search

aritra-tech / Notify

📝 Notify is a simple note application build to demonstrate the use of clean MVVM Architecture with Jetpack Compose and Material-3 guidelines along with some Modern Android development tools.
MIT License
325 stars 65 forks source link

Question on permissions #487

Open IzzySoft opened 3 months ago

IzzySoft commented 3 months ago

Your current release passed my scanner yesterday, which reported:

! repo/com.aritra.notify_15.apk declares sensitive permission(s):
   android.permission.CAMERA
   android.permission.RECORD_AUDIO
   android.permission.READ_EXTERNAL_STORAGE

I could find no hint in the app description helping me to answer the question what those permissions might be needed for. Could you please clarify? Thanks in advance!

Moreover, the updater rejected your APK:

2024-06-21 19:36:02,284 WARNING: repo/com.aritra.notify_15.apk: debuggable or testOnly set in AndroidManifest.xml
2024-06-21 19:37:55,350 WARNING: "com.aritra.notify_15.apk" is signed by a key that is not allowed:
57fe4ea74c39c230863d11cb5a3368532fd170dc56a65712a80e40423f31f429

APKs intended for distribution should have neither the debuggable nor the testOnly flag set. Further, the signing key doesn't match the one from prior releases – so updates are impossible. Could it be you accidentally added the wrong APK – one you intended for internal testing? Taking a closer look seems to suggest that:

Number of signers: 1
Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: 57fe4ea74c39c230863d11cb5a3368532fd170dc56a65712a80e40423f31f429
Signer #1 certificate SHA-1 digest: 92b643549a4b01d3e7313a92f09299c8b16d5942
Signer #1 certificate MD5 digest: 167de684c7f298c88fb00955cfc38b04
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

And a last thing, while I'm here:

image

This Blob can easily be avoided with a tiny adjustment in your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance for your help!

PS: As the current APK is not suitable but still would be fetched on each update run, I've disabled updates for your app until this issue was solved. Will of course re-enable once the proper APK is available. Thanks for understanding!

IzzySoft commented 3 months ago

Any word? There will be no updates available before this is solved, @aritra-tech

PS: I have disabled updates for this app entirely now, so I won't get any reminders unless you answer here.

aritra-tech commented 2 months ago

Hey sorry, @IzzySoft didn't get the time to look into it. I will look into this issue.

IzzySoft commented 2 months ago

didn't get the time to look into it.

yeah, time's a bitch… and no personal grudge there, I know that feeling (have some such issues here as well – luckily no "show-stoppers"). My "pressing" is just as it's a technical necessity.

I will look into this issue.

Thanks! Just give me a ping please then, as I do no longer get "reminders" when the still unchanged update was pulled once a month due to updates being disabled entirely now.

The main thing would be the signing. That solved, I could re-enable updates and those permissions would just be shown as warnings until solved/explained. So assuming you still can access your signing key (and having used the debug one was just an accident), if you could take those 5..10 minutes to re-sign and re-attach the APK, we'd be a big step forwards – and those permissions could be addressed separately (luckily there's no "crucial one" involved :wink:).