msfjarvis / compose-lobsters

Claw for Android: Unofficial read-only client for https://lobste.rs, built using Jetpack Compose.
https://play.google.com/store/apps/details?id=dev.msfjarvis.claw.android
MIT License

Question on permissions #475

Closed IzzySoft closed 7 months ago

IzzySoft commented 7 months ago

My scanner recently got some additional checks, and on today's update reported:

! repo/dev.msfjarvis.claw.android_14000.apk declares sensitive permission(s):
  android.permission.READ_PHONE_STATE android.permission.READ_EXTERNAL_STORAGE

Could you please clarify what those permissions are needed/used for? Thanks in advance!

msfjarvis commented 7 months ago

Hm that's definitely unintentional, I'm gonna have to check which dependency upgrade pulled that in and remedy this. Thank you for the heads-up.

msfjarvis commented 7 months ago

Android Studio's merged manifest view does not see the READ_PHONE_STATE and READ_EXTERNAL_STORAGE permissions but they're definitely in the APK 🤔

This is slightly perplexing...
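The scanner report above and the observation in the previous comment (the IDE's merged manifest view did not show the permissions, yet the APK declared them) point to the same practice: check the permissions in the artifact you actually ship, and diff them between releases so a dependency upgrade cannot add one silently. The following is an added example, not code from the compose-lobsters project or from IzzySoft's scanner. It assumes the text output format of `aapt dump permissions` / `aapt2 dump permissions` (lines such as `uses-permission: name='android.permission.INTERNET'`); the sample dumps embedded in it are constructed for illustration and are not the real v1.40.0 or v1.41.0 manifests.

```python
"""Flag sensitive permissions declared by a built APK and diff two builds.

Added example, not part of the compose-lobsters project. The parser targets
the text format printed by `aapt dump permissions <apk>` (assumed), so it
works on the build output rather than on the IDE's merged-manifest view.
"""
import re
import shutil
import subprocess
import sys
from typing import Dict, List, Set

# Illustrative list of permissions that should raise a question when they
# show up in a read-only news client; extend to taste.
SENSITIVE_PERMISSIONS: Set[str] = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Matches "uses-permission: name='X'" (current aapt), the older bare
# "uses-permission: X" form, and the "uses-permission-sdk-23:" variant.
_USES_PERM = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?"
)


def parse_permissions(dump: str) -> Set[str]:
    """Return the set of <uses-permission> names found in an aapt dump."""
    perms: Set[str] = set()
    for line in dump.splitlines():
        m = _USES_PERM.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def flag_sensitive(dump: str, sensitive: Set[str] = SENSITIVE_PERMISSIONS) -> List[str]:
    """Sorted list of sensitive permissions declared in the dump."""
    return sorted(parse_permissions(dump) & sensitive)


def diff_permissions(old_dump: str, new_dump: str) -> Dict[str, List[str]]:
    """Permissions added or removed between two builds (e.g. across a bisect)."""
    old, new = parse_permissions(old_dump), parse_permissions(new_dump)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def dump_permissions(apk_path: str) -> str:
    """Run `aapt dump permissions` on a built APK; needs aapt/aapt2 on PATH."""
    aapt = shutil.which("aapt") or shutil.which("aapt2")
    if aapt is None:
        raise RuntimeError("aapt not found on PATH; install Android build-tools")
    result = subprocess.run([aapt, "dump", "permissions", apk_path],
                            check=True, capture_output=True, text=True)
    return result.stdout


# Constructed sample dumps standing in for a "before" and an "after" build.
# They are illustrative only, not the real Claw manifests.
DUMP_BEFORE = """\
package: dev.msfjarvis.claw.android
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
"""
DUMP_AFTER = """\
package: dev.msfjarvis.claw.android
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Real use: python check_perms.py old.apk [new.apk]
        old = dump_permissions(sys.argv[1])
        print("sensitive:", flag_sensitive(old))
        if len(sys.argv) >= 3:
            print("diff:", diff_permissions(old, dump_permissions(sys.argv[2])))
    else:
        print("sensitive (before):", flag_sensitive(DUMP_BEFORE))
        print("sensitive (after): ", flag_sensitive(DUMP_AFTER))
        print("diff before -> after:", diff_permissions(DUMP_BEFORE, DUMP_AFTER))
```

Running this against the release APK (not the IDE view) in CI and failing the build when `flag_sensitive` returns anything, or when `diff_permissions` against the previous release reports an unexpected addition, catches the kind of regression discussed in this thread before it reaches users or a third-party scanner.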

msfjarvis commented 7 months ago

Doing a bisection between v1.39.0 and v1.40.0 now

msfjarvis commented 7 months ago

I found the offending dependency and have downgraded it, there will be a v1.41.0 release happening shortly with this addressed. Thank you again for bringing this to my attention.

msfjarvis commented 7 months ago

Release assets for v1.41.0 are now available: https://github.com/msfjarvis/compose-lobsters/releases/tag/v1.41.0

IzzySoft commented 7 months ago

Thanks! Confirming this solved the issue:

$ iod repo get dev.msfjarvis.claw.android
dev.msfjarvis.claw.android: looking for 'https://api.github.com/repos/msfjarvis/compose-lobsters/releases'
dev.msfjarvis.claw.android: checking tag 'latest'
dev.msfjarvis.claw.android: checking tag 'v1.41.0'
dev.msfjarvis.claw.android: lastRelNo set to '1.41.0', checking for files
dev.msfjarvis.claw.android: Upstream file date (2024-03-07 20:47) is newer than ours (2024-03-07 19:38).
dev.msfjarvis.claw.android: returning ['1.41.0','https://github.com/msfjarvis/compose-lobsters/releases/download/v1.41.0/Claw-release-1.41.0.apk',1709840852]
dev.msfjarvis.claw.android: 1.40.0/1.41.0, https://github.com/msfjarvis/compose-lobsters/releases: https://github.com/msfjarvis/compose-lobsters/releases/download/v1.41.0/Claw-release-1.41.0.apk
- Grabbing update for dev.msfjarvis.claw.android: OK
- Checking 'repo/dev.msfjarvis.claw.android_14100.apk' for libraries and malware …
- Checking the app's AndroidManifest.xml …
dev.msfjarvis.claw.android: check if repo contains FUNDING.yml
dev.msfjarvis.claw.android: looking for 'https://api.github.com/repos/msfjarvis/compose-lobsters/contents/.github'
dev.msfjarvis.claw.android: looking for 'https://api.github.com/repos/msfjarvis/compose-lobsters/contents/'
dev.msfjarvis.claw.android: looking for 'https://api.github.com/repos/msfjarvis/.github/contents/'
dev.msfjarvis.claw.android: FUNDING.yml already up-to-date.
dev.msfjarvis.claw.android: no Fastlane configured, skipping Fastlane check.

No exclamation marks anymore. May I ask what the culprit was? Ah, Kotlin lifecycle (going by the commit) – just asked in case other apps might be affected. Thanks for the swift action!

msfjarvis commented 6 months ago

Note for myself: the bug that is causing these to be inserted in the APK is https://issuetracker.google.com/issues/319470141

IzzySoft commented 6 months ago

Good find!