martinmimigames / little-file-explorer

Android 1.0+ mini file explorer and manager
https://martinmimigames.github.io/projects/little-file-explorer/
GNU General Public License v3.0
319 stars 13 forks

Permission question #78

Closed IzzySoft closed 7 months ago

IzzySoft commented 7 months ago

My scanner just reported:

! repo/com.martinmimigames.simplefileexplorer_17.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE android.permission.MANAGE_EXTERNAL_STORAGE
  android.permission.REQUEST_INSTALL_PACKAGES
! repo/com.martinmimigames.simplefileexplorer_17.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

The storage permissions are pretty clear, just wondering about REQUEST_INSTALL_PACKAGES. Is that just to install APK files from local storage – or does the app have an integrated self-updater?

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks!
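For anyone who wants to check their own build for that blob rather than take a scanner's word for it, here is an added example (my own code, not part of this thread or of little-file-explorer) that walks the APK Signing Block and lists the IDs of the ID-value pairs it carries. The scanner line above is reporting exactly such an ID: 0x504b4453 is the ASCII "PKDS" tag of the DEPENDENCY_INFO_BLOCK. The sample APK is constructed inline (a one-entry ZIP with a dummy signing block spliced in before the central directory), so the script runs offline; the names in KNOWN_BLOCK_IDS are the ones I know from AOSP's apksig and are illustrative, not an exhaustive registry. Run it against a real APK with `python3 apk_sig_blocks.py app-release.apk`.

```python
from __future__ import annotations

import io
import struct
import sys
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # ASCII "PKDS", the ID the scanner reported

# Block IDs I know from AOSP's apksig; illustrative, not an exhaustive list.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    0x42726577: "verity padding",
    DEPENDENCY_INFO_BLOCK_ID: "DEPENDENCY_INFO_BLOCK (Google, encrypted to a Google public key)",
}


def _find_eocd(apk: bytes) -> int:
    """Offset of the End Of Central Directory record.

    The EOCD ends with a comment of up to 65535 bytes, so scan backwards
    from the end of the file for its signature.
    """
    start = max(0, len(apk) - 22 - 65535)
    pos = apk.rfind(EOCD_SIGNATURE, start)
    if pos < 0:
        raise ValueError("not a ZIP/APK: EOCD not found")
    return pos


def list_signing_block_ids(apk: bytes) -> list[int]:
    """Return the block IDs in the APK Signing Block, in file order ([] if absent).

    Layout (little-endian), placed directly before the central directory:
      uint64 size_of_block            (excludes this field itself)
      repeated: uint64 len, uint32 id, bytes value[len - 4]
      uint64 size_of_block            (same value again)
      16 bytes magic "APK Sig Block 42"
    """
    eocd = _find_eocd(apk)
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]  # offset of central directory
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    block_start = cd_offset - size - 8
    if size < 24 or block_start < 0 or struct.unpack_from("<Q", apk, block_start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    ids = []
    pos = block_start + 8
    end = cd_offset - 24  # the trailing size field starts here
    while pos < end:
        pair_len = struct.unpack_from("<Q", apk, pos)[0]
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("corrupt APK Signing Block: bad ID-value pair length")
        ids.append(struct.unpack_from("<I", apk, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def has_dependency_info_block(apk: bytes) -> bool:
    """True if the APK carries Google's DEPENDENCY_INFO_BLOCK."""
    return DEPENDENCY_INFO_BLOCK_ID in list_signing_block_ids(apk)


def build_plain_zip() -> bytes:
    """Constructed sample: a one-entry ZIP with no signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed sample, not a real manifest>")
    return buf.getvalue()


def build_sample_apk(block_ids: list[int]) -> bytes:
    """Constructed sample: splice a dummy APK Signing Block with the given IDs
    into build_plain_zip(). The values are zero padding; only the container
    format matters for the check above, not the signature contents."""
    data = build_plain_zip()
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + 16, bid) + b"\x00" * 16 for bid in block_ids)
    size = len(pairs) + 8 + 16  # pairs + second size field + magic
    sig_block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched = data[:cd_offset] + sig_block + data[cd_offset:]
    new_eocd = eocd + len(sig_block)  # EOCD moved; fix its central-directory offset
    return (patched[:new_eocd + 16]
            + struct.pack("<I", cd_offset + len(sig_block))
            + patched[new_eocd + 20:])


if __name__ == "__main__":
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk([0x7109871A, DEPENDENCY_INFO_BLOCK_ID])
    for bid in list_signing_block_ids(apk):
        print(f"0x{bid:08x}  {KNOWN_BLOCK_IDS.get(bid, 'unknown block ID')}")
```

If the dependenciesInfo snippet above is applied, the 0x504b4453 line disappears from the output while the v2/v3 signature blocks stay; that is the quickest way to confirm the setting actually took effect in a release build rather than only in the module you edited.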

wmartinmimi commented 7 months ago

First of all, yes, it is only intended for installing apks from local storage as invoked by the user.

The app does not self-update (nor will it in the near future) as it is not core to a file manager and I consider it unnecessary.

Secondly, that is interesting. I did not know my apk contained stuff like this. Aside from DEPENDENCY_INFO_BLOCK, is there anything else I can remove from the apk that is not necessary for the app to run, or where can I find information about this?

IzzySoft commented 7 months ago

First of all, yes, it is only intended for installing apks from local storage as invoked by the user.

Thanks! Added to the details:

[screenshot]

(btw: I had to look 3 times to make sure I saw it correctly: less than 40 kB, wow! Reminds me of 14 years back when I started with Android :see_no_evil: Cool!)

The app does not self-update (nor will it in the near future)

Please keep it that way! Self-updaters violate the policy not only of F-Droid (who'd probably not notice it as they don't check for it once the app is listed) but also of my repo, where your app has been listed longer than at F-Droid (be welcome to pick a badge to link there, too, if you wish).

I did not know my apk contained stuff like this.

Few know, many are surprised when I report it. You can find details about such things e.g. in the section What about security? of my repo info page, or in my latest blog article Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

is there anything else I can remove from the apk that is not necessary for the app to run

Not that I'm aware of. Everything my scanners reported I forwarded to you. There's not even a library block with your app's listing, so you didn't include any other dependency – which means no unneeded ones either :star_struck: