Closed IzzySoft closed 6 months ago
Hello, thanks for your effort. I will prepare a key and release a proper signed APK as soon as possible after I can get it to work on mobile phones. Currently the app works only on PCs or already insecure rooted devices with SELinux disabled so I did not care about it.
Thanks for your reply! And thanks for working on it!
Currently the app works only on PCs or already insecure rooted devices with SELinux disabled so I did not care about it.
Then maybe I should better remove your app from my repo until that's solved – to avoid frustration on the end of those trying it? I'd then re-enable it as soon as you have it ready and let me know.
Thanks for your reply! And thanks for working on it!
Currently the app works only on PCs or already insecure rooted devices with SELinux disabled so I did not care about it.
Then maybe I should better remove your app from my repo until that's solved – to avoid frustration on the end of those trying it? I'd then re-enable it as soon as you have it ready and let me know.
Yes I also agree that it should be removed for now, I’ll let you know after I get it solved.
Done that now (effective with the next sync in less than 2h from now). Looking forward to your "ready ping" then, wishing you best progress!
APKs are signed with a release key now.
Thanks, that looks good! Added it back, will be available again with the next sync around 7 pm UTC. I had to screenshot the icon however as it cannot be downloaded; if you want me to put a different icon (or some screenshots), I gladly accept the graphics.
Btw, here's the output from my scanner:
No offending libs found.
Dangerous Filters:
------------------
android.view.InputMethod
Permissions:
------------
* android.permission.SYSTEM_ALERT_WINDOW
* android.permission.FOREGROUND_SERVICE
* android.permission.FOREGROUND_SERVICE_SPECIAL_USE
* android.permission.POST_NOTIFICATIONS
* android.permission.INTERNET
* android.permission.INJECT_EVENTS
* xtr.keymapper.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION
SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
If you want to have some explanations added to the permissions, especially SYSTEM_ALERT_WINDOW
(which then would loose its "chocolate" warning color), just let me know. I already did that for android.view.InputMethod
:
That DEPENDENCY_INFO_BLOCK
blob is easy to get rid of:
android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
Thanks, that looks good! Added it back, will be available again with the next sync around 7 pm UTC. I had to screenshot the icon however as it cannot be downloaded; if you want me to put a different icon (or some screenshots), I gladly accept the graphics.
Btw, here's the output from my scanner:
No offending libs found. Dangerous Filters: ------------------ android.view.InputMethod Permissions: ------------ * android.permission.SYSTEM_ALERT_WINDOW * android.permission.FOREGROUND_SERVICE * android.permission.FOREGROUND_SERVICE_SPECIAL_USE * android.permission.POST_NOTIFICATIONS * android.permission.INTERNET * android.permission.INJECT_EVENTS * xtr.keymapper.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION SigningBlock blobs: ------------------- 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
If you want to have some explanations added to the permissions, especially
SYSTEM_ALERT_WINDOW
(which then would loose its "chocolate" warning color), just let me know. I already did that forandroid.view.InputMethod
:That
DEPENDENCY_INFO_BLOCK
blob is easy to get rid of:android { dependenciesInfo { // Disables dependency metadata when building APKs. includeInApk = false // Disables dependency metadata when building Android App Bundles. includeInBundle = false } }
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
Nice! It would be great if you can use this icon, I think it is of enough quality for a icon: SYSTEM_ALERT_WINDOW is used to display a pointer on the screen and for showing alert dialogs (to select apps, switch profiles).
It would be great if you can use this icon
Done, thanks! And yes, definitely enough resolution (everything beyond 72x72 is good, 256x256 is very good – and higher is :rocket: – so yours is at least cislunar, at 512x512 I would have had to throttle your drives :stuck_out_tongue_winking_eye:
SYSTEM_ALERT_WINDOW
Thanks, added! That just leaves the DEPENDENCY_INFO_BLOCK
– maybe a todo item for the next release then? It's currently using "neutral colors", but I might change that to "warning colors" in a few months or so (once I'm through addressing what popped up from the other scans).
It would be great if you can use this icon
Done, thanks! And yes, definitely enough resolution (everything beyond 72x72 is good, 256x256 is very good – and higher is 🚀 – so yours is at least cislunar, at 512x512 I would have had to throttle your drives 😜
SYSTEM_ALERT_WINDOW
Thanks, added! That just leaves the
DEPENDENCY_INFO_BLOCK
– maybe a todo item for the next release then? It's currently using "neutral colors", but I might change that to "warning colors" in a few months or so (once I'm through addressing what popped up from the other scans).
Thanks! Sorry I forgot about that, I disabled it now. For a more accurate description, android.view.InputMethod is used to detect when user is entering input in a text field and disable the service accordingly. I have not documented the feature myself either, it is not prompted by the app, only if the user themselves go to settings and enable it as an Input method.
Sorry I forgot about that, I disabled it now.
Thanks!
For a more accurate description
There's a little space limitation, so I have to keep the description short. You see about how long it can be in the screenshot above (I'd rather avoid it causing line breaks if I can). Still enough space to make it twice as long as it currently is; "used to detect when user is entering input in a text field and disable the service accordingly" could fit if you want me putting that.
I understand, then it’s better to leave it as it is. Closing this issue as I made another release with the dependency info changes included. Thanks.
Thanks a lot!
A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!