Question on permissions #86

Open
IzzySoft opened this issue Aug 2, 2024 · 4 comments

IzzySoft commented Aug 2, 2024

The scanners at IzzyOnDroid just reported:

! repo/eu.darken.bluemusic_25801000.apk declares sensitive permission(s): android.permission.SYSTEM_ALERT_WINDOW
! repo/eu.darken.bluemusic_25801000.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what SYSTEM_ALERT_WINDOW is needed for? As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a minor change to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

d4rken added a commit that referenced this issue Aug 3, 2024
Member

d4rken commented Aug 3, 2024

> Could you please clarify what SYSTEM_ALERT_WINDOW is needed for?

As far as I remember it was a workaround for restriction on launching the app from background 🤔 I'd probably achieve this in a different way now, but I don't have the motivation to rewrite everything just for that while it works like it is.

38e20f2

> As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a minor change to your build.gradle:

I'll make a PR

Author

IzzySoft commented Aug 3, 2024

> I'll make a PR

Thanks!

> but I don't have the motivation to rewrite everything just for that

So what shall I put as "justification" to the "green list" then? To see what I mean, here's the "green list" from Capod:

android.permission.ACCESS_COARSE_LOCATION: needed to access BLE broadcasts in earlier Android versions
android.permission.ACCESS_FINE_LOCATION: needed to access BLE broadcasts in earlier Android versions
android.permission.ACCESS_BACKGROUND_LOCATION: needed to scan for BLE while the app is in background
android.permission.BLUETOOTH_SCAN: needed to access BLE broadcasts in newer Android versions
android.permission.SYSTEM_ALERT_WINDOW: needed to display the pop-up window with battery infos when the airpods case is opened

Member

d4rken commented Aug 3, 2024

Needed on newer Android versions to change/monitor volume while the app is in the background

Author

IzzySoft commented Aug 3, 2024

Thanks! Updated and deployed.
