home-assistant / android

:iphone: Home Assistant Companion for Android
https://companion.home-assistant.io/
Apache License 2.0
2.33k stars 650 forks

App crashes when site is flagged by "Google Safe Browsing" #3418

Open mx4k opened 1 year ago

mx4k commented 1 year ago

Home Assistant Android app version(s): 2023.1.1-full

Android version(s): 13

Device model(s): Oppo Find X5 Pro

Home Assistant version: Home Assistant 2023.3.3

Last working Home Assistant release (if known):

Description of problem, include YAML if issue is related to notifications: App crashes because the main domain of my HA is listed at "Google Safe Browsing" as malicious.

Companion App Logs: Please find the logs here: https://justpaste.it/al1di

Screenshot or video of problem:

Additional information:

dshokouhi commented 1 year ago

Please don't skip over the traceback section from the template, it's going to be very important in helping with this issue.

mx4k commented 1 year ago

My bad. I've reentered the template.

dshokouhi commented 1 year ago

Thanks, we will still need the on device logs containing the crash. As the app is crashing the logs will need to be taken from Logcat. You can use either Android Studio or an app like Logcat Reader. Both of which will require you to use USB on a computer. From there you can reproduce the crash and get the log so we can see where it is failing to correct the problem.

mx4k commented 1 year ago

Logcat output added.

dshokouhi commented 1 year ago

The logs are filtered and as a result are missing the actual traceback. If you try to search for the word "crash" you should see the actual error above or below it. You will need to find the time around when the crash occurred to better pull the actual error.

mx4k commented 1 year ago

Thanks for your patience. I've pasted the unfiltered log here https://justpaste.it/al1di

dshokouhi commented 1 year ago

Well, I don't see an actual crash in our code, but given that it's a safe browsing issue we may need to adjust

https://developer.android.com/develop/ui/views/layout/webapps/managing-webview#safe-browsing

Can you tell me what the behavior is when you launch the app? Are you presented with a pop-up or anything or does it crash as soon as you open the app?

Looking at the above docs you should get some kind of prompt.

> When an instance of WebView attempts to load a page that has been classified by Google as a known threat, the WebView by default shows an interstitial that warns users of the known threat. This screen gives users the option to load the URL anyway or return to a previous page that's safe.

A recording of what happens would also be helpful :)

mx4k commented 1 year ago

https://user-images.githubusercontent.com/8719632/224812573-ef9735df-5554-4087-a198-b56e793d379d.mp4

The splash screen appears for about a second and disappears suddenly. That's it.

By the way, I can reproduce this behavior on an Android Tablet (Xiaomi Pad 5).

dshokouhi commented 1 year ago

Looks like the crash is related to the app getting a segfault for webview; it looks like webview for some reason on this device is not handling the system-based pop-up like it should be here.

Personally speaking I am not sure if we should disable the safe browsing check or not

Segfault

```
03-13 19:59:18.510 19586 19586 F DEBUG : Process name is io.homeassistant.companion.android, not key_process
03-13 19:59:18.510 19586 19586 F DEBUG : keyProcess: 0
03-13 19:59:18.510 19586 19586 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-13 19:59:18.510 19586 19586 F DEBUG : Build fingerprint: 'OPPO/CPH2305EEA/OP52D1L1:13/SKQ1.220617.001/S.e68a0d-1-412da:user/release-keys'
03-13 19:59:18.510 19586 19586 F DEBUG : Revision: '0'
03-13 19:59:18.510 19586 19586 F DEBUG : ABI: 'arm64'
03-13 19:59:18.510 19586 19586 F DEBUG : Timestamp: 2023-03-13 19:59:18.307157237+0100
03-13 19:59:18.510 19586 19586 F DEBUG : Process uptime: 152s
03-13 19:59:18.510 19586 19586 F DEBUG : Cmdline: io.homeassistant.companion.android
03-13 19:59:18.510 19586 19586 F DEBUG : pid: 18754, tid: 18754, name: mpanion.android >>> io.homeassistant.companion.android <<<
03-13 19:59:18.510 19586 19586 F DEBUG : uid: 10311
03-13 19:59:18.510 19586 19586 F DEBUG : tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
03-13 19:59:18.510 19586 19586 F DEBUG : pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
03-13 19:59:18.510 19586 19586 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000038
03-13 19:59:18.510 19586 19586 F DEBUG : Cause: null pointer dereference
03-13 19:59:18.510 19586 19586 F DEBUG : x0 0000000000000008 x1 000000708d1908f4 x2 0000006e00197f18 x3 0000000000000010
03-13 19:59:18.510 19586 19586 F DEBUG : x4 0000007fe526cae8 x5 0000000000000001 x6 00000002002406d7 x7 3037783020343233
03-13 19:59:18.510 19586 19586 F DEBUG : x8 0000000000000001 x9 0000000000000002 x10 0000000000000001 x11 0000000000000001
03-13 19:59:18.510 19586 19586 F DEBUG : x12 ffffffffffffffff x13 000000007fffffff x14 00000000001a9fde x15 000000373b3730f8
03-13 19:59:18.510 19586 19586 F DEBUG : x16 000000708fea03c8 x17 000000718f1ca69c x18 00000071a76de000 x19 0000006e00197c30
03-13 19:59:18.510 19586 19586 F DEBUG : x20 0000006e00197f18 x21 0000006e00079b90 x22 0000000000000000 x23 0000000000000019
03-13 19:59:18.510 19586 19586 F DEBUG : x24 0000000200265100 x25 0000000200264f00 x26 0000000000000001 x27 0000000000000000
03-13 19:59:18.510 19586 19586 F DEBUG : x28 0000000200264f18 x29 0000007fe526ca60
03-13 19:59:18.510 19586 19586 F DEBUG : lr 003268f08f8a89a8 sp 0000007fe526ca30 pc 000000708f823480 pst 0000000000001000
03-13 19:59:18.510 19586 19586 F DEBUG : backtrace:
03-13 19:59:18.510 19586 19586 F DEBUG : #00 pc 000000000315c480 /data/app/~~RM_6XHUZeDFlU9tt04rRqg==/com.google.android.trichromelibrary_556305734-MzUC58pQcZp3wmWQvd2j-w==/base.apk!libmonochrome_64.so (BuildId: 38866f763b5f09ce593f8bf19b6746322404917c)
03-13 19:59:18.510 19586 19586 F DEBUG : #01 pc 00000000031e19a4 /data/app/~~RM_6XHUZeDFlU9tt04rRqg==/com.google.android.trichromelibrary_556305734-MzUC58pQcZp3wmWQvd2j-w==/base.apk!libmonochrome_64.so (BuildId: 38866f763b5f09ce593f8bf19b6746322404917c)
03-13 19:59:18.510 19586 19586 F DEBUG : #02 pc 00000000037d9400 /data/app/~~RM_6XHUZeDFlU9tt04rRqg==/com.google.android.trichromelibrary_556305734-MzUC58pQcZp3wmWQvd2j-w==/base.apk!libmonochrome_64.so (BuildId: 38866f763b5f09ce593f8bf19b6746322404917c)
03-13 19:59:18.510 19586 19586 F DEBUG : #03 pc 0000000002607f70 /data/app/~~RM_6XHUZeDFlU9tt04rRqg==/com.google.android.trichromelibrary_556305734-MzUC58pQcZp3wmWQvd2j-w==/base.apk!libmonochrome_64.so (BuildId: 38866f763b5f09ce593f8bf19b6746322404917c)
03-13 19:59:18.510 19586 19586 F DEBUG : #04 pc 0000000002609fe4 /data/app/~~RM_6XHUZeDFlU9tt04rRqg==/com.google.android.trichromelibrary_556305734-MzUC58pQcZp3wmWQvd2j-w==/base.apk!libmonochrome_64.so (BuildId: 38866f763b5f09ce593f8bf19b6746322404917c)
03-13 19:59:18.510 19586 19586 F DEBUG : #05 pc 0000000002f9e158 /data/app/~~RM_6XHUZeDFlU9tt04rRqg==/com.google.android.trichromelibrary_556305734-MzUC58pQcZp3wmWQvd2j-w==/base.apk!libmonochrome_64.so (BuildId: 38866f763b5f09ce593f8bf19b6746322404917c)
03-13 19:59:18.510 19586 19586 F DEBUG : #06 pc 0000000002f9e068 /data/app/~~RM_6XHUZeDFlU9tt04rRqg==/com.google.android.trichromelibrary_556305734-MzUC58pQcZp3wmWQvd2j-w==/base.apk!libmonochrome_64.so (BuildId: 38866f763b5f09ce593f8bf19b6746322404917c)
03-13 19:59:18.510 19586 19586 F DEBUG : #07 pc 0000000000018024 /system/lib64/libutils.so (android::Looper::pollInner(int)+1064) (BuildId: c6b04c835ef7be0565ae9fb9535f8ad7)
03-13 19:59:18.510 19586 19586 F DEBUG : #08 pc 0000000000017b98 /system/lib64/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+116) (BuildId: c6b04c835ef7be0565ae9fb9535f8ad7)
03-13 19:59:18.510 19586 19586 F DEBUG : #09 pc 00000000001655a8 /system/lib64/libandroid_runtime.so (android::android_os_MessageQueue_nativePollOnce(_JNIEnv*, _jobject*, long, int)+48) (BuildId: 28a64de95562179b107bd155314ccdfa)
03-13 19:59:18.510 19586 19586 F DEBUG : #10 pc 0000000000321504 /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (art_jni_trampoline+116)
03-13 19:59:18.510 19586 19586 F DEBUG : #11 pc 0000000000b9bfd8 /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (android.os.MessageQueue.next+312)
03-13 19:59:18.510 19586 19586 F DEBUG : #12 pc 0000000000b98328 /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (android.os.Looper.loopOnce+104)
03-13 19:59:18.510 19586 19586 F DEBUG : #13 pc 0000000000b98180 /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (android.os.Looper.loop+1232)
03-13 19:59:18.510 19586 19586 F DEBUG : #14 pc 0000000000875adc /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (android.app.ActivityThread.main+1868)
03-13 19:59:18.510 19586 19586 F DEBUG : #15 pc 0000000000434600 /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+576) (BuildId: a49c773ef6221a996ecea990e9753caa)
03-13 19:59:18.510 19586 19586 F DEBUG : #16 pc 0000000000466d34 /apex/com.android.art/lib64/libart.so (_jobject* art::InvokeMethod<(art::PointerSize)8>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1960) (BuildId: a49c773ef6221a996ecea990e9753caa)
03-13 19:59:18.510 19586 19586 F DEBUG : #17 pc 0000000000466564 /apex/com.android.art/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*) (.__uniq.165753521025965369065708152063621506277)+48) (BuildId: a49c773ef6221a996ecea990e9753caa)
03-13 19:59:18.510 19586 19586 F DEBUG : #18 pc 0000000000327148 /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (art_jni_trampoline+120)
03-13 19:59:18.510 19586 19586 F DEBUG : #19 pc 0000000000e81f10 /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+144)
03-13 19:59:18.510 19586 19586 F DEBUG : #20 pc 0000000000e8fb04 /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (com.android.internal.os.ZygoteInit.main+4564)
03-13 19:59:18.510 19586 19586 F DEBUG : #21 pc 0000000000434600 /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+576) (BuildId: a49c773ef6221a996ecea990e9753caa)
03-13 19:59:18.510 19586 19586 F DEBUG : #22 pc 000000000057e378 /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeWithVarArgs<_jmethodID*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+900) (BuildId: a49c773ef6221a996ecea990e9753caa)
03-13 19:59:18.510 19586 19586 F DEBUG : #23 pc 00000000005f1d7c /apex/com.android.art/lib64/libart.so (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+160) (BuildId: a49c773ef6221a996ecea990e9753caa)
03-13 19:59:18.510 19586 19586 F DEBUG : #24 pc 00000000000c0c04 /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+124) (BuildId: 28a64de95562179b107bd155314ccdfa)
03-13 19:59:18.510 19586 19586 F DEBUG : #25 pc 00000000000cd228 /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector const&, bool)+936) (BuildId: 28a64de95562179b107bd155314ccdfa)
03-13 19:59:18.510 19586 19586 F DEBUG : #26 pc 0000000000002610 /system/bin/app_process64 (main+1464) (BuildId: 5e37fa79553cb2dbaa68ed8f4d602775)
03-13 19:59:18.510 19586 19586 F DEBUG : #27 pc 0000000000075c7c /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+100) (BuildId: 59222d1015276d9a9031ee1ea28c0bcd)
```

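
Added example (not part of the thread or of the Home Assistant code base): a small Python triage of unfiltered logcat that pulls out the native crash dump requested above and attributes frame #00 to the package that owns the faulting library. The sample input is an abridged copy of the log in this comment plus one constructed filler line; the function names are this example's own.

```python
import re

# Constructed input: one filler line plus an abridged copy of the tombstone
# quoted in this thread, in logcat "threadtime" format.
SAMPLE_LOGCAT = """\
03-13 19:59:18.101 18754 18754 I ExampleTag: constructed filler line
03-13 19:59:18.510 19586 19586 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-13 19:59:18.510 19586 19586 F DEBUG : Cmdline: io.homeassistant.companion.android
03-13 19:59:18.510 19586 19586 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000038
03-13 19:59:18.510 19586 19586 F DEBUG : Cause: null pointer dereference
03-13 19:59:18.510 19586 19586 F DEBUG : backtrace:
03-13 19:59:18.510 19586 19586 F DEBUG : #00 pc 000000000315c480 /data/app/~~RM_6XHUZeDFlU9tt04rRqg==/com.google.android.trichromelibrary_556305734-MzUC58pQcZp3wmWQvd2j-w==/base.apk!libmonochrome_64.so (BuildId: 38866f763b5f09ce593f8bf19b6746322404917c)
03-13 19:59:18.510 19586 19586 F DEBUG : #07 pc 0000000000018024 /system/lib64/libutils.so (android::Looper::pollInner(int)+1064) (BuildId: c6b04c835ef7be0565ae9fb9535f8ad7)
"""

# Native crash dumps are logged at fatal priority under the DEBUG tag.
LINE = re.compile(r"^\S+ \S+\s+\d+\s+\d+\s+F\s+DEBUG\s*: ?(.*)$")
SIGNAL = re.compile(r"signal \d+ \((\w+)\), code -?\d+ \((\w+)\), fault addr (\S+)")
FRAME = re.compile(r"#(\d+) pc [0-9a-f]+\s+(\S+)")
APP_DIR = re.compile(r"^/data/app/[^/]*/([A-Za-z0-9_.]+?)(?:_\d+)?-[^/]*/")

def owner(path):
    """Package that owns a mapped file, or 'system' for platform paths."""
    m = APP_DIR.match(path)
    return m.group(1) if m else "system"

def parse_tombstones(text):
    """Return one dict per native crash dump found in unfiltered logcat."""
    crashes, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("*** ***"):  # separator line opens a new dump
            cur = {"cmdline": None, "signal": None, "cause": None, "frames": []}
            crashes.append(cur)
        elif cur is None:
            continue
        elif body.startswith(("Cmdline:", "Cause:")):
            key, value = body.split(":", 1)
            cur[key.lower()] = value.strip()
        elif s := SIGNAL.search(body):
            cur["signal"] = {"name": s[1], "code": s[2], "addr": s[3]}
        elif f := FRAME.match(body):
            cur["frames"].append((int(f[1]), owner(f[2]), re.split(r"[/!]", f[2])[-1]))
    return crashes

def faulting_owner(crash):
    """Owner of frame #00, the code executing when the signal was raised."""
    return crash["frames"][0][1] if crash["frames"] else None

if __name__ == "__main__":
    print([(c["cmdline"], c["cause"], faulting_owner(c)) for c in parse_tombstones(SAMPLE_LOGCAT)])
```

On the sample, frame #00 resolves to `com.google.android.trichromelibrary` rather than to the app's own package, which matches the reading in this comment that the fault is inside WebView and not in the app's code.
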
mx4k commented 1 year ago

I've tested the behavior on three different devices now. It's always the same. There is no prompt.

Usually you aren't connected to an HA instance that doesn't belong to you. So maybe Safe Browsing doesn't make a lot of sense in this case?

jpelgrom commented 1 year ago

Which version of the Android System WebView are your devices using (check in Settings > Apps)?

Can you login + register without the app crashing? You'll have to delete all data for the app to test this if the issue started appearing after setting up the app in the past.

> Usually you aren't connected to an HA instance that doesn't belong to you. So maybe Safe Browsing doesn't make a lot of sense in this case?

This is a slippery slope to disabling all security features "because it's your server". The app should promote safe defaults.

mx4k commented 1 year ago

Android System WebView 111.0.5563.57.

After deleting the data of the app I see the frightening red Google Safe Browsing prompt. I can login after skipping it. But later the old behavior seems to appear again.

jpelgrom commented 1 year ago

Trying to replicate this using test pages from https://testsafebrowsing.appspot.com/ and loading them using Chrome remote dev tools, but no crashes so far :(.

Loic691 commented 1 year ago

Same issue for me! Maybe another piece of information: the HA companion app service seems to be working, because the GPS position and all other information from the Android device is sent and refreshed to HA. It seems only the launching of the HA app and the app frontend is broken, with the SSL phishing Google warning.

jpelgrom commented 1 year ago

Tried replicating this again, but this time by loading the test url here, still no crash :(

https://github.com/home-assistant/android/blob/64ee62b8fa5c615b8fc45e6c237b34b6d89389ea/app/src/main/java/io/homeassistant/companion/android/webview/WebViewActivity.kt#L1125

The only somewhat relevant issue I can find is related to HTTP basic authentication changes in WebView 110, which seems unlikely to be the cause here.

vodkaredenvelope commented 1 year ago

Just wanted to add my voice to this and +1 the issue.

Android WebView: 114.0.5735.147

HA Android App: 2023.6.0 full

Utilise DuckDNS + LetsEncrypt SSL

As of July 1 2023 the same issue occurs for me. I go to the HA Companion app. I am already fully logged in, but as soon as I try and click anything in the app the app crashes. The first time this occurred a pop up from the Android OS appeared and I think it said something like "WebView doesn't work with this app do you want to stop WebView" or something similar.

If I go to my DuckDNS website in my browser I get the Google SSL red warning. I can click through and say disregard and the HA Dashboard loads perfectly fine and is usable in the browser. Just not the app.

I have another Android mobile and Tablet and both have this same issue. As of 1 day ago.

If you need logs please give me some instructions so I can find what you need and I can post it back here.

vodkaredenvelope commented 1 year ago

I submitted my DuckDNS site to Google Search so that they would hopefully white list it to remove the red unsafe warning screen. This thankfully worked and I can now use the Android app without issues. But I think this still needs to be more robustly fixed.

FYI here is the pop up that first appeared when I opened the app the very first time the crash happened. Even after uninstalling this WebView service the issues with the HA app still occurred.

Krewwell commented 1 year ago

I try to describe my problem which seems to be the same as yours. The app was working fine but after updating the certificates it stopped working. I also use duckdns.org, web access works fine (after deleting the cache to update the certificate) but the app crashes after the "Google Safe Browser" warning. I tried to delete the cache of both the App Companion and WebView but the app crashes immediately after showing the dashboard. I hope someone can find the solution to this problem :(

Jorcoo commented 1 year ago

> I try to describe my problem which seems to be the same as yours. The app was working fine but after updating the certificates it stopped working. I also use duckdns.org, web access works fine (after deleting the cache to update the certificate) but the app crashes after the "Google Safe Browser" warning. I tried to delete the cache of both the App Companion and WebView but the app crashes immediately after showing the dashboard. I hope someone can find the solution to this problem :(

Unfortunately they don't create a workaround for the Android app/devices while this is a common problem.

The only thing you can do is to whitelist the domain with a Google request. In my experience they review the request quite fast.

Cantabron commented 11 months ago

> I submitted my DuckDNS site to Google Search so that they would hopefully white list it to remove the red unsafe warning screen. This thankfully worked and I can now use the Android app without issues. But I think this still needs to be more robustly fixed.
>
> FYI here is the pop up that first appeared when I opened the app the very first time the crash happened. Even after uninstalling this WebView service the issues with the HA app still occurred.

Can you describe step by step how to "submit my DuckDNS site to Google Search"? I tried to verify property in the Search Console, but none of the options seems suitable for Duckdns:

  1. Upload an HTML file to my site
  2. HTML label
  3. Google Analytics (inserting analytics.js or [gtag.js])
  4. Tag Manager
  5. Linking a DNS register to Google: Copying a Google-provided TXT into DNS configuration

As I am not the "real owner" of the site, I can't use any of these methods. Is there any other way?

Thanks in advance!

Krewwell commented 11 months ago

@Cantabron If you have a domain like xxxx.duckdns.org, you can verify using a TXT record and then update your xxxx.duckdns.org as described in https://github.com/home-assistant/home-assistant.io/issues/17509#issuecomment-822000734. So, go to Google Search Console, get your DNS TXT record and then update your duckdns.