Xtr126 / XtMapper

Advanced keyboard and mouse input mapping tool
https://xtr126.github.io/XtMapper-docs
GNU General Public License v3.0

Certificate issue #79

Closed IzzySoft closed 6 months ago

IzzySoft commented 7 months ago

A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!

Xtr126 commented 6 months ago

Hello, thanks for your effort. I will prepare a key and release a proper signed APK as soon as possible after I can get it to work on mobile phones. Currently the app works only on PCs or already insecure rooted devices with SELinux disabled so I did not care about it.

IzzySoft commented 6 months ago

Thanks for your reply! And thanks for working on it!

> Currently the app works only on PCs or already insecure rooted devices with SELinux disabled so I did not care about it.

Then maybe I should better remove your app from my repo until that's solved – to avoid frustration on the end of those trying it? I'd then re-enable it as soon as you have it ready and let me know.

Xtr126 commented 6 months ago


Yes I also agree that it should be removed for now, I’ll let you know after I get it solved.

IzzySoft commented 6 months ago

Done that now (effective with the next sync in less than 2h from now). Looking forward to your "ready ping" then, wishing you best progress!

Xtr126 commented 6 months ago

APKs are signed with a release key now.
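The check behind the original report, and behind confirming the fix above, is the signer certificate in the APK. As an added example (not code from XtMapper or from IzzySoft's scanner), the script below parses `apksigner verify --print-certs` output, flags the well-known Android debug signing identity, and optionally pins a SHA-256 certificate digest. The two sample outputs are constructed here in apksigner's line format with made-up digests; `apksigner` is assumed on PATH only for `check_apk`.

```python
"""Classify an APK's signer from `apksigner verify --print-certs` output.

Added example; not part of XtMapper or IzzySoft's scanner. The parsing
functions run on captured text; check_apk() assumes the Android build-tools
`apksigner` binary is on PATH.
"""
import re
import subprocess
from typing import Optional

# Subject DN of the debug keystore that Android Studio / the SDK generate.
ANDROID_DEBUG_DN = "CN=Android Debug, O=Android, C=US"

DN_RE = re.compile(r"^Signer #(\d+) certificate DN: (.+)$", re.M)
SHA256_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$", re.M)


def parse_print_certs(output: str) -> list:
    """Turn apksigner's --print-certs text into one dict per signer, in order."""
    signers = {}
    for num, dn in DN_RE.findall(output):
        signers.setdefault(int(num), {})["dn"] = dn.strip()
    for num, digest in SHA256_RE.findall(output):
        signers.setdefault(int(num), {})["sha256"] = digest.lower()
    return [signers[k] for k in sorted(signers)]


def classify_signers(output: str, pinned_sha256: Optional[str] = None) -> str:
    """
    'debug'      - some signer uses the well-known debug DN (reject for release)
    'unverified' - no signer information at all (apksigner failed or was silent)
    'mismatch'   - a digest was pinned and no signer's certificate matches it
    'release'    - a non-debug signer (and it matches the pin, if one was given)
    """
    signers = parse_print_certs(output)
    if not signers:
        return "unverified"
    if any(s.get("dn") == ANDROID_DEBUG_DN for s in signers):
        return "debug"
    if pinned_sha256 is not None:
        wanted = pinned_sha256.lower().replace(":", "")
        if not any(s.get("sha256") == wanted for s in signers):
            return "mismatch"
    return "release"


def check_apk(path: str, pinned_sha256: Optional[str] = None) -> str:
    """Run apksigner against a real file (assumes build-tools on PATH)."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return "unverified"
    return classify_signers(proc.stdout, pinned_sha256)


# Constructed sample outputs in apksigner's format; digests are made up.
FAKE_DEBUG_DIGEST = "ab" * 32
FAKE_RELEASE_DIGEST = "cd" * 32

DEBUG_SAMPLE = (
    f"Signer #1 certificate DN: {ANDROID_DEBUG_DN}\n"
    f"Signer #1 certificate SHA-256 digest: {FAKE_DEBUG_DIGEST}\n"
)
RELEASE_SAMPLE = (
    "Signer #1 certificate DN: CN=Example Release, O=Example, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {FAKE_RELEASE_DIGEST}\n"
)


if __name__ == "__main__":
    import sys
    pin = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_apk(sys.argv[1], pin))
```

A repository that re-enables an app after a key change should pin the new digest rather than only checking for the debug DN: a key that is merely "not debug" can still be a different signer than the one users already trust, and Android refuses updates across signers.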

IzzySoft commented 6 months ago

Thanks, that looks good! Added it back, will be available again with the next sync around 7 pm UTC. I had to screenshot the icon however as it cannot be downloaded; if you want me to put a different icon (or some screenshots), I gladly accept the graphics.

Btw, here's the output from my scanner:

```
No offending libs found.

Dangerous Filters:
------------------
android.view.InputMethod

Permissions:
------------
* android.permission.SYSTEM_ALERT_WINDOW
* android.permission.FOREGROUND_SERVICE
* android.permission.FOREGROUND_SERVICE_SPECIAL_USE
* android.permission.POST_NOTIFICATIONS
* android.permission.INTERNET
* android.permission.INJECT_EVENTS
* xtr.keymapper.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
```

If you want to have some explanations added to the permissions, especially SYSTEM_ALERT_WINDOW (which then would lose its "chocolate" warning color), just let me know. I already did that for android.view.InputMethod:

[image]

That DEPENDENCY_INFO_BLOCK blob is easy to get rid of:

```groovy
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}
```

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
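The scanner line `0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)` comes from walking the APK Signing Block, the structure that also carries the v2/v3 signatures. As an added example (not IzzySoft's scanner code and not part of XtMapper), the script below locates that block from the ZIP end-of-central-directory record, enumerates its ID/value pairs, and flags the dependency-info blob. Block IDs are the published constants from the APK signing scheme; the APK it runs on is constructed in the block with `zipfile` plus a hand-built signing block, so it runs offline.

```python
"""Enumerate APK Signing Block entries and flag DEPENDENCY_INFO_BLOCK.

Added example; not the scanner's own code. Layout per the APK Signature
Scheme v2 spec: the block sits immediately before the ZIP central directory,
is framed by two copies of its size, and ends with "APK Sig Block 42".
"""
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = struct.pack("<I", 0x06054B50)
DEPENDENCY_INFO_BLOCK = 0x504B4453

KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    0x6DFF800D: "source stamp",
    0x42726577: "verity padding",
    DEPENDENCY_INFO_BLOCK: "DEPENDENCY_INFO_BLOCK (Google; encrypted)",
}


def central_directory_offset(data: bytes) -> int:
    """Find the End of Central Directory record and read the CD offset from it."""
    # EOCD is 22 bytes plus an optional trailing comment of at most 65535 bytes.
    window_start = max(0, len(data) - 22 - 0xFFFF)
    pos = data.rfind(EOCD_SIGNATURE, window_start)
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no EOCD record; not a ZIP/APK")
    return struct.unpack_from("<I", data, pos + 16)[0]


def parse_signing_block(data: bytes) -> dict:
    """Return {block_id: value_bytes}, or {} when there is no signing block."""
    cd = central_directory_offset(data)
    if cd < 24 or data[cd - 16:cd] != SIG_BLOCK_MAGIC:
        return {}  # v1 (JAR) signed only, or unsigned
    size = struct.unpack_from("<Q", data, cd - 24)[0]  # excludes its own 8 bytes
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("corrupt signing block: size fields disagree")
    blobs = {}
    pos, end = start + 8, cd - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]  # uint32 ID + value
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("corrupt signing block: bad pair length")
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        blobs[block_id] = data[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return blobs


def describe(data: bytes) -> list:
    """(hex id, known name, value length) per blob, in file order."""
    return [(hex(i), KNOWN_BLOCK_IDS.get(i, "unknown"), len(v))
            for i, v in parse_signing_block(data).items()]


def has_dependency_info_block(data: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK in parse_signing_block(data)


# --- constructed fixtures (not a real APK) ---------------------------------
def build_plain_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
    return buf.getvalue()


def build_signing_block(pairs) -> bytes:
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC


def build_fake_apk(pairs) -> bytes:
    """Splice a signing block between the local entries and the central directory."""
    raw = build_plain_zip()
    cd = central_directory_offset(raw)
    block = build_signing_block(pairs)
    eocd = raw.rfind(EOCD_SIGNATURE)
    # Only the CD offset in the EOCD changes; local header offsets stay valid.
    new_eocd = raw[eocd:eocd + 16] + struct.pack("<I", cd + len(block)) + raw[eocd + 20:]
    return raw[:cd] + block + raw[cd:eocd] + new_eocd


if __name__ == "__main__":
    sample = build_fake_apk([(0x7109871A, b"v2-signature-bytes"),
                             (DEPENDENCY_INFO_BLOCK, b"\x00\x01\x02")])
    for row in describe(sample):
        print(row)
```

The size check and the per-pair bounds check matter in a scanner that runs on untrusted uploads: a hostile APK can declare a pair length that runs past the block, and the verifier on-device tolerates unknown IDs, so a malformed trailer must be rejected explicitly rather than read blindly.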

Xtr126 commented 6 months ago


Nice! It would be great if you can use this icon, I think it is of enough quality for an icon:

[image]

SYSTEM_ALERT_WINDOW is used to display a pointer on the screen and for showing alert dialogs (to select apps, switch profiles).

IzzySoft commented 6 months ago

> It would be great if you can use this icon

Done, thanks! And yes, definitely enough resolution (everything beyond 72x72 is good, 256x256 is very good – and higher is :rocket: – so yours is at least cislunar, at 512x512 I would have had to throttle your drives :stuck_out_tongue_winking_eye:

> SYSTEM_ALERT_WINDOW

Thanks, added! That just leaves the DEPENDENCY_INFO_BLOCK – maybe a todo item for the next release then? It's currently using "neutral colors", but I might change that to "warning colors" in a few months or so (once I'm through addressing what popped up from the other scans).

[image]

Xtr126 commented 6 months ago


Thanks! Sorry I forgot about that, I disabled it now. For a more accurate description, android.view.InputMethod is used to detect when user is entering input in a text field and disable the service accordingly. I have not documented the feature myself either, it is not prompted by the app, only if the user themselves go to settings and enable it as an Input method.

IzzySoft commented 6 months ago

> Sorry I forgot about that, I disabled it now.

Thanks!

> For a more accurate description

There's a little space limitation, so I have to keep the description short. You see about how long it can be in the screenshot above (I'd rather avoid it causing line breaks if I can). Still enough space to make it twice as long as it currently is; "used to detect when user is entering input in a text field and disable the service accordingly" could fit if you want me putting that.

Xtr126 commented 6 months ago

I understand, then it’s better to leave it as it is. Closing this issue as I made another release with the dependency info changes included. Thanks.

IzzySoft commented 6 months ago

Thanks a lot!