search

android / privacy-sandbox-samples

Apache License 2.0
130 stars 52 forks source link

Attribution API fails on MeasurementSampleApp - Caller is not authorized #75

Closed davidae closed 1 year ago

davidae commented 1 year ago

This is the same issue as described in #56. It fails in my app, but the same error also appears in the Measurement Sample App (in this repo) - which are the error logs described below

Android Studio Version: Hedgehog | 2023.1.1 Canary 10

On fresh 'main' branch using the following commands

avdmanager create avd --name measurement --package "system-images;android-TiramisuPrivacySandbox;google_apis_playstore;x86_64" --device "Nexus 5" --sdcard 512M --force

Setting up the device with the following adservices shell commands

adb shell settings put global development_settings_enabled 1
adb shell device_config put adservices fledge_js_isolate_enforce_max_heap_size false
adb shell device_config put adservices disable_fledge_enrollment_check true
adb shell setprop debug.adservices.disable_fledge_enrollment_check true
adb shell device_config put adservices adservice_system_service_enabled true
adb shell device_config put adservices disable_sdk_sandbox false
adb shell device_config put adservices adservice_enabled true
adb shell device_config put adservices global_kill_switch false
adb shell device_config put adservices ppapi_app_allow_list \"*\"
adb shell device_config put adservices adid_kill_switch false
adb shell device_config put adservices measurement_kill_switch false
adb shell device_config put adservices adservice_enable_status true
adb shell device_config put adservices fledge_custom_audience_service_kill_switch false
adb shell device_config put adservices fledge_select_ads_kill_switch false
adb shell device_config put adservices ppapi_app_signature_allow_list \"*\"
adb shell am start -n com.google.android.adservices.api/com.android.adservices.ui.settings.activities.AdServicesSettingsMainActivity

I get the following error and log snippets when try to register a source attribution via "Register Click Event"

2023-07-11 14:46:19.051  4790-4790  adservices              com.example.measurement.sampleapp    D  registerSource
2023-07-11 14:46:19.102  3242-6123  adservices              com.google.android.adservices.api    E  Failed to find resolveInfo for adServices service. Intent action: android.adservices.adid.AdIdProviderService
2023-07-11 14:46:19.102  3242-6123  adservices              com.google.android.adservices.api    E  Failed to find AdServices service
2023-07-11 14:46:19.103  4790-4790  Compatibil...geReporter com.example.measurement.sampleapp    D  Compat change id reported: 147798919; UID 10159; state: ENABLED
2023-07-11 14:46:19.188  3242-6127  adservices              com.google.android.adservices.api    E  Caller is not authorized.
2023-07-11 14:46:19.353  4790-4850  EGL_emulation           com.example.measurement.sampleapp    D  app_time_stats: avg=2072.12ms min=12.43ms max=14188.60ms count=7
2023-07-11 14:46:20.131  1055-1055  CarrierSvcBindHelper    com.android.phone                    D  onPackageModified: com.google.android.adservices.api
2023-07-11 14:46:20.140  1055-1055  ImsResolver             com.android.phone                    D  maybeAddedImsService, packageName: com.google.android.adservices.api
2023-07-11 14:46:24.730   570-596   SystemServerTimingAsync system_server                        D  ssm.onUnlockedUser-0_com.android.server.adservices.AdServicesManagerService$Lifecycle
2023-07-11 14:46:29.747   570-7267  SystemServerTimingAsync system_server                        D  ssm.onCompletedEventUser-0_{|Unlocked|}_com.android.server.adservices.AdServicesManagerService$Lifecycle
2023-07-11 14:46:29.792   570-629   SettingsTo...tiesMapper system_server                        E  adservices/disable_sdk_sandbox,adservices/enforce_broadcast_receiver_restrictions,adservices/fledge_ad_selection_enforce_foreground_status_custom_audience,adservices/fledge_custom_audience_max_count,adservices/fledge_custom_audience_max_num_ads,adservices/fledge_custom_audience_max_owner_count,adservices/fledge_custom_audience_per_app_max_count,adservices/fledge_js_isolate_enforce_max_heap_size,adservices/fledge_js_isolate_max_heap_size_bytes,adservices/sdk_request_permits_per_second,adservices/sdksandbox_customized_sdk_context_enabled,configuration/namespace_to_package_mapping,constrain_display_apis/always_constrain_display_apis,constrain_display_apis/never_constrain_display_apis,constrain_display_apis/never_constrain_display_apis_all_packages,device_policy_manager/disable_resources_updatability,flipendo/default_savings_mode_launch,flipendo/essential_apps,flipendo/flipendo_enabled_launch,flipendo/grayscale_enabled_launch,flipendo/lever_ble_scanning_enabled_launch,flipendo/lever_hotspot_enabled_launch,flipendo/lever_work_profile_enabled_launch,flipendo/resuspend_delay_minutes,namespace/key,namespace1/key1,namespace1/key2,namespace2/key1,namespace2/key2,package_manager_service/incfs_default_timeouts,package_manager_service/known_digesters_list,privacy/location_access_check_periodic_interval_millis,rollback/enable_rollback_timeout,rollback/watchdog_explicit_health_check_enabled,rollback/watchdog_request_timeout_millis,rollback/watchdog_trigger_failure_count,rollback/watchdog_trigger_failure_duration_millis,rollback_boot/rollback_lifetime_in_millis,systemui/nas_generate_actions,systemui/nas_generate_replies,systemui/nas_max_messages_to_extract,systemui/nas_max_suggestions,testspace/another,testspace/flagname,textclassifier/config_updater_model_enabled,textclassifier/key,textclassifier/key2,textclassifier/manifest_url_annotator_en,textclassifier/manifest_url_annotator_ru,textclassifier/model_download_backoff_delay_in_millis,textclassifier/model_download_manager_enabled,textclassifier/multi_language_support_enabled,textclassifier/testing_locale_list_override,textclassifier/textclassifier_service_package_override,window_manager/enable_default_rescind_bal_privileges_from_pending_intent_sender,wrong/nas_generate_replies, exceeds system property max length.
2023-07-11 14:46:29.806   570-1660  RescueParty             system_server                        I  Starting to observe: [com.google.android.adservices.api, android], updated namespace: adservices
2023-07-11 14:46:29.806   570-595   PackageWatchdog         system_server                        D  rescue-party-observer added the following packages to monitor [com.google.android.adservices.api, android]
2023-07-11 14:46:29.808   570-570   PackageWatchdog         system_server                        I  Syncing health check requests for packages: {com.google.android.adservices.api}
2023-07-11 14:46:29.815   570-570   PackageWatchdog         system_server                        I  Syncing health check requests for packages: {com.google.android.adservices.api}
2023-07-11 14:46:29.818   570-1660  PackageWatchdog         system_server                        I  Updated health check state for package com.google.android.adservices.api: INACTIVE -> PASSED
2023-07-11 14:46:29.841  3242-4338  Compatibil...geReporter com.google.android.adservices.api    D  Compat change id reported: 150939131; UID 10145; state: ENABLED

On fresh 'dev-preview-main' branch using the following commands

avdmanager create avd --name measurementUpsideDown --package "system-images;android-UpsideDownCakePrivacySandbox;google_apis_playstore;x86_64" --device "Nexus 5" --sdcard 512M --force

Setting up the device with the following adservices shell commands

adb shell settings put global development_settings_enabled 1
adb shell device_config put adservices fledge_js_isolate_enforce_max_heap_size false
adb shell device_config put adservices disable_fledge_enrollment_check true
adb shell setprop debug.adservices.disable_fledge_enrollment_check true
adb shell device_config put adservices adservice_system_service_enabled true
adb shell device_config put adservices disable_sdk_sandbox false
adb shell device_config put adservices adservice_enabled true
adb shell device_config put adservices global_kill_switch false
adb shell device_config put adservices ppapi_app_allow_list \"*\"
adb shell device_config put adservices adid_kill_switch false
adb shell device_config put adservices measurement_kill_switch false
adb shell device_config put adservices adservice_enable_status true
adb shell device_config put adservices fledge_custom_audience_service_kill_switch false
adb shell device_config put adservices fledge_select_ads_kill_switch false
adb shell device_config put adservices ppapi_app_signature_allow_list \"*\"
adb shell am start -n com.google.android.adservices.api/com.android.adservices.ui.settings.activities.AdServicesSettingsMainActivity

I get the following error and log snippets when try to register a source attribution via "Register Click Event"

2023-07-11 14:52:28.350  6455-6455  adservices              com.example.measurement.sampleapp    D  registerSource
2023-07-11 14:52:28.643  6455-6455  Compatibil...geReporter com.example.measurement.sampleapp    D  Compat change id reported: 147798919; UID 10172; state: ENABLED
2023-07-11 14:52:28.813  4436-6560  adservices              com.google.android.adservices.api    E  Caller is not authorized.
2023-07-11 14:52:29.219  6455-6488  EGL_emulation           com.example.measurement.sampleapp    D  app_time_stats: avg=538.94ms min=16.90ms max=3171.52ms count=8
2023-07-11 14:52:29.634  1039-1039  CarrierSvcBindHelper    com.android.phone                    D  onPackageModified: com.google.android.adservices.api
2023-07-11 14:52:30.034  1039-1039  ImsResolver             com.android.phone                    D  maybeAddedImsService, packageName: com.google.android.adservices.api
2023-07-11 14:52:30.827  1666-1666  AiAiEcho                com.google.android.as                I  AppFetcherImpl onPackageChanged com.google.android.adservices.api.
2023-07-11 14:52:30.884  1666-3921  AiAiEcho                com.google.android.as                I  AppIndexer Package:[com.google.android.adservices.api] UserProfile:[0] Enabled:[true].
2023-07-11 14:52:30.884  1666-3921  AiAiEcho                com.google.android.as                I  AppFetcherImplV2 updateApps package:[com.google.android.adservices.api], userId:[0], reason:[package is updated.].
2023-07-11 14:52:44.178   481-544   SettingsTo...tiesMapper system_server                        E  key=persist.device_config.configuration.AdbWritableFlags__adb_writable_flags_list value=adservices/disable_sdk_sandbox,adservices/enforce_broadcast_receiver_restrictions,adservices/fledge_ad_selection_enforce_foreground_status_custom_audience,adservices/fledge_custom_audience_max_count,adservices/fledge_custom_audience_max_num_ads,adservices/fledge_custom_audience_max_owner_count,adservices/fledge_custom_audience_per_app_max_count,adservices/fledge_js_isolate_enforce_max_heap_size,adservices/fledge_js_isolate_max_heap_size_bytes,adservices/sdk_request_permits_per_second,adservices/sdksandbox_customized_sdk_context_enabled,configuration/namespace_to_package_mapping,constrain_display_apis/always_constrain_display_apis,constrain_display_apis/never_constrain_display_apis,constrain_display_apis/never_constrain_display_apis_all_packages,device_policy_manager/disable_resources_updatability,flipendo/default_savings_mode_launch,flipendo/essential_apps,flipendo/flipendo_enabled_launch,flipendo/grayscale_enabled_launch,flipendo/lever_ble_scanning_enabled_launch,flipendo/lever_hotspot_enabled_launch,flipendo/lever_work_profile_enabled_launch,flipendo/resuspend_delay_minutes,namespace/key,namespace1/key1,namespace1/key2,namespace2/key1,namespace2/key2,package_manager_service/incfs_default_timeouts,package_manager_service/known_digesters_list,privacy/location_access_check_periodic_interval_millis,rollback/enable_rollback_timeout,rollback/watchdog_explicit_health_check_enabled,rollback/watchdog_request_timeout_millis,rollback/watchdog_trigger_failure_count,rollback/watchdog_trigger_failure_duration_millis,rollback_boot/rollback_lifetime_in_millis,systemui/nas_generate_actions,systemui/nas_generate_replies,systemui/nas_max_messages_to_extract,systemui/nas_max_suggestions,testspace/another,testspace/flagname,textclassifier/config_updater_model_enabled,textclassifier/key,textclassifier/key2,textclassifier/manifest_url_annotator_en,textclassifier/manifest_url_annotator_ru,textclassifier/model_download_backoff_delay_in_millis,textclassifier/model_download_manager_enabled,textclassifier/multi_language_support_enabled,textclassifier/testing_locale_list_override,textclassifier/textclassifier_service_package_override,window_manager/enable_default_rescind_bal_privileges_from_pending_intent_sender,wrong/nas_generate_replies, exceeds system property max length.
2023-07-11 14:52:44.390   481-570   RescueParty             system_server                        I  Starting to observe: [com.google.android.adservices.api, android, com.android.systemui], updated namespace: adservices
2023-07-11 14:52:44.528   481-508   PackageWatchdog         system_server                        D  rescue-party-observer added the following packages to monitor [com.google.android.adservices.api, android, com.android.systemui]
2023-07-11 14:52:44.597   481-481   PackageWatchdog         system_server                        I  Syncing health check requests for packages: {com.google.android.adservices.api}
2023-07-11 14:52:44.628   481-481   PackageWatchdog         system_server                        I  Syncing health check requests for packages: {com.google.android.adservices.api}
2023-07-11 14:52:44.637   481-494   PackageWatchdog         system_server                        I  Updated health check state for package com.google.android.adservices.api: INACTIVE -> PASSED
2023-07-11 14:52:48.447   481-544   SettingsTo...tiesMapper system_server                        E  key=persist.device_config.configuration.AdbWritableFlags__adb_writable_flags_list value=adservices/disable_sdk_sandbox,adservices/enforce_broadcast_receiver_restrictions,adservices/fledge_ad_selection_enforce_foreground_status_custom_audience,adservices/fledge_custom_audience_max_count,adservices/fledge_custom_audience_max_num_ads,adservices/fledge_custom_audience_max_owner_count,adservices/fledge_custom_audience_per_app_max_count,adservices/fledge_js_isolate_enforce_max_heap_size,adservices/fledge_js_isolate_max_heap_size_bytes,adservices/sdk_request_permits_per_second,adservices/sdksandbox_customized_sdk_context_enabled,configuration/namespace_to_package_mapping,constrain_display_apis/always_constrain_display_apis,constrain_display_apis/never_constrain_display_apis,constrain_display_apis/never_constrain_display_apis_all_packages,device_policy_manager/disable_resources_updatability,flipendo/default_savings_mode_launch,flipendo/essential_apps,flipendo/flipendo_enabled_launch,flipendo/grayscale_enabled_launch,flipendo/lever_ble_scanning_enabled_launch,flipendo/lever_hotspot_enabled_launch,flipendo/lever_work_profile_enabled_launch,flipendo/resuspend_delay_minutes,namespace/key,namespace1/key1,namespace1/key2,namespace2/key1,namespace2/key2,package_manager_service/incfs_default_timeouts,package_manager_service/known_digesters_list,privacy/location_access_check_periodic_interval_millis,rollback/enable_rollback_timeout,rollback/watchdog_explicit_health_check_enabled,rollback/watchdog_request_timeout_millis,rollback/watchdog_trigger_failure_count,rollback/watchdog_trigger_failure_duration_millis,rollback_boot/rollback_lifetime_in_millis,systemui/nas_generate_actions,systemui/nas_generate_replies,systemui/nas_max_messages_to_extract,systemui/nas_max_suggestions,testspace/another,testspace/flagname,textclassifier/config_updater_model_enabled,textclassifier/key,textclassifier/key2,textclassifier/manifest_url_annotator_en,textclassifier/manifest_url_annotator_ru,textclassifier/model_download_backoff_delay_in_millis,textclassifier/model_download_manager_enabled,textclassifier/multi_language_support_enabled,textclassifier/testing_locale_list_override,textclassifier/textclassifier_service_package_override,window_manager/enable_default_rescind_bal_privileges_from_pending_intent_sender,wrong/nas_generate_replies, exceeds system property max length.
yuvalcar commented 1 year ago

Hey, We're experiencing the same regression issue (worked in the past with API v34 and Canary 7).

Logs we're seeing (for the sample measurement app, which has the right permissions in the manifest file) - 

com.example.measurement.sampleapp    D  registerSource
com.google.android.adservices.api    E  Unauthorized caller. Caller is not allowed.
com.example.measurement.sampleapp    W  To enable debug api, include ACCESS_ADSERVICES_AD_ID permission and enable advertising ID under device settings
com.google.android.adservices.api    E  Package com.example.measurement.sampleapp is not allowed to call the API.

I'm using:

erintwalsh commented 1 year ago

Hi @davidae and @yuvalcar,

Are you using a Developer Preview or Beta version of the Privacy Sandbox? If you could provide the build number in Settings > About Phone > Build Number, that would be helpful!

Sometimes the device config pulls updates and settings can get reset. Even though you listed these values earlier, to eliminate possible variables I'd start by verifying that your app package name (or *) is in the allowlist with adb shell device_config get adservices ppapi_app_allow_list and adb shell device_config get adservices ppapi_app_signature_allow_list

If the allowlists look correct, I would go through the enrollment process again, including downloading the enrollment file on your device.

If those two steps don't help, I would double check your enrollment information and make sure the URLs are correct and enrolled. One possible cause of this error is the app using a URL like "example.com/source" when the enrolled URL is "example.com/register_source"

To help with testing, you can disable config updates on your device by running adb shell device_config set_sync_disabled_for_tests persistent. To re-enable them, there is adb shell device_config set_sync_disabled_for_tests none

davidae commented 1 year ago

Hi @erintwalsh, thank you for the tips. But, unfortunately, the problem remains the same.

Are you using a Developer Preview or Beta version of the Privacy Sandbox?

The build number on the emulated device is URA8.230510.004.

To help with testing, you can disable config updates on your device by running adb shell device_config set_sync_disabled_for_tests persistent.

Thank you for sharing this command. adb shell device_config get adservices ppapi_app_allow_list and adb shell device_config get adservices ppapi_app_signature_allow_list now remains with the * value for the whole life-time of the emulated device.

I would double check your enrollment information and make sure the URLs are correct and enrolled.

Done this

If the allowlists look correct, I would go through the enrollment process again, including downloading the enrollment file on your device.

Done this. But a question here too, with the new enrollment form and process, I was informed this would no longer be required, is this correct?

typerat commented 1 year ago

Hi @erintwalsh, I've followed the guide using Hedgehog | 2023.1.1 Canary 15 and got the same results. Is there anything else we can try?

erintwalsh commented 1 year ago

Hi @davidae and @typerat, is there a chance you're starting adb directly instead of using bash or other shells? If that's the case, try not escaping the quotes: 

adb shell device_config put adservices ppapi_app_allow_list "\*"
adb shell device_config put adservices ppapi_app_signature_allow_list "\*"

"Caller is not allowed" indicates an issue with the allowlist, so if those values are correct we need to dig deeper into the error. Is it possible to reproduce and attach a full bugreport? (You can do so by running adb bugreport).

If you have contacts at Google, if you ask them to put us in touch, I'd be happy to setup a video call to live debug.

erintwalsh commented 1 year ago

Also, if you're using the com.example.measurement.sampleapp package name, that is included in the allowlist by default

typerat commented 1 year ago

Thanks @erintwalsh for the live debugging session. As discussed, the issue has to do with our enrollment and not with the app.