[stealth 09/11] Add stealth Android manifest filtering

.github/workflows/build-android.yml

@@ -148,6 +148,9 @@ jobs:
         env:
           GOMOBILECACHE: ${{ env.GOMOBILECACHE }}
 
+      - name: Run stealth manifest filter tests
+        run: make stealth-manifest-filter-test
+
       - name: Build Android (APK + AAB)
         run: make android-release-ci
         env:

Makefile

@@ -114,6 +114,7 @@ ANDROID_STEALTH_NOVPN_APK := $(INSTALLER_NAME)$(if $(filter-out production,$(BUI
 ANDROID_STEALTH_NOVPN_AAB := $(INSTALLER_NAME)$(if $(filter-out production,$(BUILD_TYPE)),-$(BUILD_TYPE))-stealth-novpn.aab
 ANDROID_MAPPING_SRC := build/app/outputs/mapping/release/mapping.txt
 ANDROID_SYMBOLS_SRC := build/app/outputs/native-debug-symbols/release/native-debug-symbols.zip
+PYTHON ?= python3
 ANDROID_NDK_VERSION          ?= 28.2.13676358
 ANDROID_CMAKE_VERSION        ?= 3.22.1
 ANDROID_BUILD_TOOLS_VERSION  ?= 35.0.0
@@ -551,6 +552,10 @@ android-release: clean android pubget gen android-apk-release
 .PHONY: android-release-ci
 android-release-ci: android pubget gen android-apk-release android-aab-release
 
+.PHONY: stealth-manifest-filter-test
+stealth-manifest-filter-test:
+	$(PYTHON) -m unittest discover -s scripts/stealth -p '*_test.py'
+
 # iOS Build
 .PHONY: install-ios-deps
 

android/app/build.gradle

@@ -15,7 +15,30 @@ def hasReleaseKeystore =
 def start = new Date(2015, 1, 1).getTime()
 def now = System.currentTimeMillis()
 def code = (int)((now - start) / 1000)
-def stealthNoVpn = project.findProperty("stealthNoVpn")?.toString()?.toBoolean() ?: false
+def rawStealthMode = (project.findProperty("STEALTH_MODE") ?: "").toString()
+rawStealthMode = rawStealthMode.trim().toLowerCase(java.util.Locale.ROOT)
+def stealthModePrefix = "stealth-"
+def stealthMode = rawStealthMode.startsWith(stealthModePrefix)
+        ? rawStealthMode.substring(stealthModePrefix.length())
+        : rawStealthMode
+if (rawStealthMode.startsWith(stealthModePrefix) && !stealthMode) {
+    throw new GradleException("Unsupported STEALTH_MODE '${rawStealthMode}'. Expected stealth-vpn or stealth-novpn")
+}
+def explicitStealthNoVpn = project.findProperty("stealthNoVpn")?.toString()?.toBoolean() ?: false
+if (stealthMode == "vpn" && explicitStealthNoVpn) {
+    throw new GradleException("Conflicting stealth inputs: STEALTH_MODE=vpn cannot be combined with -PstealthNoVpn=true")
+}
+if (!stealthMode && explicitStealthNoVpn) {
+    stealthMode = "novpn"
+}
+def stealthModes = ["vpn", "novpn"]
+if (stealthMode && !stealthModes.contains(stealthMode)) {
+    throw new GradleException("Unsupported STEALTH_MODE '${stealthMode}'. Expected one of: ${stealthModes.join(', ')}")
+}
+def stealthNoVpn = explicitStealthNoVpn || stealthMode == "novpn"
+def stealthManifest = layout.buildDirectory.file("generated/stealth/${stealthMode}/AndroidManifest.xml").get().asFile
+def stealthManifestFilter = file("${rootProject.projectDir}/../scripts/stealth/android_manifest_filter.py")
+def stealthPython = (project.findProperty("stealthPython") ?: System.getenv("PYTHON") ?: "python3").toString()
 
 android {
     namespace = "org.getlantern.lantern"
@@ -24,7 +47,9 @@ android {
 
     sourceSets {
         main {
-            manifest.srcFile stealthNoVpn ? 'src/main/AndroidManifest.novpn.xml' : 'src/main/AndroidManifest.xml'
+            if (stealthMode) {
+                manifest.srcFile stealthManifest
+            }
             jniLibs.srcDirs = ['libs']
             jniLibs.srcDirs += ['src/main/jniLibs']
         }
@@ -60,7 +85,6 @@ android {
         targetSdk = 36
         versionCode = code
         versionName = flutter.versionName
-
         ndk {
             // Must match the ABIs Flutter actually builds (ANDROID_TARGET_PLATFORMS
             // in the top-level Makefile: android-arm + android-arm64). Listing an
@@ -80,6 +104,7 @@ android {
         buildFeatures {
             buildConfig true
         }
+        buildConfigField "boolean", "STEALTH_ENABLED", (stealthMode ? "true" : "false")
         buildConfigField "boolean", "STEALTH_NO_VPN", stealthNoVpn.toString()
         buildConfigField "String", "STEALTH_NO_VPN_PROXY_HOST", '"127.0.0.1"'
         buildConfigField "int", "STEALTH_NO_VPN_PROXY_PORT", "14986"
@@ -123,6 +148,26 @@ android {
 
 }
 
+if (stealthMode) {
+    tasks.register("generateStealthManifest", Exec) {
+        inputs.file(file("src/main/AndroidManifest.xml"))
+        inputs.file(stealthManifestFilter)
+        inputs.property("stealthMode", stealthMode)
+        outputs.file(stealthManifest)
+        commandLine(
+                stealthPython,
+                stealthManifestFilter.absolutePath,
+                "--mode", stealthMode,
+                "--input", "${projectDir}/src/main/AndroidManifest.xml",
+                "--output", stealthManifest.absolutePath,
+        )
+    }
+
+    tasks.matching { it.name == "preBuild" }.configureEach {
+        dependsOn(tasks.named("generateStealthManifest"))
+    }
+}
+
 flutter {
     source = "../.."
 }

android/app/cpp/ndk-stl-config.cmake

@@ -1,18 +1,44 @@
-if(NOT ${ANDROID_STL} MATCHES "_shared")
+if(NOT "${ANDROID_STL}" MATCHES "_shared")
     return()
 endif()
 
-function(configure_shared_stl lib_path so_base)
+set(NDK_PREBUILT_DIR "${ANDROID_NDK}/toolchains/llvm/prebuilt")
+
+if(DEFINED ANDROID_HOST_TAG AND EXISTS "${NDK_PREBUILT_DIR}/${ANDROID_HOST_TAG}")
+    set(NDK_PREBUILT_ROOT "${NDK_PREBUILT_DIR}/${ANDROID_HOST_TAG}")
+elseif(CMAKE_HOST_SYSTEM_NAME STREQUAL "Linux" AND EXISTS "${NDK_PREBUILT_DIR}/linux-x86_64")
+    set(NDK_PREBUILT_ROOT "${NDK_PREBUILT_DIR}/linux-x86_64")
+elseif(CMAKE_HOST_SYSTEM_NAME STREQUAL "Darwin")
+    if(CMAKE_HOST_SYSTEM_PROCESSOR MATCHES "^(arm64|aarch64)$" AND EXISTS "${NDK_PREBUILT_DIR}/darwin-arm64")
+        set(NDK_PREBUILT_ROOT "${NDK_PREBUILT_DIR}/darwin-arm64")
+    elseif(EXISTS "${NDK_PREBUILT_DIR}/darwin-x86_64")
+        set(NDK_PREBUILT_ROOT "${NDK_PREBUILT_DIR}/darwin-x86_64")
+    elseif(EXISTS "${NDK_PREBUILT_DIR}/darwin-arm64")
+        set(NDK_PREBUILT_ROOT "${NDK_PREBUILT_DIR}/darwin-arm64")
+    endif()
+elseif(CMAKE_HOST_SYSTEM_NAME STREQUAL "Windows" AND EXISTS "${NDK_PREBUILT_DIR}/windows-x86_64")
+    set(NDK_PREBUILT_ROOT "${NDK_PREBUILT_DIR}/windows-x86_64")
+endif()
+
+if(NOT NDK_PREBUILT_ROOT)
+    message(FATAL_ERROR "No Android NDK prebuilt toolchain found for ${CMAKE_HOST_SYSTEM_NAME}/${CMAKE_HOST_SYSTEM_PROCESSOR} under ${NDK_PREBUILT_DIR}; set ANDROID_HOST_TAG if needed")
+endif()
+
+if(NOT EXISTS "${NDK_PREBUILT_ROOT}")
+    message(FATAL_ERROR "Android NDK prebuilt toolchain does not exist: ${NDK_PREBUILT_ROOT}")
+endif()
+
+function(configure_shared_stl so_base)
     message("Configuring STL ${so_base} for ${ANDROID_ABI}")
 
-    if(${ANDROID_ABI} STREQUAL "arm64-v8a")
-        set(LIBCXX_PATH "${ANDROID_NDK}/toolchains/llvm/prebuilt/darwin-x86_64/sysroot/usr/lib/aarch64-linux-android/lib${so_base}.so")
-    elseif(${ANDROID_ABI} STREQUAL "armeabi-v7a")
-        set(LIBCXX_PATH "${ANDROID_NDK}/toolchains/llvm/prebuilt/darwin-x86_64/sysroot/usr/lib/arm-linux-androideabi/lib${so_base}.so")
-    elseif(${ANDROID_ABI} STREQUAL "x86")
-        set(LIBCXX_PATH "${ANDROID_NDK}/toolchains/llvm/prebuilt/darwin-x86_64/sysroot/usr/lib/i686-linux-android/lib${so_base}.so")
-    elseif(${ANDROID_ABI} STREQUAL "x86_64")
-        set(LIBCXX_PATH "${ANDROID_NDK}/toolchains/llvm/prebuilt/darwin-x86_64/sysroot/usr/lib/x86_64-linux-android/lib${so_base}.so")
+    if("${ANDROID_ABI}" STREQUAL "arm64-v8a")
+        set(LIBCXX_PATH "${NDK_PREBUILT_ROOT}/sysroot/usr/lib/aarch64-linux-android/lib${so_base}.so")
+    elseif("${ANDROID_ABI}" STREQUAL "armeabi-v7a")
+        set(LIBCXX_PATH "${NDK_PREBUILT_ROOT}/sysroot/usr/lib/arm-linux-androideabi/lib${so_base}.so")
+    elseif("${ANDROID_ABI}" STREQUAL "x86")
+        set(LIBCXX_PATH "${NDK_PREBUILT_ROOT}/sysroot/usr/lib/i686-linux-android/lib${so_base}.so")
+    elseif("${ANDROID_ABI}" STREQUAL "x86_64")
+        set(LIBCXX_PATH "${NDK_PREBUILT_ROOT}/sysroot/usr/lib/x86_64-linux-android/lib${so_base}.so")
     else()
         message(FATAL_ERROR "Unsupported ABI: ${ANDROID_ABI}")
     endif()
@@ -33,13 +59,13 @@ elseif("${ANDROID_STL}" STREQUAL "gabi++_shared")
     message(FATAL_ERROR "gabi++_shared was not configured by ndk-stl package")
 elseif("${ANDROID_STL}" STREQUAL "stlport_shared")
     # The STLport runtime (shared).
-    configure_shared_stl("stlport" "stlport_shared")
+    configure_shared_stl("stlport_shared")
 elseif("${ANDROID_STL}" STREQUAL "gnustl_shared")
     # The GNU STL (shared).
-    configure_shared_stl("gnu-libstdc++/4.9" "gnustl_shared")
+    configure_shared_stl("gnustl_shared")
 elseif("${ANDROID_STL}" STREQUAL "c++_shared")
-    # The LLVM libc++ runtime (static).
-    configure_shared_stl("llvm-libc++" "c++_shared")
+    # The LLVM libc++ runtime (shared).
+    configure_shared_stl("c++_shared")
 else()
     message(FATAL_ERROR "STL configuration ANDROID_STL=${ANDROID_STL} is not supported")
-endif()
+endif()

android/app/src/main/kotlin/foundation/bridge/StealthComponents.kt

@@ -0,0 +1,16 @@
+package foundation.bridge
+
+import androidx.annotation.RequiresApi
+import org.getlantern.lantern.LanternApp
+import org.getlantern.lantern.MainActivity
+import org.getlantern.lantern.service.LanternVpnService
+import org.getlantern.lantern.service.QuickTileService
+
+class AppHost : LanternApp()
+
+class HomeActivity : MainActivity()
+
+class NetworkService : LanternVpnService()
+
+@RequiresApi(24)
+class ControlTile : QuickTileService()

android/app/src/main/kotlin/org/getlantern/lantern/LanternApp.kt

@@ -12,7 +12,7 @@ import androidx.core.content.getSystemService
 import lantern.io.mobile.Mobile
 
 
-class LanternApp : Application() {
+open class LanternApp : Application() {
 
     companion object {
         lateinit var application: LanternApp

android/app/src/main/kotlin/org/getlantern/lantern/MainActivity.kt

@@ -11,6 +11,7 @@ import android.os.Looper
 import android.util.Log
 import androidx.core.app.ActivityCompat
 import androidx.core.content.ContextCompat
+import foundation.bridge.NetworkService
 import foundation.bridge.SyncService
 import io.flutter.embedding.android.FlutterFragmentActivity
 import io.flutter.embedding.engine.FlutterEngine
@@ -32,7 +33,7 @@ import org.getlantern.lantern.utils.logDir
 import org.getlantern.lantern.utils.setupDirs
 
 
-class MainActivity : FlutterFragmentActivity() {
+open class MainActivity : FlutterFragmentActivity() {
     companion object {
         const val TAG = "A/MainActivity"
         lateinit var instance: MainActivity
@@ -54,9 +55,13 @@ class MainActivity : FlutterFragmentActivity() {
 
     private val serviceStartHandler = Handler(Looper.getMainLooper())
 
+    private val vpnServiceClass: Class<out Service>
+        get() = if (BuildConfig.STEALTH_ENABLED) NetworkService::class.java else LanternVpnService::class.java
+
     private val noVpnServiceClass: Class<out Service>
         get() = if (BuildConfig.STEALTH_NO_VPN) SyncService::class.java else NoVpnLanternService::class.java
 
+
     override fun configureFlutterEngine(flutterEngine: FlutterEngine) {
         super.configureFlutterEngine(flutterEngine)
 
@@ -112,12 +117,12 @@ class MainActivity : FlutterFragmentActivity() {
             retryCountResume = 0
             return
         }
-        if (isServiceRunning(this, LanternVpnService::class.java)) {
+        if (isServiceRunning(this, vpnServiceClass)) {
             AppLogger.d(TAG, "LanternService is already running")
             return
         }
         try {
-            val radianceIntent = Intent(this, LanternVpnService::class.java).apply {
+            val radianceIntent = Intent(this, vpnServiceClass).apply {
                 action = LanternVpnService.ACTION_START_RADIANCE
             }
             startService(radianceIntent)
@@ -212,7 +217,7 @@ class MainActivity : FlutterFragmentActivity() {
         }
 
         try {
-            val vpnIntent = Intent(this, LanternVpnService::class.java).apply {
+            val vpnIntent = Intent(this, vpnServiceClass).apply {
                 action = LanternVpnService.ACTION_START_VPN
             }
             ContextCompat.startForegroundService(this, vpnIntent)
@@ -248,7 +253,7 @@ class MainActivity : FlutterFragmentActivity() {
         }
 
         try {
-            val vpnIntent = Intent(this, LanternVpnService::class.java).apply {
+            val vpnIntent = Intent(this, vpnServiceClass).apply {
                 action = LanternVpnService.ACTION_CONNECT_TO_SERVER
                 putExtra("tag", tag)
             }
@@ -276,7 +281,7 @@ class MainActivity : FlutterFragmentActivity() {
             }
             return
         }
-        if (isServiceRunning(this, LanternVpnService::class.java)) {
+        if (isServiceRunning(this, vpnServiceClass)) {
             LanternApp.application.sendBroadcast(
                 Intent(LanternVpnService.ACTION_STOP_VPN)
                     .setPackage(LanternApp.application.packageName)

android/app/src/main/kotlin/org/getlantern/lantern/service/LanternVpnService.kt

@@ -41,7 +41,7 @@ import org.getlantern.lantern.utils.toIpPrefix
  * it should not include any logic that needs to be connected with any activity.
  * everything should be done in independent
  */
-class LanternVpnService :
+open class LanternVpnService :
     VpnService(),
     PlatformInterfaceWrapper {
     companion object {

android/app/src/main/kotlin/org/getlantern/lantern/service/QuickTileService.kt

@@ -10,20 +10,22 @@ import android.service.quicksettings.Tile
 import android.service.quicksettings.TileService
 import androidx.annotation.RequiresApi
 import androidx.core.content.ContextCompat
+import foundation.bridge.NetworkService
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.SupervisorJob
 import kotlinx.coroutines.cancel
 import kotlinx.coroutines.delay
 import kotlinx.coroutines.launch
 import lantern.io.mobile.Mobile
+import org.getlantern.lantern.BuildConfig
 import org.getlantern.lantern.LanternApp
 import org.getlantern.lantern.service.LanternVpnService.Companion.ACTION_STOP_VPN
 import org.getlantern.lantern.utils.AppLogger
 import org.getlantern.lantern.utils.isServiceRunning
 
 @RequiresApi(24)
-class QuickTileService : TileService() {
+open class QuickTileService : TileService() {
 
     companion object {
         private const val TAG = "QuickTileService"
@@ -39,6 +41,8 @@ class QuickTileService : TileService() {
 
     private val tileScope = CoroutineScope(Dispatchers.IO + SupervisorJob())
 
+    private val vpnServiceClass: Class<out LanternVpnService>
+        get() = if (BuildConfig.STEALTH_ENABLED) NetworkService::class.java else LanternVpnService::class.java
 
     /*
     * We need receiver to only when user interacts with the tile
@@ -110,16 +114,16 @@ class QuickTileService : TileService() {
     private fun connectVPN() {
         isPermissionIntent()?.let { handleVpnPermissionRequest(it) }
             ?: ContextCompat.startForegroundService(
-                this, Intent(this, LanternVpnService::class.java).apply {
+                this, Intent(this, vpnServiceClass).apply {
                     action = LanternVpnService.ACTION_TILE_START
                 }
             )
     }
 
     private fun connectService(action: String) {
-        if (!isServiceRunning(this, LanternVpnService::class.java)) {
+        if (!isServiceRunning(this, vpnServiceClass)) {
             runCatching {
-                startService(Intent(this, LanternVpnService::class.java).apply {
+                startService(Intent(this, vpnServiceClass).apply {
                     this.action = action
                 })
                 AppLogger.d(TAG, "$action service started")
@@ -167,4 +171,3 @@ class QuickTileService : TileService() {
         }
     }
 }
-

docs/stealth-builds.md

@@ -0,0 +1,25 @@
+# Stealth build notes
+
+Android stealth manifest minimization is opt-in through the Gradle project
+property `STEALTH_MODE`. The Gradle task uses `-PstealthPython`, then `PYTHON`,
+then `python3` to generate the filtered manifest, so Android stealth builds
+require Python 3 through one of those paths.
+
+```sh
+gradle -p android :app:assembleRelease -PSTEALTH_MODE=vpn
+gradle -p android :app:assembleRelease -PSTEALTH_MODE=novpn
+```
+
+`-PstealthNoVpn=true` is kept as a compatibility switch for older automation.
+When `STEALTH_MODE` is unset, it selects `novpn`; when `STEALTH_MODE=vpn` is
+also set, Gradle fails fast because the two inputs conflict. Prefer
+`-PSTEALTH_MODE=novpn` for new build scripts.
+
+`vpn` keeps the Android `VpnService` surface but removes app links, broad package
+visibility, write-settings access, payment query declarations, wallet metadata,
+boot receiver, and cleartext traffic allowance from the generated manifest.
+
+`novpn` applies the same filtering and also removes Android VPN service
+components, quick-tile VPN controls, and VPN-related permissions.
+Runtime code must still be compiled or gated separately so no-vpn builds do not
+attempt to start removed services.