sndnv / stasis

Backup and recovery system with emphasis on security and privacy
Apache License 2.0

Versioning issue and questions on permissions #45

Closed IzzySoft closed 3 months ago

IzzySoft commented 3 months ago

The update checker today reported multiple problems here after fetching the latest release:

! Binary files repo/stasis.client.android_1.apk and repo/stasis.client.android_1.1.2.apk differ
! repo/stasis.client.android_1.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE android.permission.MANAGE_EXTERNAL_STORAGE
! repo/stasis.client.android_1.apk contains signature block blobs: 0x504b4453  (DEPENDENCY_INFO_BLOCK; GOOGLE)

The first message means you forgot to increase versionCode when making the release. That's what Android uses internally to tell versions apart – so this update will reach no existing installation as each client assumes already having it (1 == 1).

The second line means I'll have to add those permissions to your app's "green list": a backup app of course needs full storage access (done; see screenshot below).

As for DEPENDENCY_INFO_BLOCK, this can easily be avoided with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

That said: you might wish to pick a badge to link to your app at the IzzyOnDroid repo e.g. from your Readme. And congrats, your app was just confirmed as Reproducible Build (also see Reproducible Builds, special client support and more at IzzyOnDroid) and thus will carry the green shield indicating that:

[screenshot]
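To see for yourself which ID-value pairs an APK's signing block carries (the check the update checker ran above), here is an added Python example that walks the APK Signing Block and names the IDs it finds; it is not part of the stasis project or the IzzyOnDroid tooling, and the sample "APK" it parses is a constructed fixture, not a real build.

```python
import struct

# Block IDs: 0x504b4453 is the DEPENDENCY_INFO_BLOCK named in the report above;
# the others are the standard APK Signature Scheme / padding IDs.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    0x504B4453: "DEPENDENCY_INFO_BLOCK (Google-encrypted dependency metadata)",
}
SIG_BLOCK_MAGIC = b"APK Sig Block 42"

def list_signing_block_ids(apk: bytes) -> list:
    """Return the IDs of all ID-value pairs in the APK Signing Block (empty if none)."""
    eocd = apk.rfind(b"PK\x05\x06")                      # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a zip file")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]  # central directory offset
    # The signing block sits right before the central directory and ends with the magic.
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return []                                        # v1-only APK: no signing block
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]  # excludes the leading size field
    start = cd_offset - size - 8                         # leading size field lives here
    pos, end = start + 8, cd_offset - 24                 # pairs run up to the trailing size
    ids = []
    while pos < end:
        pair_len = struct.unpack_from("<Q", apk, pos)[0]     # length of id + value
        ids.append(struct.unpack_from("<I", apk, pos + 8)[0])
        pos += 8 + pair_len
    return ids

def describe(apk: bytes) -> list:
    """Human-readable line per block, flagging IDs not in KNOWN_IDS as unknown."""
    return [f"0x{i:08x} {KNOWN_IDS.get(i, 'unknown')}" for i in list_signing_block_ids(apk)]

def build_sample_apk(pairs) -> bytes:
    """Constructed fixture: a minimal fake zip whose signing block holds the given (id, value) pairs."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16                            # pairs + trailing size + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    contents, central_dir = b"fake local file entries", b"fake central directory"
    cd_offset = len(contents) + len(block)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central_dir), cd_offset, 0)
    return contents + block + central_dir + eocd

if __name__ == "__main__":
    sample = build_sample_apk([(0x7109871A, b"\x00" * 32), (0x504B4453, b"ENCRYPTED")])
    print("\n".join(describe(sample)))
```

On a real build, read the APK file into `apk` and call `describe(apk)`; a 0x504b4453 entry means the Gradle `dependenciesInfo` setting above has not taken effect.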

IzzySoft commented 3 months ago

PS: forgot to link your welcome toot: [image]

sndnv commented 3 months ago

Thanks for reporting this! :thinking: I'll have a better look in the following days/weeks.

IzzySoft commented 3 months ago

Thanks! If you have any questions, just ask :smiley:

sndnv commented 3 months ago

Should be fixed in v1.1.3 :) Let me know if that's indeed the case so I can close the issue.

IzzySoft commented 3 months ago

Confirmed @sndnv – as you can see:

[screenshot]

the "Signing block blobs" are gone, no permissions are "chocolate" (warning color) – and the green shield is still up :smiley: Thanks a lot, and once more welcome aboard!