Question on permissions #63

Open
IzzySoft opened this issue Apr 29, 2024 · 2 comments
@IzzySoft
Contributor

For the latest release, my scanner just reported:

! repo/green_green_avk.anotherterm.redist_145.apk declares flag(s): usesCleartextTraffic
! repo/green_green_avk.anotherterm.redist_145.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE android.permission.CAMERA
! repo/green_green_avk.anotherterm.redist_145.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify their usage? Thanks in advance! (and if you want the other permissions accompanied by an explanation as well, I'll welcome those too 😉)

Ah, that DEPENDENCY_INFO_BLOCK is easily solved by the way:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

@green-green-avk
Owner

Short answer first

usesCleartextTraffic & <certificates src="user" />

There are

that could get content from the network. How else could the user access HTTP and HTTPS if the device certificates are outdated?

android.permission.READ_EXTERNAL_STORAGE

It is an ancient one... #1
There are people for whom SAF (via termsh) is not an option...

android.permission.CAMERA

Oh huh: https://green-green-avk.github.io/AnotherTerm-docs/issues.html#android9-uvc

contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Is it bad??? 🤔

@IzzySoft
Contributor Author

So let me rephrase, while keeping it simple:

  • usesCleartextTraffic is used for connections in the local network
  • READ_EXTERNAL_STORAGE is of course very dang… err, skip that, we're talking about a terminal app here. Sorry, I just quoted the log.
  • CAMERA is required to connect to any USB_CLASS_VIDEO device since Android 9

I've put that in for now, so these are thereby on the "green list" for your app.

Is it bad???

Can you tell? Just look what's inside. Wait, you can't? How's that? Oh, only Google can as it's encrypted with their key? Well, they'd never collect location data without your consent, so they'd certainly not put something strange in here if they say they don't, would they? Apologies for the sarcasm, but: it's a "proprietary blob", and in the FOSS world such are questionable at best. So I'd suggest you keep this out of the APKs here – and if you want, keep it in for the AABs shipped to Play. Would that work for you?

@green-green-avk green-green-avk self-assigned this May 1, 2024
@green-green-avk green-green-avk added the question Further information is requested label May 1, 2024