yaxim-org / yaxim

yaxim - a lean XMPP/Jabber client for Android
https://yaxim.org
GNU General Public License v3.0

Make scanning clipboard for JIDs optional #281

Open NCC1701M opened 1 year ago

NCC1701M commented 1 year ago

It might be a convenience feature [see #280], but some people don't need/want this feature. So make this feature an opt-out feature. Until now I could not find any setting which disables this feature.

You could, if disabled, add an additional menu entry (screenshot: Screenshot_20221223-095757~2.png) where the user can execute this feature manually if needed.

ge0rg commented 1 year ago

I appreciate that you don't want apps to access the clipboard, as it might contain sensitive information. Is there a reason why this is especially problematic, do you have some kind of clipboard monitor that creates warnings each time?

Regarding the feature itself and its security: yaxim is FOSS and you can inspect the source code. The feature of "do the useful thing with clipboard content" is also present in major apps like Firefox or Google Maps, and I consider it a good usability improvement that I'm even sometimes using myself.

The architecture of the Android menu bar with overflow menus requires fetching the clipboard content on each launch of the main window to provide this functionality - otherwise there'd be just an "Add from clipboard" item that would or would not work.

Regarding making it an option, I am strictly opposed. Every checkbox option doubles the number of possible internal states and makes the program less easy to understand and to use. There is a good description at https://neugierig.org/software/blog/2018/07/options.html with which I fully agree.

If this is very important to you, and you cannot block yaxim's access to the clipboard or whitelist it in the monitoring tool you use, then I fear the only way out will be for you to maintain your own fork of the app. All you need to do is to comment out the function call to setMenuItemFromClipboard() in https://github.com/yaxim-org/yaxim/blob/master/src/org/yaxim/androidclient/MainWindow.java#L554

NCC1701M commented 1 year ago

> do you have some kind of clipboard monitor that creates warnings each time?

Android itself has this functionality. So every time an app pastes something from the clipboard, I get information about it.

> Regarding the feature itself and its security: yaxim is FOSS and you can inspect the source code. The feature of "do the useful thing with clipboard content" is also present in major apps like Firefox or Google Maps, and I consider it a good usability improvement that I'm even sometimes using myself.

Correct, Firefox uses the feature too, but they handle this somehow differently. They can detect if there is a link in the clipboard and no simple text or other kind of data. But how they detect this causes no paste action - at least I don't get information about pasting something from my clipboard. Only when I click the "Fill link from clipboard" action do I get the information.

And most important, Firefox has an option to disable this feature. Settings -> Search -> Show clipboard suggestions

> Regarding making it an option, I am strictly opposed. Every checkbox option doubles the number of possible internal states and makes the program less easy to understand and to use.

I basically agree on "no option for everything" but this is somehow a security related feature. What if someday a "log4j" kind of issue is detected for the use of Android's ClipboardManager and you can copy some malicious data to the clipboard which will be executed when being pasted. Spyware or other malicious apps could profit from this. No one ever thought the log4j "feature" could do what it was capable of. So deactivating automatic clipboard pastes would be the first action to prevent this security issue. And if yaxim - like Firefox - had an opt-out of this feature, it would bring an enormous benefit.
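
The following is an added example, not part of the thread and not yaxim's or Firefox's code. It sketches one way to get the behaviour discussed above without a new setting: on Android 12 and later the system's clipboard-access notice is tied to `getPrimaryClip()`, while `getPrimaryClipDescription()` exposes only metadata, so the menu item can be decided from the description and the content read only when the user taps it. The class name, method names, score threshold and JID pattern are assumptions made for illustration.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.view.textclassifier.TextClassifier;
import java.util.regex.Pattern;

/** Hypothetical helper: decide whether to show "Add from clipboard" without reading the clip. */
public final class ClipboardJidProbe {
    private static final float MIN_SCORE = 0.5f; // assumed threshold
    // Assumed loose shape check for a bare JID (local@domain), optionally prefixed with "xmpp:".
    private static final Pattern JID = Pattern.compile("(?:xmpp:)?([^@/\\s]{1,1023}@[^@/\\s]{1,1023})");

    private final ClipboardManager cm;

    public ClipboardJidProbe(Context ctx) {
        cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
    }

    /** Safe to call on every launch: uses metadata only, never getPrimaryClip(). */
    public boolean mightHoldJid() {
        if (!cm.hasPrimaryClip()) return false;
        ClipDescription d = cm.getPrimaryClipDescription();
        if (d == null) return false;
        if (!d.hasMimeType(ClipDescription.MIMETYPE_TEXT_PLAIN)
                && !d.hasMimeType(ClipDescription.MIMETYPE_TEXT_HTML)) return false;
        // Before API 31 there is no classification; offer the item for any text clip.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.S) return true;
        // getConfidenceScore() throws unless classification has completed.
        if (d.getClassificationStatus() != ClipDescription.CLASSIFICATION_COMPLETE) return true;
        // A JID looks like an e-mail address; an xmpp: link may be classified as a URL.
        return d.getConfidenceScore(TextClassifier.TYPE_EMAIL) >= MIN_SCORE
                || d.getConfidenceScore(TextClassifier.TYPE_URL) >= MIN_SCORE;
    }

    /** Call only from the menu item's click handler; this is the read the system reports. */
    public String readJidOnUserAction(Context ctx) {
        ClipData clip = cm.getPrimaryClip();
        if (clip == null || clip.getItemCount() == 0) return null;
        CharSequence text = clip.getItemAt(0).coerceToText(ctx);
        if (text == null) return null;
        // Treat clipboard content as untrusted input: accept only a JID-shaped string.
        java.util.regex.Matcher m = JID.matcher(text.toString().trim());
        return m.matches() ? m.group(1) : null;
    }
}
```

With this split, the launch path touches no clipboard content, and the only content read happens after an explicit tap, which also bounds what untrusted clipboard data the app ever parses.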