Question on permissions

[IzzySoft]

My APK scanner got a few additional checks implemented in January, and on today's release of Delta reported:

! repo/chat.delta.lite_30000669.apk declares sensitive permission(s):
 android.permission.READ_CONTACTS android.permission.READ_MEDIA_IMAGES
 android.permission.READ_MEDIA_VIDEO android.permission.READ_EXTERNAL_STORAGE
 android.permission.CAMERA android.permission.ACCESS_BACKGROUND_LOCATION
 android.permission.ACCESS_COARSE_LOCATION android.permission.ACCESS_FINE_LOCATION
 android.permission.RECORD_AUDIO android.permission.REQUEST_INSTALL_PACKAGES

Now, some of those I thought to be clear and added them already to the app's allow list (to make the explanations visible and reduce the warning reports for the next round):

(please correct me should I've gotten something wrong there), but a few "chocolate entries" are still open. Could you please clarify what the location permissions are needed for – and what packages Delta tries to install? Be welcome to include explanations for the others as well to make them transparent, too :wink:

As for the DEPENDENCY_INFO_BLOCK, that should be easy to get rid of:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

[adbenitez]

hi, thanks for reaching out, nice to see your apk scanner got improved

please clarify what the location permissions are needed for

DeltaLab has a "location streaming" feature, where user can share their location with a group or contact, the permission is asked only when the user actually request to use such features

android.permission.CAMERA

actually I think that permission was needed for a built-in camera app from the official Delta Chat, but I removed it from DeltaLab so it could be removed!! thanks!

and what packages Delta tries to install

DeltaLab doesn't install any apk, IIRC it is about allowing user to install received APKs, ex. some friend directly sent you in an encrypted chat an APK file and then you click the attachment and then the package installer of the system offers to install the apk, as per https://support.google.com/googleplay/android-developer/answer/12085295?hl=en

To use this permission, your app’s core functionality must include:

1. Sending or receiving app packages, AND
2. Enabling user-initiated installation of app packages.

[IzzySoft]

location streaming

Thanks! Wasn't aware of that. Added the 3 location perms to the allow-list accordingly.

[Camera] could be removed

Ah, found a "legacy bit"? Cool. OK, then I leave that "chocolate" for now – and it will disappear automatically with the next release.

[REQUEST_INSTALL_PACKAGES] Thanks! I was afraid it might have been a self-updater (since these scans are in effect, this permission unveiled several of those).

So there we are then:

If you want to have some other gaps filled, just let me know. And I'm looking with a curious eye whether the next release will have not only CAMERA, but also "that BLOB" removed :wink:

[IzzySoft]

CAMERA is still there with today's release:

! repo/chat.delta.lite_30000672.apk declares sensitive permission(s): android.permission.CAMERA

But the BLOB is gone :partying_face:

[adbenitez]

CAMERA is still there with today's release:

I have no clue why, I removed the permission from AndroidManifest.xml file as you can review in the linked PR so I don't know how is it even possible that it still has the camera permission

[IzzySoft]

I have a vague clue:

<uses-feature android:name="android.hardware.camera" android:required="false" />

Not sure about the required, but declaring that feature would IIRC implicitly trigger the permission. Maybe remove that line, build an APK, and run aapt d badging app-release.apk to check? If that does the trick, we have identified the culprit.

[adbenitez]

I have a vague clue:

no luck, tried removing this from manifest, then running the aapt command you recommended and grep-ing for camera:

uses-permission: name='android.permission.CAMERA'
  uses-feature-not-required: name='android.hardware.camera'
  uses-feature-not-required: name='android.hardware.camera.autofocus'
  uses-feature-not-required: name='android.hardware.camera.flash'
  uses-feature-not-required: name='android.hardware.camera.front'

[adbenitez]

UPDATE: camera permission is actually needed, the app has a QR scanner, that needs direct access to camera, unlike the "take photo to attach" feature

[IzzySoft]

the app has a QR scanner

Now, that's an easy explanation indeed! Added – and the last piece of chocolate is gone:

Be welcome to name descriptions for any of the permissions left if you want – or to close the issue then. Thanks a lot!

[adbenitez]

Now, that's an easy explanation indeed! Added – and the last piece of chocolate is gone:

thanks a lot for your help!, btw, for me the permissions still look in "chocolate" color at https://apt.izzysoft.de/fdroid/index/apk/chat.delta.lite

[IzzySoft]

for me the permissions still look in "chocolate" color

Nonono. Look again, the sync was at 7 pm UTC as usual :wink: (and apologies, I must have forgotten to sync that file manually, which for this would have worked… Too many of those issues to follow currently, since my scanner got those additional checks. Hope that will calm down a bit soon…)