ANR in com.okta.authfoundation.util.AesEncryptionHandler.decryptString-IoAF18A on Android 12

[maxrimmer]

Describe the bug?

We are seeing a substantial amount of ANR's steming from com.okta.authfoundation.util.AesEncryptionHandler.decryptString-IoAF18A with the following stack trace:
main (timed waiting):tid=1 systid=9157
at java.lang.Thread.sleep(Native method)
at java.lang.Thread.sleep(Thread.java:451)
at java.lang.Thread.sleep(Thread.java:356)
at android.security.KeyStoreSecurityLevel.interruptedPreservingSleep(KeyStoreSecurityLevel.java:206)
at android.security.KeyStoreSecurityLevel.createOperation(KeyStoreSecurityLevel.java:115)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized(AndroidKeyStoreCipherSpiBase.java:334)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineInit(AndroidKeyStoreCipherSpiBase.java:234)
at javax.crypto.Cipher.tryTransformWithProvider(Cipher.java:2999)
at javax.crypto.Cipher.tryCombinations(Cipher.java:2910)
at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider(Cipher.java:2815)
at javax.crypto.Cipher.chooseProvider(Cipher.java:792)
at javax.crypto.Cipher.init(Cipher.java:1307)
at javax.crypto.Cipher.init(Cipher.java:1242)
at com.okta.authfoundation.util.AesEncryptionHandler.decryptString-IoAF18A(AesEncryptionHandler.kt:56)
at com.okta.authfoundation.credential.DefaultCredentialIdDataStore.getDefaultCredentialId(DefaultCredentialIdDataStore.kt:45)
at com.okta.authfoundation.credential.DefaultCredentialIdDataStore$getDefaultCredentialId$1.invokeSuspend(DefaultCredentialIdDataStore.kt:11)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:98)
at android.os.Handler.handleCallback(Handler.java:938)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loopOnce(Looper.java:346)
at android.os.Looper.loop(Looper.java:475)
at android.app.ActivityThread.main(ActivityThread.java:7889)
at java.lang.reflect.Method.invoke(Native method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1009)

The ANR is only happening on Android 12 devices. And has been observed on a range of different devices:

• Oneplus (26 % of the ANR's happening on OnePlus Nord), Sony, Xiaomi, HMD Global, Motorola, and a list of other small manufactors.

Please let me know if you need more info to investigate.

What is expected to happen?

No ANR

What is the actual behavior?

ANR

Reproduction Steps?

What we see from our logs. The app starts and on the first attempt to receive an accessToken the ANR is happening, and our process is killed by the system with the reason code ANR

Additional Information?

No response

SDK Version and Artifact(s) used.

2.0.3

Build Information

No response

[rajdeepnanua-okta]

Hi @maxrimmer,

Accessing IO and performing encryption operations on app startup can unfortunately be too expensive for weaker devices. Would it be possible for you to fetch the access token on app start in a CoroutineScope with Dispatchers.IO (either lifecycleScope or viewModelScope) or a non-main thread? This SDK provides an async version of Credential.default, which is Credential.getDefaultAsync(). Running that should offload IO operations to not block the main thread, and this should fix most of the ANRs.