Closed
2 changes: 1 addition & 1 deletion netbird
Submodule netbird updated 68 files
+2 −2 .github/workflows/check-license-dependencies.yml
+1 −1 .github/workflows/golangci-lint.yml
+2 −0 .gitignore
+24 −0 .goreleaser.yaml
+1 −1 CONTRIBUTOR_LICENSE_AGREEMENT.md
+16 −0 client/android/client.go
+2 −2 client/cmd/service_params_test.go
+46 −0 client/cmd/service_test.go
+2 −2 client/internal/auth/auth.go
+7 −0 client/internal/connect.go
+73 −0 client/internal/connect_android_default.go
+32 −0 client/internal/connect_android_embed.go
+100 −1 client/internal/engine.go
+31 −1 client/internal/peer/worker_ice.go
+14 −3 client/internal/profilemanager/config.go
+29 −9 client/internal/profilemanager/config_test.go
+11 −0 client/internal/routemanager/manager.go
+10 −1 client/internal/routemanager/mock.go
+36 −21 client/internal/routemanager/notifier/notifier_android.go
+5 −6 client/system/info.go
+6 −0 client/system/info_android.go
+13 −0 client/system/network_addresses.go
+17 −0 client/system/network_addresses_android.go
+1 −1 go.mod
+48 −2 idp/dex/config.go
+47 −0 idp/dex/provider.go
+292 −0 idp/dex/provider_test.go
+5 −2 infrastructure_files/getting-started-with-dex.sh
+5 −2 infrastructure_files/getting-started-with-zitadel.sh
+10 −1 infrastructure_files/getting-started.sh
+56 −8 management/internals/modules/reverseproxy/service/manager/manager.go
+5 −0 management/internals/modules/reverseproxy/service/service.go
+9 −3 management/internals/server/controllers.go
+3 −1 management/internals/server/modules.go
+61 −0 management/server/activity/store/sql_store_idp_migration.go
+161 −0 management/server/activity/store/sql_store_idp_migration_test.go
+14 −9 management/server/auth/manager.go
+4 −4 management/server/auth/manager_test.go
+12 −2 management/server/geolocation/geolocation.go
+2 −2 management/server/http/testing/testing_tools/channel/channel.go
+12 −0 management/server/idp/embedded.go
+235 −0 management/server/idp/migration/migration.go
+828 −0 management/server/idp/migration/migration_test.go
+82 −0 management/server/idp/migration/store.go
+54 −17 management/server/instance/manager.go
+181 −133 management/server/instance/manager_test.go
+7 −1 management/server/posture/network.go
+1 −1 management/server/posture_checks.go
+177 −0 management/server/store/sql_store_idp_migration.go
+23 −1 management/server/user.go
+98 −0 management/server/user_test.go
+8 −0 proxy/cmd/proxy/main.go
+41 −7 shared/auth/jwt/validator.go
+1 −1 shared/management/client/client_test.go
+59 −0 shared/management/client/rest/edr.go
+281 −0 shared/management/http/api/openapi.yml
+120 −0 shared/management/http/api/types.gen.go
+276 −273 shared/management/proto/management.pb.go
+2 −2 shared/management/proto/management.proto
+948 −418 shared/management/proto/proxy_service.pb.go
+2 −2 shared/relay/client/dialer/quic/quic.go
+209 −0 tools/idp-migrate/DEVELOPMENT.md
+661 −0 tools/idp-migrate/LICENSE
+174 −0 tools/idp-migrate/config.go
+449 −0 tools/idp-migrate/main.go
+487 −0 tools/idp-migrate/main_test.go
+39 −8 upload-server/server/local.go
+87 −0 upload-server/server/local_test.go
4 changes: 2 additions & 2 deletions tool/src/main/AndroidManifest.xml
Expand Up @@ -5,7 +5,7 @@
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE_SYSTEM_EXEMPTED" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE_SPECIAL_USE" />
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Android startForeground FOREGROUND_SERVICE_TYPE_SPECIAL_USE requirement API 34

💡 Result:

On Android 14 / API 34 (i.e., when your app targets 34+), using startForeground(..., FOREGROUND_SERVICE_TYPE_SPECIAL_USE) requires all of the following:

  1. Declare the service type in the manifest (on the <service>):
<service
    android:name=".YourService"
    android:foregroundServiceType="specialUse">
    <property
        android:name="android.app.PROPERTY_SPECIAL_USE_FGS_SUBTYPE"
        android:value="explanation_for_special_use"/>
</service>

The <property> subtype/value is a free-form explanation intended for Google Play Console review when you use specialUse. [1]

  2. Request the permissions in the manifest:
<uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE_SPECIAL_USE" />

Each FGS type has a corresponding permission, and on API 34+ missing the appropriate type permission can cause a SecurityException. [2][3]

  3. Pass the type to startForeground():
    Use FOREGROUND_SERVICE_TYPE_SPECIAL_USE when calling startForeground(). [1]

Note: specialUse has no runtime prerequisites (beyond the permissions + correct declarations above). [1]

Sources
[1] Android Developers — Foreground service types (Special use)
[2] Android Developers — Changes to foreground services (Android 14 / API 34 requirements)
[3] Android Developers — Manifest.permission.FOREGROUND_SERVICE_SPECIAL_USE (API 34)


🏁 Script executed:

find . -type f -name "ForegroundNotification.java" | head -5

Repository: netbirdio/android-client

Length of output: 139


🏁 Script executed:

find . -type f -name "AndroidManifest.xml" | grep -E "tool.*AndroidManifest"

Repository: netbirdio/android-client

Length of output: 103


🏁 Script executed:

cat -n ./tool/src/main/java/io/netbird/client/tool/ForegroundNotification.java

Repository: netbirdio/android-client

Length of output: 2611


🏁 Script executed:

cat -n ./tool/src/main/AndroidManifest.xml

Repository: netbirdio/android-client

Length of output: 1998


Critical: startForeground() must use the 3-parameter overload with the service type.

The manifest correctly declares foregroundServiceType="specialUse" and includes the required permission. However, ForegroundNotification.java line 51 calls the 2-parameter startForeground(NOTIFICATION_ID, notification). Starting with Android 14 (API 34), when a foreground service declares a foregroundServiceType in the manifest, the startForeground() call must use the 3-parameter overload and pass the matching type constant. Failure to do so throws InvalidForegroundServiceTypeException at runtime.

Update ForegroundNotification.java:

+ import android.content.pm.ServiceInfo;
+
  class ForegroundNotification {
      // ...
      public void startForeground() {
          // ...
-         service.startForeground(NOTIFICATION_ID, notification);
+         service.startForeground(NOTIFICATION_ID, notification, ServiceInfo.FOREGROUND_SERVICE_TYPE_SPECIAL_USE);
      }
  }

Additionally, the <service> block in AndroidManifest.xml is missing the required <property> element for special use justification. Add this inside the <service> tag (line 15–26):

<property
    android:name="android.app.PROPERTY_SPECIAL_USE_FGS_SUBTYPE"
    android:value="VPN service required for network traffic tunneling"/>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tool/src/main/AndroidManifest.xml` at line 8, ForegroundNotification.java
currently calls the 2-arg startForeground(NOTIFICATION_ID, notification); update
that call to the 3-argument overload and pass the Android 14 service-type
constant (e.g., ServiceInfo.FOREGROUND_SERVICE_TYPE_SPECIAL_USE) so it matches
the manifest's foregroundServiceType="specialUse" and avoids
InvalidForegroundServiceTypeException; also ensure imports/reference to
ServiceInfo (or the equivalent constant) are added and that NOTIFICATION_ID and
notification are passed unchanged as the first two args. Additionally, add the
required <property> element inside the service declaration in
AndroidManifest.xml with
android:name="android.app.PROPERTY_SPECIAL_USE_FGS_SUBTYPE" and an appropriate
android:value describing the special-use justification (e.g., "VPN service
required for network traffic tunneling").

<uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM" />

<application
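Review bot: The changed uses-permission line swaps FOREGROUND_SERVICE_SYSTEM_EXEMPTED for FOREGROUND_SERVICE_SPECIAL_USE with no comment recording why. Android's foreground service type documentation lists VPN apps under systemExempted, while specialUse carries a justification requirement for Play review, so the reason for leaving the VPN-specific type should be written down next to this permission (an XML comment is enough). The permission is also only meaningful together with the service's foregroundServiceType, so keep the two changes in the same commit and mention both in its message.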
Expand All @@ -16,7 +16,7 @@
android:name=".VPNService"
android:permission="android.permission.BIND_VPN_SERVICE"
android:exported="false"
android:foregroundServiceType="systemExempted">
android:foregroundServiceType="specialUse">
<intent-filter>
<action android:name="android.net.VpnService"/>
<action android:name="io.netbird.client.intent.action.START_SERVICE" />
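Review bot: The service element now declares android:foregroundServiceType="specialUse", but the visible lines go straight from that attribute to <intent-filter>, with no <property android:name="android.app.PROPERTY_SPECIAL_USE_FGS_SUBTYPE"> child in between. If the element does not carry one further down, add it with a short description of the VPN use so the special-use declaration is documented in the manifest itself.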
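The manifest-side requirements listed in the review comment (base permission, per-type permission, special-use property) can be checked mechanically in CI. The following is an added example, not code from this PR or from the netbird project; `check_manifest`, its type table (limited to the two types in this diff) and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BASE = "android.permission.FOREGROUND_SERVICE"
# Only the two service types that appear in this diff; extend the table as needed.
TYPE_PERMISSION = {
    "specialUse": BASE + "_SPECIAL_USE",
    "systemExempted": BASE + "_SYSTEM_EXEMPTED",
}
SUBTYPE_PROPERTY = "android.app.PROPERTY_SPECIAL_USE_FGS_SUBTYPE"

# Constructed sample (not the project's manifest): type switched, permission not.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_SYSTEM_EXEMPTED" />
  <application>
    <service android:name=".VPNService" android:foregroundServiceType="specialUse">
      <intent-filter><action android:name="android.net.VpnService" /></intent-filter>
    </service>
  </application>
</manifest>"""

def check_manifest(xml_text):
    """Return sorted findings about foreground-service declarations."""
    root = ET.fromstring(xml_text)
    granted = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings, used = [], set()
    for svc in root.iter("service"):
        name = svc.get(ANDROID + "name")
        declared = svc.get(ANDROID + "foregroundServiceType") or ""
        types = [t for t in declared.split("|") if t]
        if types and BASE not in granted:
            findings.append(f"{name}: missing {BASE}")
        for t in types:
            perm = TYPE_PERMISSION.get(t)  # None: type outside this table
            used.add(perm)
            if perm and perm not in granted:
                findings.append(f"{name}: type {t} needs {perm}")
        props = {p.get(ANDROID + "name") for p in svc.findall("property")}
        if "specialUse" in types and SUBTYPE_PROPERTY not in props:
            findings.append(f"{name}: specialUse without {SUBTYPE_PROPERTY}")
    # Type permissions left behind after a type change are no longer needed.
    for perm in (set(TYPE_PERMISSION.values()) & granted) - used:
        findings.append(f"manifest: {perm} requested but no service uses it")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(check_manifest(SAMPLE)))
```

The check covers only manifest declarations; whether the `startForeground()` call passes a matching type still has to be reviewed in the Java source.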