AdamGuidarini / MediTrak

A free and open source medication tracking app for Android 8 and newer.
GNU General Public License v2.0

Question on permissions #72

Closed IzzySoft closed 7 months ago

IzzySoft commented 7 months ago

My scanner (which got a few additional checks in January) reported on today's update:

! repo/projects.medicationtracker_15.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE
! repo/projects.medicationtracker_15.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

As I don't see any matching feature in either the app description or screenshots, may I kindly ask for clarification on what the storage permissions (read and write) are needed for?

That DEPENDENCY_INFO_BLOCK can be avoided easily btw:

```groovy
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}
```

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

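The signature-block finding above can be reproduced without the scanner: the following is an added example (not code from this issue, from MediTrak, or from IzzySoft's scanner) that parses an APK's signing block and lists the ID-value pairs it carries, so a reviewer can check for 0x504b4453 before and after the `dependenciesInfo` change. The sample APK is constructed in memory; the block IDs other than 0x504b4453 are the well-known signature-scheme and padding IDs.

```python
from __future__ import annotations
import io
import struct
import zipfile

# Block IDs: 0x504b4453 is the DEPENDENCY_INFO_BLOCK quoted in the issue; the
# others are the well-known signature-scheme and padding IDs.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x504B4453: "DEPENDENCY_INFO_BLOCK (dependency metadata readable only by Google)",
    0x42726577: "verity padding",
}
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"

def _eocd(data: bytes) -> tuple[int, int]:
    """Return (EOCD offset, central directory offset); assumes no zip comment."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]

def signing_block_ids(data: bytes) -> dict[int, int]:
    """Map each ID in the APK Signing Block to its value length ({} if no block)."""
    _, cd_offset = _eocd(data)
    if data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]  # excludes leading size field
    pos, end = cd_offset - size, cd_offset - 24  # pairs run up to the trailing size field
    found = {}
    while pos < end:
        length, block_id = struct.unpack_from("<QI", data, pos)  # length covers ID + value
        found[block_id] = length - 4
        pos += 8 + length
    return found

def build_sample_apk(blocks: dict[int, bytes]) -> bytes:
    """Construct a tiny zip and splice in an APK Signing Block holding `blocks`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed placeholder, not a real manifest")
    data = buf.getvalue()
    eocd, cd_offset = _eocd(data)
    pairs = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in blocks.items())
    size = len(pairs) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched = bytearray(data[:cd_offset] + block + data[cd_offset:])
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(patched)
```

Run `signing_block_ids(open("app.apk", "rb").read())` on a real build and look the returned IDs up in `KNOWN_IDS`; after `includeInApk = false` the 0x504b4453 entry should no longer appear.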

AdamGuidarini commented 7 months ago

The read/write permissions are used to allow users to import/export their data in case they got a new phone and want to carry the data from the app over to it.

The read permission specifically is used here in Settings.java:

https://github.com/AdamGuidarini/MediTrak/blob/43a2965ebcca07e3accee4bcca42b3d0ad5600d9/app/src/main/java/projects/medicationtracker/Settings.java#L404-L412

Which leads to this function in DbManager.cpp:

https://github.com/AdamGuidarini/MediTrak/blob/43a2965ebcca07e3accee4bcca42b3d0ad5600d9/app/src/main/cpp/DbManager/DbManager.cpp#L396-L555

The buttons triggering imports/exports can be found in the Settings activity toward the bottom.

I'll add that dependenciesInfo change to my build.gradle just to be safe.

IzzySoft commented 7 months ago

Thanks! Added to your app's "allow list" here with the corresponding explanations:


Looking forward to the DEPENDENCY_INFO_BLOCK to disappear :smiley:

AdamGuidarini commented 7 months ago

Thank you!

IzzySoft commented 7 months ago

I thank you for the quick response and handling! :star_struck: