MarmadileManteater / FreeTubeAndroid

A soft fork of FreeTube which brings it to Android (formerly FreeTubeCordova)
GNU Affero General Public License v3.0

Question on permissions #296

Open IzzySoft opened 8 months ago

IzzySoft commented 8 months ago

My scanner got a few additional checks in January, and on today's update of your app reported:

! repo/io.freetubeapp.freetube_190002110.apk declares flag(s): usesCleartextTraffic
! repo/io.freetubeapp.freetube_190002110.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE android.permission.SYSTEM_ALERT_WINDOW

Could you please clarify:

Thanks in advance!

MarmadileManteater commented 8 months ago

Cleartext connections were enabled in order to allow use of Invidious servers hosted on the local network. No cleartext connections are made except when the Invidious instance is explicitly set to HTTP by the user. If this is potentially a security issue that I am not understanding fully, I could disable cleartext.

I do not believe the external storage permission is necessary. I seem to have mistakenly left that one in there. 🍳 👤

I am completely unfamiliar with SYSTEM_ALERT_WINDOW. I wasn't aware my app was requesting that permission, and I wonder if it is coming from one of my Cordova plugins. 🤔 Is it a new permission request for this as of this version?

MarmadileManteater commented 8 months ago

Now that I am looking, I don't actually explicitly include the external storage permission either. I may need to explicitly disable those permissions if a plugin is enabling them.

MarmadileManteater commented 8 months ago

Full context: I am likely switching away from Cordova by the time I was planning on doing the next full release. The new "cordovaless" build of the app I am working on does not request these permissions in the android manifest.

IzzySoft commented 8 months ago

Thanks, @MarmadileManteater! I've added the usesCleartextTraffic to the exception list for your app together with the explanation you gave. As for the storage permission, guess I simply wait if it's gone with the next release then.

Now for SYSTEM_ALERT_WINDOW: do you use any "floating video player" maybe, or "floating controls"? In your code I see some references to a floatingTopButton. Such things need to "display over other windows", which is what SYSTEM_ALERT_WINDOW enables.

MarmadileManteater commented 8 months ago

I have plans to implement picture-in-picture, but it doesn't actually work at the moment.
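
Added example, not part of the thread and not IzzySoft's scanner: a check a maintainer could run on the merged manifest before a release to see whether a plugin has pulled in the flag or permissions reported above. It assumes the manifest is already available as text XML; `audit_manifest`, `SENSITIVE` and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: only the two permissions named in the report; extend as needed.
SENSITIVE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

def audit_manifest(xml_text):
    """Report cleartext status and sensitive permissions of a text manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    flag = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
    if flag is None:
        # Attribute absent: platform default is true up to API 27, false from 28.
        cleartext = target < 28
    else:
        cleartext = flag.lower() == "true"
    perms = set()
    # Plugins may contribute either element form to the merged manifest.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            perms.add(node.get(ANDROID + "name"))
    has_nsc = app is not None and app.get(ANDROID + "networkSecurityConfig") is not None
    return {
        "cleartext": cleartext,
        "cleartext_explicit": flag is not None,
        # A network security config, if present, governs cleartext instead of the flag.
        "network_security_config": has_nsc,
        "sensitive": sorted(perms & SENSITIVE),
    }

# Constructed sample manifest (not taken from the app discussed above).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```
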