JellyBookOrg / JellyBook

A nice way to read books and comics from Jellyfin
MIT License

Question on permissions #164

Closed IzzySoft closed 7 months ago

IzzySoft commented 7 months ago

My recently upgraded scanner just got some of its new routines triggered by today's update of your app and reported:

! repo/com.KaraWilson.JellyBook_2023.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE android.permission.READ_MEDIA_IMAGES
  android.permission.READ_MEDIA_VIDEO android.permission.READ_MEDIA_AUDIO
! repo/com.KaraWilson.JellyBook_2023.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

By its description JellyBook plays contents from the JellyFin server. These permissions suggest it also covers local content on the device, is that true? A clarification for those permissions would be much appreciated, because…

[image]

Chocolate :wink: As for DEPENDENCY_INFO_BLOCK, that's easy to fix in build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
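
Added example (editorial, not part of the thread and not JellyBook's or IzzySoft's code): the check a scanner performs to report "signature block blobs" is to walk the APK Signing Block that sits just before the ZIP central directory and list its ID-value pairs. The block layout (uint64 size, length-prefixed pairs of uint32 ID plus value, repeated uint64 size, the 16-byte magic "APK Sig Block 42") is the documented APK Signature Scheme v2 container; the sample APK below is constructed in code by splicing such a block into a tiny ZIP, so the script runs offline. The block IDs in KNOWN_IDS are the platform's published ones; 0x504b4453 is the DEPENDENCY_INFO_BLOCK the scanner flagged.

```python
"""List APK Signing Block IDs, the way a repo scanner detects 0x504b4453 (DEPENDENCY_INFO_BLOCK).

Added example, not JellyBook's or IzzySoft's code. The sample APK is constructed below.
"""
import io
import struct
import zipfile
from typing import Dict, List

EOCD_SIG = 0x06054B50                      # ZIP End-Of-Central-Directory signature
SIG_BLOCK_MAGIC = b"APK Sig Block 42"      # trailing magic of the APK Signing Block

# Block IDs used by the Android platform and Google's build tooling.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    0x504B4453: "DEPENDENCY_INFO_BLOCK (Google, encrypted)",
}


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record; scan backwards because a ZIP comment may follow it."""
    start = max(0, len(data) - 22 - 65535)
    for off in range(len(data) - 22, start - 1, -1):
        if struct.unpack_from("<I", data, off)[0] == EOCD_SIG:
            return off
    raise ValueError("no EOCD record; not a ZIP/APK")


def signing_block_ids(data: bytes) -> Dict[int, int]:
    """Return {block_id: value_length} for every pair in the APK Signing Block, {} if absent."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]   # central directory offset
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return {}
    size_of_block = struct.unpack_from("<Q", data, cd_offset - 24)[0]   # excludes leading size field
    block_start = cd_offset - size_of_block - 8
    if struct.unpack_from("<Q", data, block_start)[0] != size_of_block:
        raise ValueError("APK Signing Block size fields disagree")
    pairs_end = cd_offset - 24
    pos = block_start + 8
    ids: Dict[int, int] = {}
    while pos < pairs_end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]       # length of ID + value
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        ids[block_id] = pair_len - 4
        pos += 8 + pair_len
    return ids


def has_dependency_info(data: bytes) -> bool:
    return 0x504B4453 in signing_block_ids(data)


def scan(data: bytes) -> List[str]:
    """One report line per block, mirroring the scanner's 'contains signature block blobs' output."""
    return [f"0x{i:08x} {KNOWN_IDS.get(i, 'unknown')} ({n} bytes)" for i, n in signing_block_ids(data).items()]


# ---- constructed sample input (not a real APK) ----
def build_plain_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")   # placeholder, not real binary XML
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def splice_signing_block(plain: bytes, pairs: Dict[int, bytes]) -> bytes:
    """Insert an APK Signing Block before the central directory and fix the EOCD's CD offset."""
    eocd = find_eocd(plain)
    cd_offset = struct.unpack_from("<I", plain, eocd + 16)[0]
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size_of_block = len(body) + 8 + 16                      # pairs + trailing size + magic
    block = struct.pack("<Q", size_of_block) + body + struct.pack("<Q", size_of_block) + SIG_BLOCK_MAGIC
    out = bytearray(plain[:cd_offset] + block + plain[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


PLAIN_APK = build_plain_zip()
SAMPLE_APK = splice_signing_block(PLAIN_APK, {0x7109871A: b"\x00" * 16, 0x504B4453: b"\x01" * 8})

if __name__ == "__main__":
    for line in scan(SAMPLE_APK):
        print(line)
```

Because the dependency-info value is encrypted to a Google key, the script can only report that the block is present and how large it is, which is exactly the point made above: nobody outside Google can check what it contains, so the build.gradle switch is the fix and this is the check that it worked (an APK built with includeInApk = false shows no 0x504b4453 entry).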

Kara-Zor-El commented 7 months ago

Hi,

Thank you so much for all the good work. I did recently add the ability to upload an image to the app to change book titles. Not sure why it is picking up audio and video though. Perhaps the dependency causes that to be added? Not 100% sure. I can release a new release with a quickfix for the DEPENDENCY_INFO_BLOCK by Saturday or so.

Thanks, Kara

IzzySoft commented 7 months ago

Thank you so much for all the good work.

Thanks for the warm feedback! Which surprisingly I get almost everywhere with my reports – which is pretty much overwhelming and, of course, motivating :heart_eyes:

Not sure why it is picking up audio and video though.

Actually, that's exactly the part that got me confused. And yes, I'd suspect a dependency there as well. I cannot tell which one you added – but if you're sure you do not need those permissions, here's how to get rid of them: Removing Unwanted Manifest Permissions With tools:node

<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools">
    <uses-permission android:name="android.permission.READ_MEDIA_AUDIO" tools:node="remove" />
    <uses-permission android:name="android.permission.READ_MEDIA_VIDEO" tools:node="remove" />
</manifest>

I can release a new release with a quickfix for the DEPENDENCY_INFO_BLOCK by Saturday or so

Cool, thanks! If you prefer you could check the tools:node alongside, take a few more days for testing to rule out side-effects, and have both ready a little later. Or split it up into two steps – whichever you prefer.

Thanks a lot! Izzy.
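
Added example (editorial, not part of the thread and not JellyBook's code): a tools:node="remove" override only helps if the merged manifest the build actually ships no longer carries the permission, so the check worth running before release is to read that merged manifest and diff its sensitive permissions against the ones the app intends. The Android Gradle plugin writes the merged manifest as plain XML under build/intermediates/merged_manifests/<variant>/AndroidManifest.xml (path assumed from the usual AGP layout). The two manifests below are constructed stand-ins for the build before and after the override; the INTENDED set (READ_MEDIA_IMAGES for the cover-image upload) is an assumption about what the app needs.

```python
"""Verify that unwanted permissions really left the merged manifest.

Added example, not JellyBook's code. BEFORE/AFTER are constructed manifests, not build output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The permissions the scanner flagged on this app.
SENSITIVE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
}


def declared_permissions(manifest_xml: str) -> Dict[str, Optional[int]]:
    """Map each <uses-permission> name to its android:maxSdkVersion (None when unbounded)."""
    root = ET.fromstring(manifest_xml)
    result: Dict[str, Optional[int]] = {}
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        max_sdk = el.get(f"{{{ANDROID_NS}}}maxSdkVersion")
        if name:
            result[name] = int(max_sdk) if max_sdk is not None else None
    return result


def unexpected_permissions(manifest_xml: str, intended: Set[str]) -> List[str]:
    """Sensitive permissions present in the merged manifest that the app did not mean to request."""
    return sorted(p for p in declared_permissions(manifest_xml) if p in SENSITIVE and p not in intended)


# Constructed: a merged manifest where a media-picker dependency contributed more than the app asked for.
BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />
    <uses-permission android:name="android.permission.READ_MEDIA_VIDEO" />
    <uses-permission android:name="android.permission.READ_MEDIA_AUDIO" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="32" />
</manifest>"""

# Constructed: the same build after tools:node="remove" for the audio and video entries.
AFTER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="32" />
</manifest>"""

# Assumption: the image upload for book covers is the only media access the app needs.
INTENDED = {"android.permission.READ_MEDIA_IMAGES"}

if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after", AFTER)):
        print(label, unexpected_permissions(xml, INTENDED))
```

The AFTER case still reports READ_EXTERNAL_STORAGE: on Android 13 and later that permission is superseded by the granular READ_MEDIA_* ones, and the maxSdkVersion="32" attribute limits it to older devices, so whether it stays is a separate decision from the audio/video removal discussed above. Reading maxSdkVersion out of the merged manifest is what lets you tell the two situations apart.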

IzzySoft commented 7 months ago

Oof. Seems you've added Sentry, so my scanner yelled again. May I ask if Sentry is configured opt-in?

Kara-Zor-El commented 7 months ago

In regards to your first message, I will try to rule out any side effects but it should probably be done by Saturday or Sunday.

In regards to your second, yes Sentry is opt-in rather than opt-out. Wouldn't be right to track people without their permission.

Thanks, Kara

IzzySoft commented 7 months ago

Great, thanks! Will add Sentry to the "allow-list" then (i.e. suppressing the Tracking AF it would otherwise have triggered) – and wait patiently for the other part. Glad you hold the value of privacy high! :heart_eyes:

Kara-Zor-El commented 7 months ago

Hey Izzy,

Something came up today that had me swamped and I don't think I will be able to get the release out tonight. Will most likely be tomorrow.

Thanks, Kara

IzzySoft commented 7 months ago

No worries. I know you're on it and you care, so a day or two more won't be a problem. Thanks!

Kara-Zor-El commented 7 months ago

Oh btw, do you have an email I can contact for a more personal inquiry?

Kara-Zor-El commented 7 months ago

@IzzySoft are there any more issues coming up or am I good to close this issue?

Kara-Zor-El commented 7 months ago

Assuming you're busy and gonna close this assuming everything's good.

IzzySoft commented 7 months ago

Argh, the next issue Github lost notifications for. I just got the one about the issue being closed :cry: So apologies for not having replied earlier – I simply did not know you'd asked!

do you have an email I can contact for a more personal inquiry?

Yes. Contact details are listed on my website. But you can use my nick from here, @ and as domain qumran.org, which is what I use for "devel stuff" (Github etc).

are there any more issues coming up

At some point maybe (I constantly "polish my shields") – but scrolling up what we've dealt with here, probably not in the next few weeks/month :wink: