feat(android): prepare SDK for Android target SDK 36

[m1ga]

(hopefully) fixes #14353

Targeting Android SDK 36 will remove the current opt-out XML for the edge-to-edge stuff and this will break our layouts:

(Ti 13.1.1.GA with targetSDK 36)

Whats fixed:

This PR will remove the opt-out part from the XML file, adds a new EdgeToEdgeHelper that will set the correct padding and fixes the (current/old) BottomNavigation height calculation. Otherwise the views are slightly behind the bottom navigation again. The experimental:true (new) BottomNavigation using the XML is working fine.

(this PR)

How to test it

• add <uses-sdk android:targetSdkVersion="36" /> in the <manifest> node in your tiapp.xml
• build 13.1.1 and this PR and check the top and bottom of your windows

Some images:

Notes:

This will make sure a bottomnavigation will be behind the navigation bar BUT the content will stay above it. So it technically is not using edge-to-edge in order to make existing apps look the same without any changes. It is not using safeArea or allows content behind the bottom navigation. This should be implemented at some point. But this PR will just make sure we have something that is Android SDK 36 ready once there is a requirement by Google!

Removing the current bottom padding for normal windows will make them look like this:

so you have to make sure to set a proper bottom position (like iOS)

[cb1kenobi]

Wow, excellent work!

[hbugdoll]

Very good. I was just about to ask how things were going on with target API level 36...

[hansemannn]

Is the app icon <> title spacing also that way natively? It clips to the app icon

[m1ga]

Don't think so, but this is how it looks with the current SDK too if I remember correctly.

Ti also still use Actionbars in some places. We would need to move all those to Toolbars to have a better look in general.

[m1ga]

I've added some more tasks to look at in the first post of the issue:
#14353 (comment)
we don't need to fix all right away as some are only deprecated but currently still work. This PR will already work with Android 36 but I'll see if I can add some more changes to it.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	tap@​1.4.1
	detect-node@​2.1.0
	browserify-zlib@​0.2.0
	cgbi-to-png@​1.0.7
	should@​13.2.3
	pixelmatch@​7.1.0
	mocha@​8.4.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 2.5.4 From: tests/package-lock.json → npm/tap@1.4.1 → npm/form-data@2.1.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@2.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm json-schema is vulnerable to Prototype Pollution CVE: GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution (CRITICAL) Affected versions: < 0.4.0 Patched version: 0.4.0 From: tests/package-lock.json → npm/tap@1.4.1 → npm/json-schema@0.2.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json-schema@0.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm lodash CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL) Affected versions: < 4.17.12 Patched version: 4.17.12 From: tests/package-lock.json → npm/tap@1.4.1 → npm/lodash@3.10.1 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@3.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm minimist CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 1.2.6 From: tests/package-lock.json → npm/tap@1.4.1 → npm/minimist@1.2.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimist@1.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm minimist CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 1.2.6 From: tests/package-lock.json → npm/tap@1.4.1 → npm/minimist@1.2.5 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimist@1.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[m1ga]

big update:

Fix: Predictive Back Gesture Support

• Added android:enableOnBackInvokedCallback="true" to all 3 manifest files
• TiBaseActivity.java: Added OnBackInvokedCallback registration in onCreate(), unregistration in onDestroy(), extracted shared handleBackNavigation() method
• TiCameraActivity.java / TiCameraXActivity.java: Added handleBackNavigation() override so camera back handling works with predictive back

Fix: Gradle Config

• gradle.properties: Updated suppressUnsupportedCompileSdk from 35 to 36

Fix: Migrate setSystemUiVisibility() to WindowInsetsController

• TiBaseActivity.java: Replaced setFullscreen() and windowCreated() to use WindowInsetsControllerCompat
• WindowProxy.java: Replaced 3 occurrences (window creation + 2 property change handlers)
• TabGroupProxy.java: Replaced light status bar handling
• TiToolbar.java: Replaced status bar overlap handling
• TiUIBottomNavigationTabGroup.java / TiUIBottomNavigation.java: Replaced light navigation bar handling

Fix: Orientation Restrictions on Large Screens

• TiWindowProxy.java, DecorViewProxy.java, ActivityProxy.java: Added large screen detection (>600dp) with warnings when fixed orientation is requested on Android 16+

Fix: Remove Reflection

• TiToolbarStyleHandler.java: Removed reflection on private mMaxButtonHeight field, kept setMinimumHeight() + requestLayout()

And since statusBarColor is not available anymore in 36+ I'm using the backgroundColor of the e.g. TabGroup to fill that color. That way you can now do:

before it was just black/white.

[hansemannn]

Should we deprecate it already, as it's still usable, but not encouraged to be set anymore? It probably depends on the app's target SDK level to decide, but looking at how Android itself deprecates, it may make sense.

[m1ga]

It still works on an Android 11 phone so it's just for Anrdoid 16+ where the edge-to-edge design is used that it won't work. We could add a warning log that if you use statusBarColor and your phone is Android 16+ it will show that you have to set a backgroundColor. On the other hand: you would see that on your device too if you test it (it's black/transparent or has your backgroundColor already).