Comments (13)
So will you remove it with the next release
I will make sure again whether it is used anywhere, but if not I'll remove it.
- ACCESS_MEDIA_LOCATION: to display geo location meta data of file results
- REQUEST_DELETE_PACKAGES: to uninstall apps from the app drawer
And still there and were better missing: DEPENDENCY_INFO_BLOCK (will you try keeping it out with the gradle snippet provided?)…
I can try, but what is its purpose?
PS: Yes, I've searched the documentation, code and issues, but couldn't find an answer…
- location: for weather widget
- write contacts: unused, didn't know that was there lol
- read / manage external storage: local file search
- request install packages: to install apk files when they occur as search results in file search
- request delete packages: to uninstall apps
- accessibility service: for some gestures, to turn off screen, open notifications, …
- clear text traffic: for unencrypted Nextcloud / Mediawiki instances for Nextcloud/Wikipedia search. Also, users can type a URL into the search bar which loads a preview of that URL. If the protocol is set to http explicitly, it uses clear text traffic.
Thanks! So here we go so far:
Be welcome to fill in the other gaps if you wish, I'll gladly add that then. May help keep future questions away (I guess that e.g. ACCESS_MEDIA_LOCATION will be added to "sensitive permissions" as well).
write contacts: unused, didn't know that was there lol
So will you remove it with the next release? Still missing: REQUEST_DELETE_PACKAGES. And still there and were better missing: DEPENDENCY_INFO_BLOCK (will you try keeping it out with the gradle snippet provided?)…
Thanks! Added the other two – and look forward to see the third one gone. Should you be unable to locate the culprit, you can try this: Removing Unwanted Manifest Permissions With tools:node
I can try, but what is its purpose?
Security and transparency. As outlined above, nobody except Google can read what's inside. And those blobs can be a security risk. We've just run a POC: I can take the APK you've signed and put anything inside such a signing block blob. Verification would not show my changes, malware scanners would not yell (only 2 out of VT's 64 engines detected an EICAR sample placed inside – and literally NOT A SINGLE ONE detected an ELF binary placed inside). Done right, neither Androguard nor ApkSigner would even see that blob (my scanner would).
So TL;DR: like with other blobs, with FOSS it's better they are not present. What isn't there cannot pose a risk.
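The comment above is about what sits in the APK Signing Block next to the real signature data. As an added illustration (not code from the thread or from the Kvaesitso project), the parser below walks the ID-value pairs of an APK Signing Block and labels the ones it recognises, so an opaque DEPENDENCY_INFO_BLOCK or an unknown ID shows up as a separate line instead of disappearing into a "signature OK" result. The block IDs in KNOWN_IDS are taken from the public APK Signature Scheme documentation as I remember them and should be treated as an assumption; the sample "APK" is constructed inline and is not a real archive.

```python
import struct

# Block IDs assumed from the APK Signature Scheme v2/v3 documentation.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    0x42726577: "verity padding",
    0x504B4453: "DEPENDENCY_INFO_BLOCK (Google Play, opaque)",
}
MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"

def list_signing_block_ids(apk: bytes) -> list:
    """Return [(block_id, value_size, description)] for each pair in the APK Signing Block."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no ZIP end-of-central-directory record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # The signing block sits directly before the central directory and ends with its magic.
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != MAGIC:
        return []  # v1-only (JAR-signed) or unsigned APK: no signing block at all
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8  # the block opens with a copy of the same size field
    if struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pos, end = start + 8, cd_offset - 24
    found = []
    while pos < end:
        pair_len = struct.unpack_from("<Q", apk, pos)[0]        # uint64: len(id) + len(value)
        block_id = struct.unpack_from("<I", apk, pos + 8)[0]    # uint32 ID
        label = KNOWN_IDS.get(block_id, "UNKNOWN / unverified blob")
        found.append((block_id, pair_len - 4, label))
        pos += 8 + pair_len
    return found

def build_sample_apk(pairs: dict) -> bytes:
    """Constructed minimal 'APK' tail: signing block + empty central directory + EOCD."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size = len(body) + 8 + 16                      # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC
    prefix = b"PK\x03\x04stub"                     # stands in for the local file entries
    cd_offset = len(prefix) + len(block)
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, cd_offset, 0)
    return prefix + block + eocd

if __name__ == "__main__":
    sample = build_sample_apk({0x7109871A: b"\x00" * 10, 0x504B4453: b"opaque"})
    for block_id, value_size, label in list_signing_block_ids(sample):
        print(f"0x{block_id:08x}  {value_size:6d} bytes  {label}")
```

Run on a real APK with `list_signing_block_ids(open(path, "rb").read())`; anything labelled UNKNOWN or opaque is a region that signature verification accepts without being able to say what it contains.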
@IzzySoft I had to revert the DEPENDENCY_INFO_BLOCK thing, because apparently without it, Google Play Protect flags my app as malware, and my users can't install it anymore.
That's very unfortunate. This blob will soon become an anti-feature, as it's a proprietary blob. The malware here is obviously PlayProtect, trying to force people into their eco-system. You're sure this is the trigger and nothing else? And folks cannot install it nevertheless (by ignoring the inappropriate and misleading message PlayProtect shows)? First time I hear this, and there are plenty of apps without that blob in the repo here.
The malware here is obviously PlayProtect, trying to force people into their eco-system.
True, but I don't think it's responsible to advise my users to disable Play Protect altogether
You're sure this is the trigger and nothing else?
I had reports from ~5 different people that they couldn't install versions 1.30.0-1.30.2 because of Play Protect and at least 3 people reporting that they could install 1.30.3. The only change in that version was that I re-enabled the dependency info block. It's not a huge sample size so there could be something else at play, but I know for certain that it affects it in some way.
And folks cannot install it nevertheless (by ignoring the inappropriate and misleading message PlayProtect shows)
I don't know, I didn't face the issue myself, but at least it doesn't seem to be trivial (otherwise people wouldn't have asked for assistance) and the only proposed solution by other users was to disable Play Protect altogether.
First time I hear this, and there are plenty of apps without that blob in the repo here.
My guess is that Play Protect becomes suspicious by the amount of sensitive permissions the launcher requests (especially the accessibility service). And the missing dependency info block is just the final nail in the coffin.
That's very unfortunate. This blob will soon become an anti-feature, as it's a proprietary blob.
I wonder if it only affects users who are trying to sideload the APK. Maybe, if it doesn't affect app stores (like F-Droid), I could disable it in the F-Droid build flavor but keep it enabled for the Github version.
My guess is that Play Protect becomes suspicious by the amount of sensitive permissions the launcher requests (especially the accessibility service). And the missing dependency info block is just the final nail in the coffin.
I've just asked in my team, and that was the same conclusion I got as response. In that case it would even make sense, to a degree – if they made that clear ("blabla risk because of blabla permission whatever, are you sure you want to proceed?"). But them making it all a blackbox, together with their history, is not especially establishing any trust. If you look at results at VirusTotal, a scanner named "Google" is the only one never giving a reason, just saying "found". Same thing.
Maybe, if it doesn't affect app stores (like F-Droid)
Where did those reporters install from, or by what means? Did they use an F-Droid client and the IzzyOnDroid repo, or "sideload" it otherwise? In the latter case, you could consider offering an APK with that blob here in addition to the one pulled by IzzyOnDroid (we could establish means to not get the two messed up).
Where did those reporters install from, or by what means? Did they use an F-Droid client and the IzzyOnDroid repo, or "sideload" it otherwise?
At least some of them sideloaded the APK from Github. I haven't heard of anyone yet having issues when they tried to install the update from an F-Droid client.
OK, worth a try then maybe. Could you add the non-blobbed APK as well (e.g. starting with the next release, and maybe include a -noblob or so in the file name)? Let me know then so I can prepare my updater to focus on that.
This way those affected could easily switch, provided both apps have the same PackageName and Signing key.
And PS, maybe worth a try: https://support.google.com/googleplay/android-developer/contact/protectappeals