Describe the bug
The Talsec SDK crashes with an uncaught SecurityException when calling UsageStatsManager.queryUsageStats on devices where the PACKAGE_USAGE_STATS (a.k.a. GET_USAGE_STATS) permission has not been granted. This permission is a special-access permission that can only be granted by the user through Settings > Apps > Special app access > Usage access — it cannot be requested at runtime via the standard permission flow.
The exception is not caught internally by the Talsec SDK and propagates to the host app's UncaughtExceptionHandler, causing a fatal crash.
Expected behavior
The Talsec SDK should catch the SecurityException internally when PACKAGE_USAGE_STATS is not granted and degrade gracefully (e.g., skip the usage-stats-based check, or report it as an inconclusive signal), rather than letting the exception propagate to the host app.
Screenshots
N/A — this is a backend crash, not a UI issue.
- Device: Motorola moto g15 (VVTAS35), Motorola moto g22
- OS version: Android 15 (VVTAS35.51-137-2-1), Android 14
- Version of freeRASP: 7.5.0 (Flutter)
Additional context
Full stacktrace from Sentry (2 events, 2 distinct users, production):
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely
at kotlinx.coroutines.DispatchedTask.run
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith
at M3.o.invokeSuspend ← obfuscated Talsec class
at com.aheaditec.talsec.security.u.a
at com.aheaditec.talsec.security.n.b
at M3.y0.run ← obfuscated Talsec class
at M3.y0.a
at com.aheaditec.talsec.security.u.N
at android.app.usage.UsageStatsManager.queryUsageStats
at android.app.usage.IUsageStatsManager$Stub$Proxy.queryUsageStats
at android.os.Parcel.readException
at android.os.Parcel.createExceptionOrNull
The exception type is SecurityException with message: `redacted.app from uid 10428 not allowed to perform GET_USAGE_STATS.`
The entire stack is within the com.aheaditec.talsec.security namespace — no first-party application code is involved. The crash occurs on a Kotlin coroutine worker thread (DefaultDispatcher-worker-1), triggered during Talsec's automated security checks.
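A defensive wrapper of the kind the "Expected behavior" section asks for, shown as an added example; it is not Talsec's code and not part of the original report. The names `UsageStatsResult`, `hasUsageAccess` and `queryUsageStatsSafely` are hypothetical, and the choice of `INTERVAL_DAILY` is an assumption.

```kotlin
import android.Manifest
import android.app.AppOpsManager
import android.app.usage.UsageStats
import android.app.usage.UsageStatsManager
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.os.Process

// Hypothetical result type: a missing grant is "inconclusive", not a threat and not a crash.
sealed interface UsageStatsResult {
    data class Available(val stats: List<UsageStats>) : UsageStatsResult
    data class Inconclusive(val reason: String) : UsageStatsResult
}

// Usage access is an app-op toggled in Settings, so ask AppOpsManager for its state.
fun hasUsageAccess(context: Context): Boolean {
    val appOps = context.getSystemService(AppOpsManager::class.java) ?: return false
    val op = AppOpsManager.OPSTR_GET_USAGE_STATS
    val mode = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
        appOps.unsafeCheckOpNoThrow(op, Process.myUid(), context.packageName)
    } else {
        @Suppress("DEPRECATION")
        appOps.checkOpNoThrow(op, Process.myUid(), context.packageName)
    }
    return when (mode) {
        AppOpsManager.MODE_ALLOWED -> true
        // MODE_DEFAULT defers to the manifest permission check.
        AppOpsManager.MODE_DEFAULT ->
            context.checkCallingOrSelfPermission(Manifest.permission.PACKAGE_USAGE_STATS) ==
                PackageManager.PERMISSION_GRANTED
        else -> false
    }
}

fun queryUsageStatsSafely(context: Context, beginMs: Long, endMs: Long): UsageStatsResult {
    if (!hasUsageAccess(context)) return UsageStatsResult.Inconclusive("usage access not granted")
    val usm = context.getSystemService(UsageStatsManager::class.java)
        ?: return UsageStatsResult.Inconclusive("UsageStatsManager unavailable")
    return try {
        val stats = usm.queryUsageStats(UsageStatsManager.INTERVAL_DAILY, beginMs, endMs)
        UsageStatsResult.Available(stats.orEmpty())
    } catch (e: SecurityException) {
        // The pre-check can race with the user revoking access in Settings, and the
        // stack trace above shows the binder call itself throwing, so the catch stays.
        UsageStatsResult.Inconclusive("GET_USAGE_STATS denied: ${e.message}")
    }
}
```

Until the SDK handles this internally, a host app cannot wrap the call itself because the stack is entirely inside the SDK; the wrapper shows what the fix would look like at the call site.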