search

sweakpl / qralarm-android

QRAlarm is an Android alarm clock application that lets the user turn off alarms by scanning the QR Code.
GNU General Public License v3.0
112 stars 10 forks source link

Question on permissions #40

Closed IzzySoft closed 3 months ago

IzzySoft commented 5 months ago

My scanner just reported for your latest release:

! repo/com.sweak.qralarm_25.apk declares sensitive permission(s):
  android.permission.CAMERA android.permission.READ_EXTERNAL_STORAGE*
! repo/com.sweak.qralarm_25.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Camera permission is clear (QR Code scanner). But what for are storage permissions (read and write; the asterisk * indicates the read permission was granted implicitly as the write permission is requested) needed – can you please clarify?

As for the DEPENDENCY_INFO_BLOCK, that's easily avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

sweakpl commented 5 months ago

Hey, WRITE_EXTERNAL_STORAGE permission as declared in Manifest:

<uses-permission
    android:name="android.permission.WRITE_EXTERNAL_STORAGE"
    android:maxSdkVersion="28" />

is used in order to save the default QR code image for dismissing alarms. This is required for SDKs up to level 28 since these don't have the scoped storage mechanism (which doesn't require any permissions).

It is harmless in the context of my use-case. Nevertheless I will probably give it another look in the future as maybe there is a different solution that doesn't require the permission.

Also thank you for the information on the DEPENDENCY_INFO_BLOCK.

IzzySoft commented 5 months ago

Thanks for confirming! An alternative approach would be via SAF (Storage Access Framework) here, especially as it's a single file only and your app's minSdk points to Android 5, where SAF became available. Third variant would be to simply store it inside the app's alloted space (/data/data/<packageName>/files), which wouldn't need any extra permission either.

Looking forward to see the BLOB gone than soon as well, thanks!

IzzySoft commented 3 months ago

Yay, thanks!