Question on permissions

[IzzySoft]

On the latest APK, my scanner reports:

! repo/com.kunzisoft.keepass.free_129.apk declares intent-filter(s): android.view.InputMethod
! repo/com.kunzisoft.keepass.free_129.apk declares sensitive permission(s): android.permission.QUERY_ALL_PACKAGES
! repo/com.kunzisoft.keepass.free_129.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Can those please be clarified? I assume InputMethod is needed for auto-type. For QUERY_ALL_PACKAGES I found #996 which is still open, so I assume the reason given there („used to open applications directly from their applicationId from an "AndroidApp" field“) still holds true?

As for DEPENDENCY_INFO_BLOCK, this can easily be avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

[IzzySoft]

PS: with KeePassDX being available at IzzyOnDroid, maybe you want to pick a badge to link there, next to the other three? :wink:

[J-Jamet]

I haven't changed the permissions since the last version.

Can those please be clarified? I assume InputMethod is needed for auto-type. For QUERY_ALL_PACKAGES I found https://github.com/Kunzisoft/KeePassDX/issues/996 which is still open, so I assume the reason given there („used to open applications directly from their applicationId from an "AndroidApp" field“) still holds true?

Yes indeed

As for DEPENDENCY_INFO_BLOCK, this can easily be avoided:

I'll take a look.

[IzzySoft]

I haven't changed the permissions since the last version.

Probably not – but i have extended my scanners since :wink: Details are outlined here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo

Yes indeed

Thanks for confirming! I've put that to your app's "green list" with the explanation added:

I'll take a look.

Thanks! Excluding it for the APK would suffice, in case you think you'll need it for the AAB to upload to Google Play.

That said: Thanks a lot for maintaining your app – I'm one of your happy "users" myself!

[shuvashish76]

I assume InputMethod is needed for auto-type.

@J-Jamet Auto-type feature of Autofill service feature only not Magikeyboard right? Or required for both?

[J-Jamet]

@shuvashish76 android.view.InputMethod is the Magikeyboard declaration

[shuvashish76]

You can close the issue now. BTW @J-Jamet what do you think about updating wiki/FAQs with explanations for each of the permissions/intents used by KPDX just for transparency?

[J-Jamet]

https://github.com/Kunzisoft/KeePassDX/wiki/FAQ#what-are-the-permissions-used-in-keepassdx

[shuvashish76]

Permissions are already hyperlinked if you click on "Permissions" from IzzyOnDroid page of KPDX. Updated the wiki with link to IzzySoft's article as he has done really great job by compiling all the sources to a single list.

[IzzySoft]

Thanks! I've taken the freedom to transfer over the remaining descriptions and fill the gaps. Now the only thing left is that dependency blob (see the initial post on how to get rid of that):