IssueTracker

Issue 37105245 had a fix for the DNS issues in c63059c8a7423b13cecc8b65885d54c12aae0d10, so you might not be seeing the exact same bug.

It might help to give a little more detail in the repro steps; for example a Nexus 6 running 7.1.2 (shamu-userdebug N2G05) fits the description but while connected to any of several different VPNs on Wifi or 4G it is still able to download things from Play Store without problem.

Specifically could you help narrow down the steps with:
 * What exact build numbers and devices can you confirm this reproduced on?
 * Which VPN apps can you confirm this reproduced on?
 * What fields does the VpnService.Builder have set when creating the connection? (ie. is DNS explicitly set to 8.8.8.8 or fall-through, are any apps excluded from the network, etc.)
 * What kind of network is the phone connected to? Is it ipv4-only?

A bugreport from adb would answer about half of this straight away if you are able to take one.

Working on more info - coming soon.

Same problem with IPv6Droid. The issue might not be related to DNS at all, but could be a bug to detect required connectivity. I.e. an active VPN seems to fool DownloadManager to believe, no WLAN was available.

Regarding your questions: one device is Asus ZenPad, software detais see atachment. Here, Downloads simply seem to stay queued until VPN is switched off.

Another device is Sony Xpera Z3+, Android 7. Here you even get flickering in the notification bar, the Download arrow appearing  for a split second every second or so.

The behaviour is triggered by any application using DownloadManager, so it seems.

Please refer to the code on  https://github.com/pelzvieh/IPv6Droid/blob/1.0_Maintainance/IPv6Droid/src/main/java/de/flyingsnail/ipv6droid/android/VpnThread.java

* What exact build numbers and devices can you confirm this reproduced on?

See attached screenshot.

 * Which VPN apps can you confirm this reproduced on?

Covenant Eyes (https://play.google.com/store/apps/details?id=com.covenanteyes.androidservice&hl=en_US)

An active test account has been made with username: GoogleIssueTest and password: googletest1

 * What fields does the VpnService.Builder have set when creating the connection? (ie. is DNS explicitly set to 8.8.8.8 or fall-through, are any apps excluded from the network, etc.)

We are a tunnel using a patented technology, rather than VPN.

DNS servers in order: 8.8.8.8, 8.8.4.4

Routes in order: 8.8.8.8, 8.8.4.4
Additionally, we obtain net.dns1 and net.dns2 using the system runtime. If either or both are IPv4 and valid, we add them as routes as well.

Since identifying the Android bug, we've already added several packages to the VPN disallow list to prevent issues, however we can't exclude everything.
Disallowed packages: com.android.vending, com.google.android.gms, com.google.android.gms.drive, com.google.android.apps.docs, com.google.android.gm

 * What kind of network is the phone connected to? Is it ipv4-only?

WiFi at the time of bug report capture, but bug occurs on cellular also.

Testing with Google Photos:

- Install Covenant Eyes
- Sign in using test account
- Complete all onboarding steps
- Open Google Photos
- Find a photo that is stored on your online account only
- Download photo to device

Expected:

Photo download is successful to device

Actual:

DownloadManager icon briefly appears and disappears in status bar.
Download fails.



Upon deletion of Covenant Eyes, the DownloadManager usually completes the queued downloads.

Are you able to reproduce the issue on Pixel/Nexus device as well?
If yes, then please share bug report for it as well.

Android bug report
After reproducing the issue, press the volume up, volume down, and power button simultaneously. This will capture a bug report on your device in the “bug reports” directory. Attach the bug report  file to this issue.

Alternate method:
After reproducing the issue, navigate to developer settings, ensure ‘USB debugging’ is enabled, then enable ‘Bug report shortcut’. To take bug report, hold the power button and select the ‘Take bug report’ option.

Please upload the files to Google Drive and share the folder to android-bugreport@google.com, then share the link here.

We have passed this to the development team and will update this issue with more information as it becomes available.

I do not have a Pixel/Nexus on hand and can try to get one if needed.

Otherwise keep us posted.

Thank you.

Any updates on this?

Happens on my pixel 2 connected to WiFi. My work laptop is connected to a VPN (via Lan) on the same network

I use OpenVPN and figured out that if I only enable it for certain apps and use it, then the rest works.

Seems to avoid the Download Manager issue.

I use a pixel 2xl on the latest update and can not download attachments on the Gmail while openvpn is active.

Comment

Remove

This issue is also happening with Checkpoint Capsule VPN Client application.

This issue is also happening with Netskope app, the same exact way, a lot of device impacted in our enterprise:
 - Samsung Galaxy J5 2017
 - Android 8.1

Any update?

From what I've been reading up on this subject, and my tests with Adblock VPN software, as soon as ANY VPN connection is established, ANY downloads made through DownloadManager will fail.

If the app downloads data by itself, like a game updating itself, or (for some odd reason) Google Play updating apps, this issue will not occur.

However, the moment any VPN is connected, no downloads DownloadManager is in charge of will finish, including loading previews and attachments on GMail.

It would be nice to at least have an acknowledgment of the issue, and if/when we can expect updates on it, since it has been over 6 months and not a peep from Google thus far.

I've discovered how to avoid it. At least with OpenVPN but waited long
enough to see if anyone from Android cared to fix it.

When I use OpenVPN I can access my private network and also carry any
operation outside the VPN without being routed through the VPN.

I mean, if I use WhatsApp or Opera browser they work and they perform
directly, they are not going through my private network to the internet.

All but Download Manager.

With OpenVPN one can select to "use it for all apps but.." or "use only for
selected apps"

With the later option I've configured it to be used only work with the
remote terminal, file explorer, browser and SIP client.

Every other app work and it does not interfere with Download Manager.

Regards

David

On Tue, Jan 15, 2019, 13:39 <buganizer-system@google.com wrote:

Seen on a Pixel running Android 9.

First spotted trying to download an attachment via gmail (with an operational VPN service), next confirmed with a minimal test app directly using the DownloadManager. If there is a VpnService running, the DownloadManager fails DNS resolution:
```
2019-01-22 16:46:59.532 6437-9150/? D/DownloadManager: [909] Starting
2019-01-22 16:46:59.598 6437-9150/? W/DownloadManager: [909] Stop requested with status HTTP_DATA_ERROR: Unable to resolve host "unsplash.com": No address associated with hostname
2019-01-22 16:46:59.604 6437-9150/? D/DownloadManager: [909] Finished with status WAITING_TO_RETRY
```

I'm having trouble crafting a test that directly specifies an IP address and bypasses DNS. With an https URL it fails to connect (IIRC I tried a lower level test which complained about the cert not matching). Trying http, it complains `Cleartext HTTP traffic to unsplash.com not permitted`, which is somewhat odd b/c I get that even if I explicitly set `android:usesCleartextTraffic="true"`, and a call to `NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted()` returns true. Which makes me even more suspicious that the DownloadManager is doing something weird.

Looking for a workaround, does anyone knows if it's possible with some device policies (in Google G Suite or any third party MDM/EMM) to configure Android device to avoid VPN for DownloadManager?

Thank you!

You can give apps permission to bypass the VPN by calling `allowBypass()` when creating the VpnService:
https://developer.android.com/reference/android/net/VpnService.Builder.html#allowBypass()

However, this just gives apps the ability to do this. There is no way that I know of to force it.

And specifically, this does **not** solve the problem with the DownloadManager. It's not entirely clear to me if that's because the DownloadManager does not wish to bypass the VPN, or maybe if it would work if this bug were fixed.

Just wrote a proof of concept. The Connectivity Manager seems buggy, the (active) network returned doesn't route packets.

The issue has been fixed and it will be available in a future build.

can you be more specific when you talk about "future build"?

Thank you


On Fri, May 31, 2019, 12:42 PM <buganizer-system@google.com> wrote:

--








This e-mail transmission may contain legally privileged and/or
confidential information. Please do not read it if you are not the intended
recipient(s). Any use, distribution, reproduction or disclosure by any
other person is strictly prohibited. If you have received this e-mail in
error, please notify the sender and destroy the original.
Please consider
the environment before printing this email.

Fraud

This is happening on Android 9.0 as well. And it happens whenever VPN is on, even in full tunnel mode. It can be easily reproduced with any app like TunnelBear, Lookout, Packet Capture etc. that sets up VPN.

STR:
In Play Store settings, set Download over "Wifi Only".
With Wifi On, connect to VPN and try to download any app from Play Store.
It stays in Downloading state.

Clearly, this is because the Connectivity manager returns VPN as the active connection type, which is treated by Play Store as a Non-Wifi type.

The bug is fixed in Android Q. This patch cannot be applied to O or P.

Can you please let us if AndroidQ will also support Man in the Middle, means if we need to decrypt packet and do the analysis.

Is there any known workaround for this on currently affected Android versions (aside from using #addDisallowedApplication(String) for the whole package names one by one)?

Depends. OpenVPN allows to control which apps.

On Fri, Nov 8, 2019, 12:10 <buganizer-system@google.com> wrote:

The question is whether it is possible not to whitelist apps from the VPN, and yet have them working properly.
Many apps serve as a content manager and can download files, many MDMs push apps to devices, Play Store manages downloading and installing apps.
I'd say it is a major bug and asking everyone to update to Android Q which has been released quite recently does not seem viable for many businesses.

I would like to understand what exactly the issue was and how it was fixed, please.

>The bug is fixed in Android Q

That's either not the case, or it has regressed. I see this issue still happening in Android 11 on a Pixel 2.

Not fixed. I experience it on Android 13.