dstark5 / Openlib

An open-source app to download and read books from a shadow library (Anna's Archive)
GNU General Public License v3.0

Question on permissions #63

Open IzzySoft opened 5 months ago

IzzySoft commented 5 months ago

Scanner report for today's update reads:

! repo/com.app.openlib_2008.apk declares sensitive permission(s): android.permission.READ_MEDIA_IMAGES android.permission.READ_MEDIA_AUDIO android.permission.MANAGE_EXTERNAL_STORAGE android.permission.READ_EXTERNAL_STORAGE


I guess READ_EXTERNAL_STORAGE is for reading downloaded material (as WRITE_EXTERNAL_STORAGE is to save eBooks; together with MANAGE_EXTERNAL_STORAGE on Android 11+). Can you confirm this?

What I however do not understand (at least going by the app description) is what media access (images and audio) is needed for. A clarification would be much appreciated!

As for DEPENDENCY_INFO_BLOCK: this can probably be avoided easily via some gradle settings:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

dstark5 commented 5 months ago


The above permissions are used because on some devices, the EPUB reader works properly with them, and the upcoming update of the app would use a separate folder to store the book.

IzzySoft commented 5 months ago

So the next release comes without those permissions? Then I'd say no further action needed for that – which would only leave the DEPENDENCY_INFO_BLOCK (to be handled at your convenience; trouble with that one is mostly that it's an "opaque block". Though there are POCs that such blocks can easily be abused to store payload and other "things", so it might be a good idea to address this: what's not there cannot cause issues. And apart from Google, nobody can even read it, not to speak of doing something useful with it).

dstark5 commented 5 months ago

No, the permissions are required for the EPUB package, and will add support for a direct folder for the app.

Will you be able to fix this DEPENDENCY_INFO_BLOCK?

IzzySoft commented 5 months ago

The permissions are required for the EPUB package, and will add support for a direct folder for the app.

I can see that for READ_EXTERNAL_STORAGE and MANAGE_EXTERNAL_STORAGE (which I added to the "allow-list" for your app, so those will no longer trigger warnings here) – but READ_MEDIA_AUDIO and READ_MEDIA_IMAGES? There shouldn't be eBooks stored to the media directories, so I wonder why those permissions should be needed.

Will you be able to fix this DEPENDENCY_INFO_BLOCK?

See above, it's just adding a few lines to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

dstark5 commented 5 months ago

Okay 👍 will sure add it

IzzySoft commented 4 months ago

Looks like you forgot:

! repo/com.app.openlib_2009.apk declares sensitive permission(s):
  android.permission.READ_MEDIA_IMAGES android.permission.READ_MEDIA_AUDIO
! repo/com.app.openlib_2009.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

The media permissions are still there, and so is the blob…
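The scanner spots the blob by its id 0x504b4453 inside the APK Signing Block. As an added example (not code from the Openlib project or from IzzySoft's scanner), here is a small Python check that lists the block ids in an APK and reports whether that id is present, so a build can be verified after the dependenciesInfo setting is added. It runs on a constructed in-memory APK; the v2 signature id and the block layout are assumed from the public APK signature scheme documentation.

```python
import struct

# Added example, not Openlib's own code: walk the APK Signing Block and report
# which ID-value pairs it carries, flagging 0x504b4453 (DEPENDENCY_INFO_BLOCK).
# The v2 signature id and block layout are assumed from the APK signing docs.
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
DEPENDENCY_INFO_BLOCK = 0x504B4453


def signing_block_ids(apk: bytes) -> dict:
    """Return {block_id: value_length} per pair in the APK Signing Block.
    Layout (little-endian), placed just before the central directory:
    [u64 size][pairs: u64 len | u32 id | value][u64 size][16-byte magic]"""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return {}  # v1-only (or unsigned) APK: no signing block present
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("signing block size fields disagree")
    pos, end, ids = start + 8, cd_offset - 24, {}
    while pos < end:
        pair_len, block_id = struct.unpack_from("<QI", apk, pos)
        ids[block_id] = pair_len - 4  # value bytes follow the 4-byte id
        pos += 8 + pair_len
    return ids


def has_dependency_info_block(apk: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK in signing_block_ids(apk)


def build_sample_apk(with_dep_block: bool) -> bytes:
    """Constructed minimal zip-shaped APK (not a real archive) for testing."""
    pairs = [(0x7109871A, b"\x00" * 32)]  # v2 signature block, dummy value
    if with_dep_block:
        pairs.append((DEPENDENCY_INFO_BLOCK, b"\xaa" * 16))  # opaque blob
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # excludes the leading size field itself
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    entries = b"PK\x03\x04fake-local-file-entry"
    cd_offset = len(entries) + len(block)  # empty central directory follows
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, cd_offset, 0)
    return entries + block + eocd
```

On a real APK, read the file into bytes and pass it to `has_dependency_info_block`; an empty result from `signing_block_ids` means the APK carries no v2+ signing block at all.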

dstark5 commented 3 months ago

Will sure remove it. Thank you