Question on permissions #1821

Open
IzzySoft opened this issue May 10, 2024 · 5 comments

@IzzySoft

On the latest APK, my scanner reports:

```
! repo/com.kunzisoft.keepass.free_129.apk declares intent-filter(s): android.view.InputMethod
! repo/com.kunzisoft.keepass.free_129.apk declares sensitive permission(s): android.permission.QUERY_ALL_PACKAGES
! repo/com.kunzisoft.keepass.free_129.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
```

Can those please be clarified? I assume InputMethod is needed for auto-type. For QUERY_ALL_PACKAGES I found #996 which is still open, so I assume the reason given there („used to open applications directly from their applicationId from an "AndroidApp" field“) still holds true?

As for DEPENDENCY_INFO_BLOCK, this can easily be avoided:

```gradle
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}
```

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
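To show where a finding such as `0x504b4453` comes from, here is an added example (not part of the issue thread, and not the code of KeePassDX or of the scanner quoted above) that lists the ID-value pairs in an APK Signing Block. The v2, v3 and padding IDs are the ones defined by the APK Signature Scheme; the sample file built by the hypothetical `build_sample()` helper is constructed for the demonstration.

```python
import struct

APK_SIG_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    0x504B4453: "DEPENDENCY_INFO_BLOCK (ID from the scanner output above)",
}

def signing_block_ids(apk: bytes) -> list:
    """Return (id, value_length) for every ID-value pair in the APK Signing Block."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no ZIP End of Central Directory record")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    # The block, if present, ends with the magic directly before the central directory.
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != APK_SIG_MAGIC:
        return []
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8  # size excludes its own leading 8-byte copy
    if size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("signing block size fields disagree")
    pairs, pos, end = [], start + 8, cd_offset - 24
    while pos < end:
        (length,) = struct.unpack_from("<Q", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        (pair_id,) = struct.unpack_from("<I", apk, pos + 8)
        pairs.append((pair_id, length - 4))
        pos += 8 + length
    return pairs

def build_sample() -> bytes:
    """Constructed stand-in for an APK: filler, signing block, empty central directory, EOCD."""
    def pair(pid, value):
        return struct.pack("<QI", 4 + len(value), pid) + value
    pairs = pair(0x7109871A, b"\x00" * 8) + pair(0x504B4453, b"\xAA" * 5)
    size = len(pairs) + 24  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_MAGIC
    body = b"constructed-zip-entries" + block
    return body + struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 0, 0, 0, len(body), 0)

if __name__ == "__main__":
    for pair_id, length in signing_block_ids(build_sample()):
        print(f"0x{pair_id:08x}  {length:>6} bytes  {KNOWN_IDS.get(pair_id, 'unknown')}")
```

To inspect a real build, pass the file's bytes to `signing_block_ids()`; after setting `includeInApk = false` the `0x504b4453` entry should no longer be listed.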

@IzzySoft
Author

PS: with KeePassDX being available at IzzyOnDroid, maybe you want to pick a badge to link there, next to the other three? 😉

@J-Jamet
Member

J-Jamet commented May 11, 2024

I haven't changed the permissions since the last version.

> Can those please be clarified? I assume InputMethod is needed for auto-type. For QUERY_ALL_PACKAGES I found #996 which is still open, so I assume the reason given there („used to open applications directly from their applicationId from an "AndroidApp" field“) still holds true?

Yes indeed

> As for DEPENDENCY_INFO_BLOCK, this can easily be avoided:

I'll take a look.

@IzzySoft
Author

> I haven't changed the permissions since the last version.

Probably not – but I have extended my scanners since 😉 Details are outlined here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo

> Yes indeed

Thanks for confirming! I've put that to your app's "green list" with the explanation added:

[image]

> I'll take a look.

Thanks! Excluding it for the APK would suffice, in case you think you'll need it for the AAB to upload to Google Play.

That said: Thanks a lot for maintaining your app – I'm one of your happy "users" myself!

@shuvashish76

shuvashish76 commented May 12, 2024

> I assume InputMethod is needed for auto-type.

@J-Jamet Auto-type feature of Autofill service feature only not Magikeyboard right? Or required for both?

@J-Jamet
Member

J-Jamet commented May 15, 2024

@shuvashish76 android.view.InputMethod is the Magikeyboard declaration
