[stealth 04/11] Add stealth artifact leakage checks

.github/workflows/build-android.yml

@@ -12,6 +12,11 @@ on:
       installer_base_name:
         required: true
         type: string
+      stealth_leakage_mode:
+        description: "Optional stealth leakage scan mode, for example stealth or stealth-novpn"
+        required: false
+        type: string
+        default: ""
 
 jobs:
   build-android:
@@ -156,6 +161,30 @@ jobs:
           INSTALLER_NAME: ${{ inputs.installer_base_name }}
           GOMOBILECACHE: ${{ env.GOMOBILECACHE }}
 
+      - name: Stealth leakage check
+        id: stealth_leakage_check
+        if: ${{ inputs.stealth_leakage_mode != '' }}
+        shell: bash
+        run: |
+          set -o pipefail
+          : > stealth-leakage-report.txt
+          make stealth-leakage-check 2>&1 | tee stealth-leakage-report.txt
+        env:
+          STEALTH_LEAKAGE_MODE: ${{ inputs.stealth_leakage_mode }}
+          STEALTH_LEAKAGE_MISSING_OK: "0"
+          STEALTH_LEAKAGE_PATHS: >-
+            ${{ inputs.installer_base_name }}${{ inputs.build_type != 'production' && format('-{0}', inputs.build_type) || '' }}.apk
+            ${{ inputs.installer_base_name }}${{ inputs.build_type != 'production' && format('-{0}', inputs.build_type) || '' }}.aab
+
+      - name: Upload stealth leakage report
+        if: ${{ always() && inputs.stealth_leakage_mode != '' && steps.stealth_leakage_check.outcome != 'skipped' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: stealth-leakage-report
+          path: stealth-leakage-report.txt
+          if-no-files-found: error
+          retention-days: 14
+
       - name: Upload Android APK
         uses: actions/upload-artifact@v4
         with:

.github/workflows/release.yml

@@ -46,6 +46,15 @@ on:
         required: false
         type: boolean
         default: false
+      stealth_leakage_mode:
+        description: "Run Android stealth leakage scanner for manual Android builds"
+        required: false
+        type: choice
+        options:
+          - none
+          - stealth
+          - stealth-novpn
+        default: none
 
 permissions:
   contents: write
@@ -71,6 +80,7 @@ jobs:
       linux_arch: ${{ steps.meta.outputs.linux_arch }}
       is_test_run: ${{ steps.meta.outputs.is_test_run }}
       smoke_enable_ip_check: ${{ steps.meta.outputs.smoke_enable_ip_check }}
+      stealth_leakage_mode: ${{ steps.meta.outputs.stealth_leakage_mode }}
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -199,6 +209,13 @@ jobs:
           fi
 
           SMOKE_ENABLE_IP_CHECK="false"
+          STEALTH_LEAKAGE_MODE=""
+          if [[ "$EVENT" == "workflow_dispatch" ]]; then
+            requested_stealth_leakage_mode="${{ github.event.inputs.stealth_leakage_mode }}"
+            if [[ "$requested_stealth_leakage_mode" != "none" ]]; then
+              STEALTH_LEAKAGE_MODE="$requested_stealth_leakage_mode"
+            fi
+          fi
 
           echo "build_type=$BUILD_TYPE" >> $GITHUB_OUTPUT
           echo "release_tag=$RELEASE_TAG" >> $GITHUB_OUTPUT
@@ -208,6 +225,7 @@ jobs:
           echo "installer_base_name=$INSTALLER_BASE_NAME" >> $GITHUB_OUTPUT
           echo "is_test_run=$IS_TEST_RUN" >> $GITHUB_OUTPUT
           echo "smoke_enable_ip_check=$SMOKE_ENABLE_IP_CHECK" >> $GITHUB_OUTPUT
+          echo "stealth_leakage_mode=$STEALTH_LEAKAGE_MODE" >> $GITHUB_OUTPUT
 
       - name: Update pubspec.yaml version
         shell: bash
@@ -352,6 +370,7 @@ jobs:
       version: ${{ needs.set-metadata.outputs.version }}
       build_type: ${{ needs.set-metadata.outputs.build_type }}
       installer_base_name: ${{ needs.set-metadata.outputs.installer_base_name }}
+      stealth_leakage_mode: ${{ needs.set-metadata.outputs.stealth_leakage_mode }}
 
   release-create:
     needs: set-metadata

Makefile

@@ -112,6 +112,11 @@ ANDROID_RELEASE_APK := $(INSTALLER_NAME)$(if $(filter-out production,$(BUILD_TYP
 ANDROID_RELEASE_AAB := $(INSTALLER_NAME)$(if $(filter-out production,$(BUILD_TYPE)),-$(BUILD_TYPE)).aab
 ANDROID_MAPPING_SRC := build/app/outputs/mapping/release/mapping.txt
 ANDROID_SYMBOLS_SRC := build/app/outputs/native-debug-symbols/release/native-debug-symbols.zip
+PYTHON ?= python3
+STEALTH_LEAKAGE_MODE ?= stealth
+STEALTH_LEAKAGE_CONFIG ?= scripts/stealth/forbidden_tokens.json
+STEALTH_LEAKAGE_PATHS ?= $(ANDROID_RELEASE_APK) $(ANDROID_RELEASE_AAB) $(ANDROID_APK_RELEASE_BUILD) $(ANDROID_AAB_RELEASE_BUILD)
+STEALTH_LEAKAGE_MISSING_OK ?= 1
 ANDROID_NDK_VERSION          ?= 28.2.13676358
 ANDROID_CMAKE_VERSION        ?= 3.22.1
 ANDROID_BUILD_TOOLS_VERSION  ?= 35.0.0
@@ -530,6 +535,17 @@ android-release: clean android pubget gen android-apk-release
 .PHONY: android-release-ci
 android-release-ci: android pubget gen android-apk-release android-aab-release
 
+.PHONY: stealth-leakage-check stealth-novpn-leakage-check
+stealth-leakage-check:
+	$(PYTHON) scripts/stealth/check_leakage.py \
+		--config "$(STEALTH_LEAKAGE_CONFIG)" \
+		--mode "$(STEALTH_LEAKAGE_MODE)" \
+		$(if $(filter 1 true yes,$(STEALTH_LEAKAGE_MISSING_OK)),--missing-ok,) \
+		$(STEALTH_LEAKAGE_PATHS)
+
+stealth-novpn-leakage-check:
+	$(MAKE) stealth-leakage-check STEALTH_LEAKAGE_MODE=stealth-novpn
+
 # iOS Build
 .PHONY: install-ios-deps
 

docs/stealth-leakage-checks.md

@@ -0,0 +1,58 @@
+# Stealth Leakage Checks
+
+`scripts/stealth/check_leakage.py` scans built stealth artifacts for normal
+Lantern identifiers. It accepts APK, AAB, ZIP-like archives, and unpacked build
+directories. Archive entries are scanned recursively, and string matching checks
+UTF-8, UTF-16LE, and UTF-16BE encodings.
+
+Run the default stealth check:
+
+```sh
+make stealth-leakage-check \
+  STEALTH_LEAKAGE_PATHS="path/to/app.apk path/to/app.aab"
+```
+
+Run the stricter no-VPN variant:
+
+```sh
+make stealth-novpn-leakage-check \
+  STEALTH_LEAKAGE_PATHS="path/to/app.apk"
+```
+
+If the configured targets are absent, the Make targets skip successfully. This
+keeps normal builds and ordinary CI runs from failing on stealth-only checks.
+
+## Modes
+
+The forbidden-token config lives at
+`scripts/stealth/forbidden_tokens.json`.
+
+`stealth` checks for:
+
+- normal Lantern package, brand, library, service, and organization identifiers
+- user-facing VPN strings
+- OAuth provider strings and method-channel entry points
+- billing and subscription entry points
+- app-link hosts, custom schemes, and deep-link paths
+- Lantern social/support URLs
+- update feed and release URLs
+
+`stealth-novpn` extends `stealth` and also checks Android VPN/TUN surfaces such
+as `android.net.VpnService`, `BIND_VPN_SERVICE`, `TunOptions`, and VPN quick
+tile/service actions.
+
+## Allowlists
+
+Each mode supports an `allowlist` in the JSON config. Allowlist entries can
+match by `token`, `category`, `location` glob, and `encoding`. Example:
+
+```json
+{
+  "token": "Lantern",
+  "location": "*.SF",
+  "reason": "example only"
+}
+```
+
+Keep allowlist entries narrow and mode-specific so real leaks still fail the
+scan.