Signal-android: Auto-updating APK crashes Signal

• [x] I have searched open and closed issues for duplicates
• [x] I am submitting a bug report for existing functionality that does not work as intended
• [x] I have read https://github.com/signalapp/Signal-Android/wiki/Submitting-useful-bug-reports
• [x] This isn't a feature request or a discussion topic

Bug description

Legacy issue: #7189 (related: #6740)

Auto-update routine crashes Signal. This is reproducible every time when auto-update is triggered (ca. 6h interval).

Steps to reproduce

• Install Signal from the signal.org/android/apk/ (in my case this is Signal-website-release-4.15.5.apk)
• Wait for the next release/update (e.g. Signal-website-release-4.17.5.apk) check also https://updates.signal.org/android/latest.json
• autoupdate fails i.e. there's no notification for the new release, since
  signal crashes right after automatic download - the file is located at file:///storage/emulated/0/Android/data/org.thoughtcrime.securesms/files/signal-update.apk)

Actual result: Signal crashes
Expected result: notification about the update shows up without signal crash

NOTICE:
imo, the relevant part of debug log:
a) first crash:

--------- beginning of crash
04-05 23:01:42.612  6618  6618 E AndroidRuntime: FATAL EXCEPTION: main
04-05 23:01:42.612  6618  6618 E AndroidRuntime: Process: org.thoughtcrime.securesms, PID: 6618
04-05 23:01:42.612  6618  6618 E AndroidRuntime: java.lang.RuntimeException: Unable to start receiver org.thoughtcrime.securesms.service.UpdateApkReadyListener: android.os.FileUriExposedException: file:///storage/emulated/0/Android/data/org.thoughtcrime.securesms/files/signal-update.apk exposed beyond app through Intent.getData()

b) second crash:

04-06 06:23:42.460  9368  9388 W UpdateApkJob: Got descriptor: [350, 4.17.5, https://updates.signal.org/android/Signal-website-release-4.17.5.apk]
04-06 06:23:42.621  9368  9388 W UpdateApkJob: Download status: COMPLETE
04-06 06:23:42.621  9368  9388 W UpdateApkJob: Download status complete, notifying...
04-06 06:23:42.622  9368  9388 W UpdateApkReadyListener: onReceive()
04-06 06:23:42.757  9368  9388 W JobConsumer:
04-06 06:23:42.757  9368  9388 W JobConsumer: android.os.FileUriExposedException: file:///storage/emulated/0/Android/data/org.thoughtcrime.securesms/files/signal-update.apk exposed beyond app through Intent.getData()

Now 'targetSdkVersion' is 25, introduced with Increase targetSdkVersion to 25 (November 27, 2017, Signal v4.13.7)

According to stackoverflow android.os.FileUriExposedException: ... exposed beyond app through Intent.getData():

If your targetSdkVersion >= 24, then we have to use FileProvider class to give access to the particular file or folder to make them accessible for other apps.

but UpdateApkReadyListener.java#L90 uses still "fromFile":

        if (localUri != null) {
          File   localFile = new File(Uri.parse(localUri).getPath());
          return Uri.fromFile(localFile);
}

this should probably be adapted with FileProvider

Screenshots

not relevant

Device info

Device: LG Nexus 5X
Android version: 7.1.2 (LineageOS 14.1)
Signal version: Signal-website-release-4.15.5.apk

Link to debug log

https://gist.github.com/p4nci/d94ebcf898869da3325555cdfb629666