MRepoApp / MRepo

A modules manager for Magisk, KernelSU and APatch
GNU General Public License v3.0

Question on permissions #178

Closed IzzySoft closed 6 months ago

IzzySoft commented 6 months ago

My scanner got some new checks back in January, and on today's update reports:

! repo/com.sanmer.mrepo_731.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE
! repo/com.sanmer.mrepo_731.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what read/write storage are needed for? The READ is probably for installing modules from locally stored ZIP files. I must have missed what WRITE might be for. Thanks in advance!

That DEPENDENCY_INFO_BLOCK can easily be avoided btw:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

SanmerDev commented 6 months ago

READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE: This is the same as Magisk App, reading/writing (downloading) Zip files in the Download directory.

IzzySoft commented 6 months ago

Ah D'oh, of course. Thanks for fixing that DEPENDENCY_INFO_BLOCK!