Closed FineFindus closed 9 months ago
jameskokoska
commented
9 months ago Cashew relies too heavily on Google services. Google services are mainly used for cloud backups using Drive. There are no plans to write 2 copies of the app with one having a stripped down version of Play Services.
There is already an open source release available here on GitHub.
FineFindus
commented
9 months ago Thanks for the quick response. There is no need to write two versions, you can create flavors of the app, and disable the backup feature with a simple if statement :), for example like https://github.com/deckerst/aves does it for their libre version.
There is already an open source release available here on GitHub.
F-Droid is a much more convenient place to manage installed apps, with the added benefit, that the apps are actually free.
acress1
commented
9 months ago Agreed !
asandikci
commented
1 month ago I totally agree!
According to Exodus report (done locally with AppManager app) there is only 1 library that should be removed: Google Play Billing Library
After that you could hide any google related widget with a simple "if" statement as mentioned above
Maybe we can get this app in IzzyOnDroid repo at least. @IzzySoft is this application suitable for your repo?
IzzySoft
commented
1 month ago Well, not in its current state:
Offending libs:
---------------
* BillingClient (/com/android/billingclient): NonFreeComp,NonFreeNet
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeComp
* Google Play Core (/com/google/android/play/core): NonFreeNet,NonFreeComp
* Play Integrity API (/com/google/android/play/integrity): NonFreeComp,NonFreeNet
* Firebase (/com/google/firebase): NonFreeNet,NonFreeComp
* firebase-firestore (/com/google/firebase/firestore): NonFreeDep,NonFreeNet
* FlutterFire (/io/flutter/plugins/firebase): NonFreeNet
8 offenders.For an app dealing with sensitive information (here: personal finances), all those need to be gone. Easy for BillingClient maybe, but afraid less easy for Firestore – which would mean a migration to a different storage, e.g. appwrite or Supabase could be viable alternatives for that (both are intended as FOSS replacements for Firebase).
SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)This would also need addressing, but again is even easier than all of the above, just requiring a minimal update to build.gradle:
android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
Next, the APK size would pose an issue. IoD has a per-app size limit of 30 MB, the APK is 40 MB. This could be solved with per-ABI builds; having an ARM only build (i.e. dropping x86, which is rather just for emulators as there are few x86 devices if any at all) would probably reduce the size by ~10 MB, reducing it to single ABis would make each APK around 20+ MB. For IoD we'd then e.g. pick the arm64 build – while all others (incl. the "fat build" containing all ABIs) could be available at releases here.
Is your feature request related to a problem? Please describe. Currently, the app is only available through traditional app stores, which limits accessibility for users who rely on alternative platforms such as F-Droid.
Describe the solution you'd like I would like to request that the app be included on F-Droid.
Describe alternatives you've considered /
Additional context The app seems to use some proprietary packages (from Google) which are not allowed and would need to be removed. Maybe a free/libre flavor can be created?