search

KamWithK / AnkiconnectAndroid

Unofficial Ankiconnect for Android (i.e. for Yomichan)
GNU General Public License v3.0
115 stars 14 forks source link

Question on permissions #53

Closed IzzySoft closed 7 months ago

IzzySoft commented 7 months ago

My scanner got some new checks in January, and on today's update of your app reported:

! repo/com.kamwithk.ankiconnectandroid_13.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE android.permission.SYSTEM_ALERT_WINDOW
! repo/com.kamwithk.ankiconnectandroid_13.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what those permissions are needed for? As for that DEPENDENCY_INFO_BLOCK, that's easily avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

KamWithK commented 7 months ago

Reading storage would be for local audio support (instead of querying forvo every single time you want to hear the audio for a word you can download the audio and the app will serve it so Yomichan/Yomitan can use it directly) I'm actually not sure what system alert window was for, I'll have to try have a dig through the code about that Happy to make those dependency info changes, sounds like a good idea

Bit busy right now but I'll try get around to it sometime next week

IzzySoft commented 7 months ago

Reading storage would be for local audio support

Thanks, added that. And thanks for looking after the other two! Fully understood that it might take a little.

KamWithK commented 7 months ago

System alert window as documented:

    This permission is required to open another activity from an app in the background
    (i.e. AnkiConnectAndroid opening AnkiDroid when the kiwi browser is in focus)
KamWithK commented 7 months ago

I have also pushed a change with your requested changes for the dependency tree info

KamWithK commented 7 months ago

This will be part of the next release, which is most likely whenever #55 is fixed and merged

IzzySoft commented 7 months ago

System alert window

Thanks! Included here now.

I have also pushed a change with your requested changes for the dependency tree info

Thanks again! Looking forward to the next release then (that "warning" should then clear itself).