App fails to start without internet connection

[SneakIn42]

Current behaviour

When I run the Android App, it doesn't work when there is no internet connection. You just get an error page that the website https://app.super-productivity.com couldn't load. So the App seems to load something from your web server and just fails to start if it can't.

My question here would be, what does the app try to load from your webserver? Is the app just a wrapper for the web app and loads all the html, css, js content from your webserver at each start? Or is it just some update check?

Suggested behaviour

It would be great if the app would work offline, too.

[johannesjo]

Hey there! The mobile app requires you to be online once initially. It basically uses the webapp at https://app.super-productivity.com/ and adds some android specific stuff around it. Once you loaded it once, the app should work fine offline too.

[SneakIn42]

Hey @johannesjo, thanks for the quick response. Unfortunately, that is not the case. I did the following to check this:

• Allow internet access for super productivity in my firewall
• Start super productivity, works fine
• Force stop super productivity
• Disallow internet access for super productivity in my firewall
• Start super productivity again, doesn't work, the mentioned error appears

I checked with the latest version from @IzzySoft s F-Droid repository and also with the F-Droid release APK provided here.

Also, but this may be more of a feature request, would it be possible to include the web files in the app? I'm concerned regarding privacy and security when an app that doesn't need to loads and executes things dynamically from the internet without my knowledge and without the possibility to verify the content. On this note, do you use certificate pinning?

[johannesjo]

I'd imagine this is due to the fact, that blocking something via the firewall is not quite the same as being offline, at least from the webviews perspective.

Also, but this may be more of a feature request, would it be possible to include the web files in the app?

Yes, this might be an option. To be honest, I was very happy, that I had one release less to worry about. It demands a lot of time to provide software for this many platforms. Being able to rely on this being in a more or less up to date version, was making my life easier :)

So for now I think I want to wait for either more people demanding this or for more people to contribute to the android version. There are more things to do than I can handle as is.

do you use certificate pinning?

I am using letsencrypt and didn't configure anything in this direction that I am aware of. So I am assuming that I am not? :)

[IzzySoft]

I checked with the latest version from @IzzySoft s F-Droid repository and also with the F-Droid release APK provided here.

Those are identical. That's where my updater gets it from :wink:

So I am assuming that I am not? :)

You are assuming correctly. Ceretificate pinning would require some extra steps. But you can aways test for yourself, as I do from time to time to see whether security & privacy are still intact for my sites: see here for details, I'm using WebbKoll, SSL Labs and Mozilla Observatory checks. Just replace my URL in that link by yours. SSL Labs (and Observatory IIRC) will tell you about cert pinning.

[SneakIn42]

I'd imagine this is due to the fact, that blocking something via the firewall is not quite the same as being offline, at least from the webviews perspective.

That's not it, I guess. Just allowed traffic from super productivity on my firewall again and performed the same steps above, but instead of controlling the internet connection via firewall I simply enabled and disabled wlan / celluar data. The issue still persists.

Yes, this might be an option. To be honest, I was very happy, that I had one release less to worry about. It demands a lot of time to provide software for this many platforms. Being able to rely on this being in a more or less up to date version, was making my life easier :)

Reasonable for an hobby project. Unfortunately, I won't be able to help with that as I'm not an Android developer, but I could imagine that the release process could be scripted some way once set up.

So for now I think I want to wait for either more people demanding this or for more people to contribute to the android version. There are more things to do than I can handle as is.

I'm sure there are more people that would love to see this feature, especially in the F-Droid and privacy community. Most probably simply don't know that the app is basically an web app - not everyone configured a firewall or similar tools with whom you could detect such things on their mobile phone.

In the meantime, until more people state their opinion or until others are willing to help implement this feature, it may make sense to mention the fact that the mobile application does collect some data, as this is inevitable as soon as something is connected to the internet. A good place for this would probably be the privacy policy, that would fit quite good in the footer of your page, by the way :-) Because as far as I'm concerned I feel a bit misled if an app states it doesn't collect any data and then I discover it connects to the developers internet presence without my knowledge. Does the desktop app behave the same, by the way?

I am using letsencrypt and didn't configure anything in this direction that I am aware of. So I am assuming that I am not? :)

What izzy wrote.

[johannesjo]

Does the desktop app behave the same, by the way?

No, it does not. Just the android app.

Well, the web app does not actively collect any data neither, which is as good as it gets for a web page, so I don't think the statement is incorrect.

I'm sure there are more people that would love to see this feature, especially in the F-Droid and privacy community.

Only one way find out! Could you be so kind to open an issue about this here? This would offer people the chance to upvote this. If more than 10 people upvote the issue I definitely implement it (at the very least for F-Droid).

A good place for this would probably be the privacy policy, that would fit quite good in the footer of your page, by the way :-)

I hate to deal with the legal stuff – I'd rather work on the app itself and I find it very time consuming and annoying – but yeah, you're probably right.

[johannesjo]

Btw. I was able to reproduce the issue now with the latest store version. This seems to be new. I'll work on a solution.

[johannesjo]

I hope didn't sound rude yesterday. Since the Heise article, I am a bit swamped with new issues and there was much to do already...

[IzzySoft]

If I may say so: Nope, I didn't detect even the slightest rudeness, all is fine! And yeah, such a publication rises interest :smile:

[johannesjo]

Hehe. Thanks @IzzySoft ! I sure felt a little annoyed by the thought of having to deal with the legal stuff again :D

[SneakIn42]

Well, the web app does not actively collect any data neither, which is as good as it gets for a web page, so I don't think the statement is incorrect.

It's not incorrect, it is misleading. I don't expect an ToDo / Time Tracking App I install locally to connect anywhere, whereas it's clear that data is collected if one browses a web app.

Only one way find out! Could you be so kind to open an issue about this here? This would offer people the chance to upvote this. If more than 10 people upvote the issue I definitely implement it (at the very least for F-Droid).

You mean an extra issue to upvote/discuss beside this bug report? Certainly can do so :-)

I hate to deal with the legal stuff – I'd rather work on the app itself and I find it very time consuming and annoying – but yeah, you're probably right.

Personally, I don't mind about legal stuff at this note, I just want to know how my data is handled from the apps I use. And in most cases the privacy policy is the first thing I look up for that.

Btw. I was able to reproduce the issue now with the latest store version. This seems to be new. I'll work on a solution.

Great! Thank you!

I hope didn't sound rude yesterday. Since the Heise article, I am a bit swamped with new issues and there was much to do already...

No, don't worry ;-)

[IzzySoft]

I sure felt a little annoyed by the thought of having to deal with the legal stuff again :D

Who would not, apart from some lawyers maybe?

Apart from that: what @therealjeybe wrote. As a user, I would expect a locally installed ToDo app claiming privacy to stay local and not connect anywhere without telling me explicitly and asking my permission. So it should at least be mentioned that it (initially?) needs to do so. For me, no legal sh!t is required – just the information should be there in a way it cannot be easily missed :wink:

[johannesjo]

The best solution might be switching away from the web app and serve the files locally (EDIT: but this is complicated to do and would require an annoying migration path for existing users ;)).

ToDo app claiming privacy to stay local and not connect anywhere without telling me explicitly and asking my permission.

I just wonder where would you put this information. I think it doesn't belong to the main repo as only the android app does this and the repo and also the landing-page is mainly about the desktop/web-app, while the android app is more like an additional service at least for the moment. If I understand the "NonFreeNet" badge correctly, the info should be already there for F-Droid?

[SneakIn42]

That was my initial suggestion :-)

[IzzySoft]

If I understand the "NonFreeNet" badge correctly, the info should be already there for F-Droid?

If we add that AntiFeature (which I fear we currently must), users only see it connects somewhere – but not why or what for. I'd add that to the app's description (full_description.txt in Fastlane, since you've got that now), introduced with a bold <b>NOTE:</b>.

[johannesjo]

If we add that AntiFeature (which I fear we currently must), users only see it connects somewhere – but not why or what for. I'd add that to the app's description (full_description.txt in Fastlane, since you've got that now), introduced with a bold <b>NOTE:</b>.

Makes a lot of sense! Thank you!

[jiongxuan]

@johannesjo @SneakIn42 @IzzySoft I’ve resolved the issue. Please refer to this PR for details:

• https://github.com/johannesjo/super-productivity-android/pull/57
• https://github.com/johannesjo/super-productivity/issues/3527

Considering that many are interested, here’s a brief overview of the changes:

I have taken steps to address the longstanding issues related to offline support and CORS in the Android application. These updates are designed to enhance the user experience by enabling offline functionality, resolving security-related CORS issues, and ensuring a smooth transition for existing users. I welcome any questions or feedback from the community to help refine and improve the solution further.