Open IzzySoft opened 1 week ago
IzzySoft
commented
1 week ago Btw, looks like the package name has changed:
2024-07-01 03:34:47,961 WARNING: com.xayah.databackup_3411063.apk (com.xayah.databackup.foss) has no metadata!Shall I move to the new one? that would mean everyone had to uninstall/reinstall of course. Updater here is pinned to /v7a-foss-release/i.
XayahSuSuSu
commented
1 week ago android.permission.QUERY_ALL_PACKAGES is for querying packagesusesCleartextTraffic is needed by http connection, which is used by cloud functions(WevDAV)DEPENDENCY_INFO_BLOCK with your suggetsions, thanks!XayahSuSuSu
commented
1 week ago Btw, looks like the package name has changed:
2024-07-01 03:34:47,961 WARNING: com.xayah.databackup_3411063.apk (com.xayah.databackup.foss) has no metadata!Shall I move to the new one? that would mean everyone had to uninstall/reinstall of course. Updater here is pinned to
/v7a-foss-release/i.
Yeah we need to migrate to com.xayah.databackup.foss
XayahSuSuSu
commented
1 week ago As for
DEPENDENCY_INFO_BLOCK, that can easily be avoided with a tiny adjustment in yourbuild.gradle:android { dependenciesInfo { // Disables dependency metadata when building APKs. includeInApk = false // Disables dependency metadata when building Android App Bundles. includeInBundle = false } }
I've added it, can you have a test? DataBackup-2.0.1-arm64-v8a-foss-release.zip
IzzySoft
commented
1 week ago which is used by cloud functions(WevDAV)
Local WebDAV I assume? Because in the "open net" it should always be SSL.
Package and storage permissions are clear then (the former I already had added to the green list). Done so for the storage perms as well then.
we need to migrate to com.xayah.databackup.foss
OK, will do so now so the new package should show up with the next sync around 6 pm UTC.
Thanks for disabling the blob – I've sent the file through the scanner and it didn't complain.
XayahSuSuSu
commented
1 week ago Local WebDAV I assume? Because in the "open net" it should always be SSL.
Not only local, we also support remote server
IzzySoft
commented
1 week ago Not only local, we also support remote server
I meant cleartextTraffic in this context. Cleartext connections to the open internet should at least raise a proper warning due to increased risk of MITM etc. Do you check that? The backups can contain quite sensitive details after all.
XayahSuSuSu
commented
1 week ago Not only local, we also support remote server
I meant
cleartextTrafficin this context. Cleartext connections to the open internet should at least raise a proper warning due to increased risk of MITM etc. Do you check that? The backups can contain quite sensitive details after all.
Nope, there's no any check for that, maybe I can add a warning about it.
IzzySoft
commented
1 week ago maybe I can add a warning about it.
That would be good I'd say. Meanwhile, I'll add the flag to the "green list":
usesCleartextTraffic: intended for connections within the local networkshould match I guess?
XayahSuSuSu
commented
1 week ago maybe I can add a warning about it.
That would be good I'd say. Meanwhile, I'll add the flag to the "green list":
usesCleartextTraffic: intended for connections within the local networkshould match I guess?
Yes!
I just received a report from the IoD scanners:
Could you please clarify?
android.permission.QUERY_ALL_PACKAGESis clear for a backup app of course – but what cleartext connections are needed? I guess the storage should be clear as well (needed to access the data to be backed up/restored), but a confirmation is welcome.As for
DEPENDENCY_INFO_BLOCK, that can easily be avoided with a tiny adjustment in yourbuild.gradle:For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
Thanks in advance!