Replies: 20 comments
-
For a quick overview on requested permissions, please have a look at our manual: https://manual.cgeo.org/de/installation#permissions (slightly outdated, though). A new permission is "read contacts" due to integration of c:geo contacts platform, and only requested on demand if the user starts a feature regarding contacts. With regard to "cleartext connections" I can only guess: c:geo accepts a couple of links, eg: a url to a gpx file, and accepts unencrypted (http) connections for it (besides accepting https connections). READ_EXTERNAL_STORAGE is only required for older Android version, for newer versions c:geo is using SAF (storage access framework). |
Beta Was this translation helpful? Give feedback.
-
For the
This was introduced for Issue #7889. For details see there. In short:
The The images at geocaching.com should in the meantime downloadable with https, but probaly there are links (also at other platforms) to http sources. |
Beta Was this translation helpful? Give feedback.
-
Cgeo supports many different platforms. While most of them support https meanwhile, this doesn't apply to all sites. E.g. http://gcvote.com/ is http only. (while the front end is broken, their Api is still working.) Same applies to embedded images inside geocache listings which may be hosted on third party servers. We have no control over that. We already use https where possible.
Is this any problem? If yes, we would be happy to see a PR fixing this. Only the contacts permission is new BTW and was introduced cause we merged the cgeo contacts plug-in with the main app to reduce maintenance effort and make the feature more popular. |
Beta Was this translation helpful? Give feedback.
-
Thanks! That answers the storage permissions, added here. android.permission.ACCESS_FINE_LOCATION: needed to locate/guide-to GeoCaches
android.permission.ACCESS_COARSE_LOCATION: needed to locate/guide-to GeoCaches
android.permission.READ_EXTERNAL_STORAGE: needed on lower Android versions to read geocaches saved for offline use
android.permission.WRITE_EXTERNAL_STORAGE: needed on lower Android versions to save geocaches for offline use
android.permission.READ_CONTACTS: used optionally for integration of the c:geo contacts platform
OK, got it. Are there at least any warnings shown? Plain
As outlined. It's an opaque blob only Google can read (as it's encrypted with their key), so nobody can tell for sure what's really in there. An article on this topic will be published on Monday, going a bit more in-depth on the risks of those "dependency block blobs" (there are others, too).
Scroll up, it's basically a one-line fix in your dependenciesInfo {
includeInApk = false
} That's all. |
Beta Was this translation helpful? Give feedback.
-
For backgrounds to the DEPENDENCY_INFO_BLOCK see https://gitlab.com/fdroid/admin/-/issues/367 (https://gist.github.com/obfusk/31c332b884464cd8aa06ce1ba1583c05#dependency-info-block-1). Description: |
Beta Was this translation helpful? Give feedback.
-
I understand on one side, that a salted encrypted text is not deterministic and therefor the apk is no more deterministic. Of course, I can see that F-Droid neither needs nor can use this encrypted package.
Currently we build no Bundle, so your idea would not solve the problem. It would be fine if you could create a PR for dedicated sourceSets (nightly/release) for F-Droid. |
Beta Was this translation helpful? Give feedback.
-
Sorry – but not being an Android dev myself, I cannot do that. I can only give hints from what I know, which I did here. But thanks for picking this up! Btw: if it were intended as transparent help, the blob would not have been encrypted with Google's public key, but rather signed with it. Signing would guarantee it cannot be tampered, while still being transparent about what's inside. So skepticism arises from the fact of stuff being hidden from the public view here. Including dependency details would be very welcome if it were done transparently, but not if it's done opaque. What is it the public should not see? What in that blob must be kept secret, and why? We're talking open source here. |
Beta Was this translation helpful? Give feedback.
-
No warning is shown. But I think the risk is rather low. We make an Api call to gcvote to request the rating (number between 0-5). If it gets MITM'd, our regex will either fail or display a wrong rating for a cache. Same applies for uploading a MITM'd rating. Pretty limited risk IMHO. Platforms especially with sensitive login data of course should and are using https. |
Beta Was this translation helpful? Give feedback.
-
Sorry, I have to disagree here. We are not talking about open source here, but about Android software regardless of where the source code is held. This information must be encrypted because an attacker could easily use it to attack the software. Of course, he could scan the source code if it is accessible to the whole world (as with c:geo). But this is more complicated than using information that is directly in the software (if it were integrated and readable there). |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
So what would you suggest to add as explanation there?
Which is what we're currently doing (clarifying). And once done, yes, it's annotated manually. I'm not aware of any safe method to automate this. So what you see there is the default text when no annotation was yet made.
That's right – and you're not the only ones with this. Another app having a similar issue decided to show a warning hint when encountering a cleartext link – once per server addressed, then remember the decision made (in case it was chosen to continue with that URL, like "risks explicitly accepted"). I cannot tell if that's feasible here, hence I only raise the question. I'm open to your suggestion for the annotation.
Oh, we do: my repo only accepts open source apps (as does F-Droid.org).
Ugh? What's "sensitive" here? I can (partly) understand this with closed source, but even there I can extract most of those details (which libraries are used etc) – guess how it comes that those are shown in my repo (see the "79 libraries detected" in above screenshot).
With open source, wouldn't that be accomplished much easier and more detailed by simply accessing the source repo? As for closed source: a choice could be offered to optionally encrypt it. So make it "encryption opt-in" instead of "all or nothing". |
Beta Was this translation helpful? Give feedback.
-
You can take my text above. Interesting idea to include such warning. I will create an issue for it.
No. You are talking about F-Droid.
Do you also see witch version they have?
Do you see the repository name in the apk? Once more, we are talking about the Google Play store. Make the encryption optionally would probaly be fine for us (and F-Droid), but this is not in our hand. |
Beta Was this translation helpful? Give feedback.
-
I'm a bit limited concerning the length of the text there. Does the following look OK to you?
Thanks a lot!
Hm, I thought I was the one opening this issue, and asking about this. I'm not concerned about PlayStore at all: this entire blob is only useful for PlayStore. I'm totally fine with you including it with what you ship there – I was rather suggesting to not ship it here (or rather, to ship an APK without it here – again no problem if both would be available and easy to distinguish). It does not help anybody apart from Google. For everyone else, it's just an opaque blob which might just contain the dependency tree, but also could contain pretty much anything else; we cannot verify. You could even use its block ID (
And you can verify that? I remember Google once stated if you turn location logging off they would not collect it. In case you don't remember that (as it was several years ago), this was not the truth; they still collected it. So if they state something, I prefer having a way to validate that. And even then, as pointed out, anyone could just abuse that block to put in their own stuff – and again, only Google could tell.
OK. But what is in your hand is which variant you ship to Google, and which you provide here 😉 So may I kindly ask you to provide an APK without it, for the FOSS world? And I'm not asking for F-Droid here, but for my repo, where your app is currently listed (since 2016-08-09 btw, so for almost 8 years now) – F-Droid doesn't have it (at least not as |
Beta Was this translation helpful? Give feedback.
-
Imagine I take the APK and swap the blob to something else. How would this affect users security? To me that blob sounds like a dead block of bytes which can and will not get executed on the device. The question is whether it's possible to convert your POC into an exploit?! Otherwise it's not a security issue in any way... |
Beta Was this translation helpful? Give feedback.
-
Ok, that's fine, imho.
Done, see #15497.
Sorry, but this issue is talking about the c:geo apk permissions.
The project provides his work in this repo.
If we believe that these are the sdkDependencies - then we have a use case, not google (besides their reputation).
Then you can remove it for your copy of c:geo, is't it?
There is nothing without a bit of trust.
I am also sceptical about many things that Google does. Btw., It is fine that you have such a repository. Maybe someone has time and is interested in building a google-reduced c:geo ("F-Droid") - the issue #15493 would be the starting point. |
Beta Was this translation helpful? Give feedback.
-
Not quite. My blog article on that is not yet published (I hope to have it ready next week). But you could search for
Thanks! In place then.
Wonderful, thanks! 🤩
So shall I split this part off to a separate issue? Or would it suffice to update the title, as my initial post clearly covers the other questions as well? 😉 (Edit: see the end of this comment – I see this topic moved to another issue already)
As I've said already, I'm no developer. I don't have any build environment even. And even if I had, I'd have to sign it with a different key (so to avoid confusion, I'd have to use a different
If I had the technical means for it, probably. It was tried and seemed to work – but I don't remember why that approach was abandoned. For one, I'd decide against it as I clearly state to provide the developers' APKs unaltered – and even removing this would mean altering the APK, though the signature verification would not break. A simple
Nope, that's stating a fact, sorry. Ever checked what happened to AOSP over the years? Especially to its apps? What happened to mail, calendar & co? They got abandoned, replaced by non-FOSS Google apps. Without your wanting it, things drag in non-free dependencies (that play-services-oss-licenses e.g. drags in GMS, which definitely is not FOSS). But we're heading quite into some other arguments here. I'm not here to fight you 😉 I'd really appreciate if you could provide an APK without that blob – but in the end will also accept a "no" if you really don't want it. Especially as that would be arguing about a needle, while with GMS and Google Maps there're some knives present, too 😜
Gladly, if you point me to replacements! One possibility would eg be to have Fastlane structures here in the repo (just the metadata, no binaries needed though you probably could use those for deployment to PlayStore then) – see my Fastlane Cheat Sheet for some guidance if you wish. My updater would then not fetch only the APK, but see to keep screenshots, description, changelogs, icon – whatever you put into Fastlane – in sync as well. If you want me to, I could send a "starter package" with those metadata via PR, which you could then build upon. But of course you could simply point me to some replacements whenever needed. If you want, also an updated app description 😉
Thanks! And agreed, let's move that part of my initial question over there. Maybe someone even might offer a flavor replacing other proprietary pieces (e.g. Maps by OSM), for a "more-foss" build 😉 Thanks a lot for your support, much appreciated! |
Beta Was this translation helpful? Give feedback.
-
Screenshots can be found here: https://github.com/cgeo/cgeo/tree/master/main/project/playstore/screenshots We can move them into fast lane structure though, if that makes it easier on the long run... |
Beta Was this translation helpful? Give feedback.
-
Thanks! Updated, and also added the German ones. As I saw them there, I've also updated the app description. Changes will become visible with the next sync around 7 pm UTC.
Having them in Fastlane would make automation possible, as outlined – so there'd be no need to wait for manual action on my end (unless something needs replacement before the next version is released, in which case I'd need to manually trigger a sync). |
Beta Was this translation helpful? Give feedback.
-
Fastlane -> "fastlane screenshots for Android" looks very interesting, see https://docs.fastlane.tools/getting-started/android/screenshots/ |
Beta Was this translation helpful? Give feedback.
-
Yeah, if you're OK using the binaries, you can automate quite a few things. Up to publishing at PlayStore & Co. Catching 2 birds with 1 breadcrumb, so to say 😉 |
Beta Was this translation helpful? Give feedback.
-
My scanner today reported after processing the recent release's APK:
Can you please clarify…
The
DEPENDENCY_INFO_BLOCK
can be easily avoided btw:For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
Beta Was this translation helpful? Give feedback.
All reactions