puutaro / CommandClick

"another history" browser in android: has transparent UI, gif URL history, Ubuntu, and unique addon
https://apt.izzysoft.de/fdroid/index/apk/com.puutaro.commandclick
GNU General Public License v3.0

question on permissions #10

Open IzzySoft opened 6 months ago

IzzySoft commented 6 months ago

My scanner got some additional checks in January, and on today's update of your app reports:

! repo/com.puutaro.commandclick_62.apk declares flag(s): usesCleartextTraffic
! repo/com.puutaro.commandclick_62.apk declares sensitive permission(s):
  android.permission.ACCESS_FINE_LOCATION android.permission.ACCESS_COARSE_LOCATION
  android.permission.READ_EXTERNAL_STORAGE android.permission.MANAGE_EXTERNAL_STORAGE
  android.permission.QUERY_ALL_PACKAGES android.permission.CAMERA
! repo/com.puutaro.commandclick_62.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what these permissions are needed for? The flag (usesCleartextTraffic) is rather clear for a browser. And as for DEPENDENCY_INFO_BLOCK, you can easily get rid of that:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

IzzySoft commented 6 months ago

PS: You also might wish to take a look here

puutaro commented 6 months ago

Thank you for the question.
QUERY_ALL_PACKAGES -> CommandClick is also a QR executor. So QUERY_ALL_PACKAGES is used for executing QR image contents: WIFI, URL, SMS, MAIL etc.
ACCESS_FINE_LOCATION -> This is required for WIFI setting via the QR reader.
READ_EXTERNAL_STORAGE -> CommandClick's base is the file system. This app's data is saved to files. So, without this permission, CC is not feasible.

CC is a multi-feature application like Termux. Therefore, this app has various permissions. Still, only the minimum permissions are set.
And I don't think that having many permissions is a problem.

IzzySoft commented 6 months ago

Thanks for your reply! Though I must admit I do not fully understand all:

> used for executing qr image contents.: WIFI, URL, SMS, MAIL etc..

I don't understand what that has to do with querying the list of installed apps. Can you please give an example?

The others I (hopefully) got so far:

image

puutaro commented 6 months ago

As your comment says, QUERY_ALL_PACKAGES is not used currently. So I will remove it in this release.
Apparently, this permission was added in 5. 2023. At that time, I feel like I was exploring packages other than Termux or combination apps. So, in order to search for apps, I used QUERY_ALL_PACKAGES. But I don't use this now. Anyway, thanks to your comment, I can remove a useless and unneeded permission. Thank you.