRecursive(Class.java:2075)
        at java.lang.Class.getMethod(Class.java:2063)
        at java.lang.Class.getMethod(Class.java:1690)
        at io.intercom.okhttp3.internal.platform.AndroidPlatform$CloseGuard.get(AndroidPlatform.java:367)
        at io.intercom.okhttp3.internal.platform.AndroidPlatform.<init>(AndroidPlatform.java:55)
        at io.intercom.okhttp3.internal.platform.AndroidPlatform.buildIfSupported(AndroidPlatform.java:257)
        at io.intercom.okhttp3.internal.platform.Platform.findPlatform(Platform.java:184)
        at io.intercom.okhttp3.internal.platform.Platform.<clinit>(Platform.java:74)
        at io.intercom.okhttp3.internal.platform.Platform.get(Platform.java:80)
        at io.intercom.okhttp3.internal.tls.CertificateChainCleaner.get(CertificateChainCleaner.java:41)
        at io.intercom.okhttp3.OkHttpClient.<init>(OkHttpClient.java:254)
        at io.intercom.okhttp3.OkHttpClient$Builder.build(OkHttpClient.java:914)
        at io.intercom.android.sdk.Injector.getNexusClient(Injector.java:153)
        at io.intercom.android.sdk.RealIntercom.create(RealIntercom.java:77)
        at io.intercom.android.sdk.Intercom.initialize(Intercom.java:68)
        at com.aproplan.aproplan.AproPlanApplication.onCreate(AproPlanApplication.java:113)
        at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1154)
        at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5858)
        at android.app.ActivityThread.access$1000(ActivityThread.java:197)
        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1634)
        at android.os.Handler.dispatchMessage(Handler.java:106)
        at android.os.Looper.loop(Looper.java:193)
        at android.app.ActivityThread.main(ActivityThread.java:6642)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)

CloseGuard: https://issuetracker.google.com/issues/111149038

Nothing actionable here for now.

Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setAlpnProtocols([B)V (light greylist, reflection)
Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->getAlpnSelectedProtocol()[B (light greylist, reflection)

I have these messages too. Google have filed an internal bug, so there will ~probably~ hopefully be public APIs in the next Android release.

There is same problem .Any solution?

D/NetworkSecurityConfig: No Network Security Config specified, using platform default
W/android.dc.dem: Accessing hidden method Ldalvik/system/CloseGuard;->get()Ldalvik/system/CloseGuard; (light greylist, reflection)
Accessing hidden method Ldalvik/system/CloseGuard;->open(Ljava/lang/String;)V (light greylist, reflection)
Accessing hidden method Ldalvik/system/CloseGuard;->warnIfOpen()V (light greylist, reflection)

This is causing my app to hang about 900ms for the first https request, even though my call is made on a background thread. Is this normal?
Is there a way to avoid the hang?

Are there any updates with ALPN methods?
Still have warnings:
Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setAlpnProtocols([B)V (light greylist, reflection)
Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->getAlpnSelectedProtocol()[B (light greylist, reflection)

Are they going to be fixed? or don't? What is their status?

Thanks!

Google "deferred this issue for consideration in a future release" at Aug 10, 2018.

I noticed the issue lately on Google Play's devices tests as part of the Beta channel Pre-launch report for a Google Pixel 2, Android 9.

StrictMode policy violation: android.os.strictmode.NonSdkApiUsedViolation: 
    Ldalvik/system/CloseGuard;->warnIfOpen()V
    at android.os.StrictMode.lambda$static$1(StrictMode.java:428)
    at android.os.-$$Lambda$StrictMode$lu9ekkHJ2HMz0jd3F8K8MnhenxQ.accept(Unknown Source:2)
    at java.lang.Class.getDeclaredMethodInternal(Native Method)
    at java.lang.Class.getPublicMethodRecursive(Class.java:2075)
    at java.lang.Class.getMethod(Class.java:2063)
    at java.lang.Class.getMethod(Class.java:1690)
    at okhttp3.internal.platform.AndroidPlatform$CloseGuard.get(AndroidPlatform.java:372)
    at okhttp3.internal.platform.AndroidPlatform.<init>(AndroidPlatform.java:58)
    at okhttp3.internal.platform.AndroidPlatform.buildIfSupported(AndroidPlatform.java:260)
    at okhttp3.internal.platform.Platform.findPlatform(Platform.java:201)
    at okhttp3.internal.platform.Platform.<clinit>(Platform.java:78)
    at okhttp3.internal.platform.Platform.get(Platform.java:84)
    at okhttp3.internal.tls.CertificateChainCleaner.get(CertificateChainCleaner.java:41)
    at okhttp3.OkHttpClient$Builder.sslSocketFactory(OkHttpClient.java:694)

From the issue:

We've added ALPN public APIs in AOSP, they should make it into a future major Android release. Thanks.

And it looks like they’re here:
https://android-review.googlesource.com/c/platform/libcore/+/813756

Google "deferred this issue for consideration in a future release" at Aug 10, 2018.

I noticed the issue lately on Google Play's devices tests as part of the Beta channel Pre-launch report for a Google Pixel 2, Android 9.

StrictMode policy violation: android.os.strictmode.NonSdkApiUsedViolation: 
    Ldalvik/system/CloseGuard;->warnIfOpen()V
  at android.os.StrictMode.lambda$static$1(StrictMode.java:428)
  at android.os.-$$Lambda$StrictMode$lu9ekkHJ2HMz0jd3F8K8MnhenxQ.accept(Unknown Source:2)
  at java.lang.Class.getDeclaredMethodInternal(Native Method)
  at java.lang.Class.getPublicMethodRecursive(Class.java:2075)
  at java.lang.Class.getMethod(Class.java:2063)
  at java.lang.Class.getMethod(Class.java:1690)
  at okhttp3.internal.platform.AndroidPlatform$CloseGuard.get(AndroidPlatform.java:372)
  at okhttp3.internal.platform.AndroidPlatform.<init>(AndroidPlatform.java:58)
  at okhttp3.internal.platform.AndroidPlatform.buildIfSupported(AndroidPlatform.java:260)
  at okhttp3.internal.platform.Platform.findPlatform(Platform.java:201)
  at okhttp3.internal.platform.Platform.<clinit>(Platform.java:78)
  at okhttp3.internal.platform.Platform.get(Platform.java:84)
  at okhttp3.internal.tls.CertificateChainCleaner.get(CertificateChainCleaner.java:41)
  at okhttp3.OkHttpClient$Builder.sslSocketFactory(OkHttpClient.java:694)

Any solution for this

I suggest we close this ticket. We can adopt this for Android Q behind a version check, but it doesn't address all grey listed methods. Specifically we can't avoid OpenSSLSocketImpl.setUseSessionTickets and setHostname.

n.b. We could make sure we are clean when users adopt either the Google Play Provider or Conscrypt. But that seems overkill and not likely to be adopted.

09-03 14:41:03.945 14214 16213 W droid.test.tes: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setUseSessionTickets(Z)V (greylist,core-platform-api, reflection, allowed)
09-03 14:41:03.950 14214 16213 W droid.test.tes: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setHostname(Ljava/lang/String;)V (greylist,core-platform-api, reflection, allowed)
09-03 14:41:03.962 14214 16213 W droid.test.tes: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->getAlpnSelectedProtocol()[B (greylist,core-platform-api, reflection, allowed)
09-03 14:41:03.967 14214 16213 W droid.test.tes: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setAlpnProtocols([B)V (greylist,core-platform-api, reflection, allowed)
09-03 14:41:04.150 14214 16213 W droid.test.tes: Accessing hidden method Ldalvik/system/CloseGuard;->get()Ldalvik/system/CloseGuard; (greylist,core-platform-api, reflection, allowed)
09-03 14:41:04.152 14214 16213 W droid.test.tes: Accessing hidden method Ldalvik/system/CloseGuard;->open(Ljava/lang/String;)V (greylist,core-platform-api, reflection, allowed)
09-03 14:41:04.156 14214 16213 W droid.test.tes: Accessing hidden method Ldalvik/system/CloseGuard;->warnIfOpen()V (greylist,core-platform-api, reflection, allowed)

I’d like to avoid reflection on Android devices that have public APIs for ALPN.

And I’d like to keep this open but in the icebox for the closeguard stuff.

Implications

• Build against JDK9 APIs - build target 1.8
• Build against Android APIs (for isCleartextTrafficPermitted)
• support two codepaths based on version we find ourselves running on. Now possible via socket adapters.
• add a test against https://www.howsmyssl.com/a/check to android-test

https://developer.android.com/reference/android/net/SSLCertificateSocketFactory

To verify hostnames, pass "HTTPS" to SSLParameters.setEndpointIdentificationAlgorithm(String). To enable ALPN, use SSLParameters.setApplicationProtocols(String[]). To enable SNI, use SSLParameters.setServerNames(java.util.List).

https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLParameters.html

• SNI defaulted on (IIUC) - delete
• ALPN (available in JDK9)
• CloseGuard - potentially run in dev builds only?

Plus calls to isCleartextTrafficPermitted variants based on Android version.

I'm mostly confused about session tickets. Need to find an API here.

thought experiment here https://github.com/square/okhttp/pull/5429/files

Builds and passes Android device unit tests

My rough plan would be to build an external module, targetted at JDK8 bytecode, but using Android (robolectric android-all JAR?) + JDK11 APIs (build JVM) with isAvailable methods etc.

package okhttp.internal.javax.net.ssl

val SSLParameters.isApplicationProtocolsAvailable: Boolean
  get() {
    // call appropriate runtime safe version checks etc 
    return true
  }

var SSLParameters.applicationProtocolsX: Array<String>
  get() {
    return this.applicationProtocols
  }
  set(protocols) {
    this.applicationProtocols = protocols
  }

Strictly use this for all future APIs, such that okhttp can build and test against JDK8, but run with optional compiled functionality against Android Q etc.

This is causing my app to hang about 900ms for the first https request, even though my call is made on a background thread. Is this normal?
Is there a way to avoid the hang?

Did anyone find a solution for this?

No short term plan if the usage of gray listed Android API is causing the delay. You should look into why there is a delay on those devices. You may want to make sure it's reported on the Google AOSP tickets, we can't fix those.

I'm working on an approach to avoid most reflection, maybe for 4.3 or 4.4. But it won't avoid all calls

https://github.com/square/okhttp/pull/5429

Specifically we will always have OpenSSLSocketImpl.setUseSessionTickets done via reflection. The CloseGuard might be something we can make optional based on build mode.

I cant believe that up until this day people who were making react-native apps were experiencing same problems on Android 9, or there are only 3 ppl worldwide who are still making react-native apps. There should be a way to bypass this issue somehow.

If you are seeing the 900ms delay can you get some stacktraces or profiling of what it’s running during this time?

It may be something we can trigger at better times (earlier before first active request) or we can avoid in other ways.

I found out that my issue with

2019-09-14 07:20:53.197 11887-11971/com.ecmsk W/com.ecmsk: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setAlpnProtocols([B)V (light greylist, reflection)
2019-09-14 07:20:53.338 11887-11971/com.ecmsk W/com.ecmsk: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->getAlpnSelectedProtocol()[B (light greylist, reflection)

errors was just a coincidence, right when I started testing my api endpoint Russian government decided to block my domain's CloudFlare proxy for no apparent reason.

Regarding the methods of OpenSSLSocketImpl (including the ones @yschimke mentions), the plan apparently is to restrict them even further for Android 11. This page list those methods, but does also list alternatives to them: https://developer.android.com/preview/non-sdk-11

So some actions might need to be done before the final release for Android 11 (planned to be Q3 2020)?

We should already be in a good spot for this. We now have clean code paths for Android, Conscrypt or the play provider.

https://github.com/square/okhttp/blob/master/okhttp/src/main/java/okhttp3/internal/platform/android/Android10SocketAdapter.kt

We can test ahead of the release and if needed introduce new version specific behaviour.

https://github.com/square/okhttp/issues/5816

@yschimke I see this issue is closed but I am still seeing these warnings. Do you have an update as to where this landed?

I cant believe that up until this day people who were making react-native apps were experiencing same problems on Android 9, or there are only 3 ppl worldwide who are still making react-native apps. There should be a way to bypass this issue somehow.

I am also trying to figure out what this can be. Using react-native 0.62.2.

This should be fixed in OkHttp 3.12.12 and 3.14.9

There is same problem .Any solution?

D/NetworkSecurityConfig: No Network Security Config specified, using platform default
W/android.dc.dem: Accessing hidden method Ldalvik/system/CloseGuard;->get()Ldalvik/system/CloseGuard; (light greylist, reflection)
Accessing hidden method Ldalvik/system/CloseGuard;->open(Ljava/lang/String;)V (light greylist, reflection)
Accessing hidden method Ldalvik/system/CloseGuard;->warnIfOpen()V (light greylist, reflection)

Same Problem

@rajnish824 that's a benign warning that you can safely ignore.

I have this problem , when I use retrofit and run app on Android 10
compileSdkVersion 30 buildToolsVersion "30.0.2"

defaultConfig {
    minSdkVersion 24
    targetSdkVersion 30

Accessing hidden method Ljava/lang/invoke/MethodHandles$Lookup;->(Ljava/lang/Class;I)V (greylist, reflection, allowed)
24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setUseSessionTickets(Z)V (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setHostname(Ljava/lang/String;)V (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->getAlpnSelectedProtocol()[B (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setAlpnProtocols([B)V (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->get()Ldalvik/system/CloseGuard; (greylist,core-platform-api, reflection, allowed)
24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->open(Ljava/lang/String;)V (greylist,core-platform-api, reflection, allowed)
24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->warnIfOpen()V (greylist,core-platform-api, reflection, allowed)
24808-24808 D/NetworkSecurityConfig: No Network Security Config specified, using platform default

I have this problem , when I use retrofit and run app on Android 10

compileSdkVersion 30
   buildToolsVersion "30.0.2"

defaultConfig {
    minSdkVersion 24
    targetSdkVersion 30

Accessing hidden method Ljava/lang/invoke/MethodHandles$Lookup;->(Ljava/lang/Class;I)V (greylist, reflection, allowed)
24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setUseSessionTickets(Z)V (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setHostname(Ljava/lang/String;)V (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->getAlpnSelectedProtocol()[B (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setAlpnProtocols([B)V (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->get()Ldalvik/system/CloseGuard; (greylist,core-platform-api, reflection, allowed)
24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->open(Ljava/lang/String;)V (greylist,core-platform-api, reflection, allowed)
24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->warnIfOpen()V (greylist,core-platform-api, reflection, allowed)
24808-24808 D/NetworkSecurityConfig: No Network Security Config specified, using platform default

am getting the same issue while using 'com.squareup.retrofit2:retrofit:2.9.0'

I have this problem , when I use retrofit and run app on Android 10

compileSdkVersion 30
   buildToolsVersion "30.0.2"

defaultConfig {
    minSdkVersion 24
    targetSdkVersion 30

Accessing hidden method Ljava/lang/invoke/MethodHandles$Lookup;->(Ljava/lang/Class;I)V (greylist, reflection, allowed)
24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setUseSessionTickets(Z)V (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setHostname(Ljava/lang/String;)V (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->getAlpnSelectedProtocol()[B (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setAlpnProtocols([B)V (greylist,core-platform-api, reflection, allowed)

24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->get()Ldalvik/system/CloseGuard; (greylist,core-platform-api, reflection, allowed)
24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->open(Ljava/lang/String;)V (greylist,core-platform-api, reflection, allowed)
24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->warnIfOpen()V (greylist,core-platform-api, reflection, allowed)
24808-24808 D/NetworkSecurityConfig: No Network Security Config specified, using platform default

am getting the same issue while using 'com.squareup.retrofit2:retrofit:2.9.0'

Those are warnings that are unavoidable, Android changes their policies over time and we build to support a wide range of Android versions. Nothing to do here.

actually it is kind of Error not warning, It doesn't work on android 10 or above.

stackoverflow.com

I have no problem with Android api 26. I think it is comes form Non SDK libs.

@Mohammad2416 are you running with 3.12.12 or 4.9.0? If not please upgrade, it does work with these versions so likely a problem or an old version.

@yschimke thank you for follow up this Issue ,

the versions which i used are here :

implementation 'com.squareup.retrofit2:retrofit:2.9.0'
implementation 'com.squareup.retrofit2:converter-gson:2.9.0'
implementation("com.squareup.okhttp3:okhttp:4.9.0")
implementation("com.squareup.okhttp3:logging-interceptor:4.9.0")

Let's continue the discussion on stackoverflow