search

TeamAmaze / AmazeFileUtilities

An open source Google Files alternative for Android
https://teamamaze.xyz
GNU General Public License v3.0
316 stars 28 forks source link

Question on permissions #179

Open IzzySoft opened 1 month ago

IzzySoft commented 1 month ago

Your recent update triggered some of the newer scanners at IzzyOnDroid (btw, no IoD a badge in your Readme?):

! repo/com.amaze.fileutilities_136.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE android.permission.MANAGE_EXTERNAL_STORAGE
  android.permission.QUERY_ALL_PACKAGES android.permission.ACCESS_FINE_LOCATION
  android.permission.ACCESS_COARSE_LOCATION android.permission.REQUEST_DELETE_PACKAGES
  android.permission.READ_PHONE_STATE
! repo/com.amaze.fileutilities_136.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Checking with the latest app description, I could already clarify storage and QUERY_ALL_PACKAGES:

android.permission.READ_EXTERNAL_STORAGE: needed for file management
android.permission.MANAGE_EXTERNAL_STORAGE: needed for file management on higher Android versions
android.permission.QUERY_ALL_PACKAGES: needed to show/group apps

Could you please clarify the others?

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

VishalNehra commented 1 month ago

ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION > needed to identify nearby devices for transfer tab ref

REQUEST_DELETE_PACKAGES > needed by analysis manager to uninstall apps

READ_PHONE_STATE > needed to generate unique identifier (device id) for a device that persists even when device is cleaned. This is used to manage user's purchase / subscription without capturing their private data such as email id.

Will update other part as you suggested :)

IzzySoft commented 1 month ago

Ah, I totally forgot about location permissions in that context, yeah – thanks! Updated and deployed.

Will update other part as you suggested :)

Wonderful, thanks! – Hm, "part", not "parts"? There's the missing badge, and the to-be-missed blob :wink: