Open lucasmz-dev opened 3 months ago
It is quite convenient tho, and I doubt any malicious program can find it considering it's a random value in a zipped db, but there could be an option to disable the export.
There could be a switch in backup and restore to prevent any tokens from showing up on the backup.
@ruskcoder Disagree, it should just be removed, period. The inconvenience of having to log in on a new device is far, far better than the risk of having someone hack your account.
This is my thought process as well, logging in is just really easy, it's not worth the security risk there.
A worthy note is that people also sync these to the cloud, you don't want your cloud provider having tokens to other accounts.
They probably sync to Google cloud, but fair enough.
For me, when working on the apps, it's incredibly useful to click two buttons and have all the app settings and tokens automatically imported. How about having a master password that encrypts the store file? This could prevent access to intruders while also letting anyone using the feature continue using it.
Yeah, optional password seems the best, you could even make it only encrypt tokens.
I'd prefer the option to disable storing these tokens on exported backups rather than encryption. Encryption can be hard to manage, storing these passwords would also be complicated, even with a password manager... if you need encrypted backups, Seedvault is probably the best option now that that's supported, and those will always include the login.
Agreed
Checklist
Feature description
Currently, the YouTube Music token is extracted in the backups; this is a security concern.
Why do you want this feature?
A lot of people grant file access to many apps that should not have it, or have nothing to do with Google. This gives them potential access to a user's Google account.
Additional information
Same as https://github.com/Malopieds/InnerTune/issues/227
As also mentioned in the issue above, this does not refer to backups using the Android API! Those are fine to include these; this is specific to the backup functionality in-app.