Closed FineFindus closed 9 months ago
Cashew relies too heavily on Google services. Google services are mainly used for cloud backups using Drive. There are no plans to write 2 copies of the app with one having a stripped down version of Play Services.
There is already an open source release available here on GitHub.
Thanks for the quick response. There is no need to write two versions, you can create flavors of the app, and disable the backup feature with a simple if statement :), for example like https://github.com/deckerst/aves does it for their libre version.
There is already an open source release available here on GitHub.
F-Droid is a much more convenient place to manage installed apps, with the added benefit, that the apps are actually free.
Agreed !
I totally agree!
According to Exodus report (done locally with AppManager app) there is only 1 library that should be removed: Google Play Billing Library
After that you could hide any google related widget with a simple "if" statement as mentioned above
Maybe we can get this app in IzzyOnDroid repo at least. @IzzySoft is this application suitable for your repo?
Well, not in its current state:
Offending libs:
---------------
* BillingClient (/com/android/billingclient): NonFreeComp,NonFreeNet
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeComp
* Google Play Core (/com/google/android/play/core): NonFreeNet,NonFreeComp
* Play Integrity API (/com/google/android/play/integrity): NonFreeComp,NonFreeNet
* Firebase (/com/google/firebase): NonFreeNet,NonFreeComp
* firebase-firestore (/com/google/firebase/firestore): NonFreeDep,NonFreeNet
* FlutterFire (/io/flutter/plugins/firebase): NonFreeNet
8 offenders.
For an app dealing with sensitive information (here: personal finances), all those need to be gone. Easy for BillingClient maybe, but afraid less easy for Firestore – which would mean a migration to a different storage, e.g. appwrite or Supabase could be viable alternatives for that (both are intended as FOSS replacements for Firebase).
SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
This would also need addressing, but again is even easier than all of the above, just requiring a minimal update to build.gradle
:
android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
Next, the APK size would pose an issue. IoD has a per-app size limit of 30 MB, the APK is 40 MB. This could be solved with per-ABI builds; having an ARM only build (i.e. dropping x86, which is rather just for emulators as there are few x86 devices if any at all) would probably reduce the size by ~10 MB, reducing it to single ABis would make each APK around 20+ MB. For IoD we'd then e.g. pick the arm64 build – while all others (incl. the "fat build" containing all ABIs) could be available at releases here.
Is your feature request related to a problem? Please describe. Currently, the app is only available through traditional app stores, which limits accessibility for users who rely on alternative platforms such as F-Droid.
Describe the solution you'd like I would like to request that the app be included on F-Droid.
Describe alternatives you've considered /
Additional context The app seems to use some proprietary packages (from Google) which are not allowed and would need to be removed. Maybe a free/libre flavor can be created?