
Cleartext Traffic #131

Open
IzzySoft opened this issue Feb 9, 2024 · 2 comments

@IzzySoft
Contributor

IzzySoft commented Feb 9, 2024

Hi Michele, long time not seen…

The scanner of my repo got some additional features in January and on today's update reported (next to some permissions I already added to the "allow-list" as they are pretty clear) FamilyGem declares the usesCleartextTraffic flag. Can you please tell me what unencrypted connections are used/needed there?


If you want some of the other permissions with explanations, just let me know what I should put. For the non-PlayStore releases like in my repo it would also be great if the BIND_GET_INSTALL_REFERRER_SERVICE could be removed, as it smells a little of tracking (I also doubt the vending.BILLING is useful there, as those using my repo usually want to avoid Google).

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

@michelesalvador
Owner

Hi Izzy!

android:usesCleartextTraffic="true" was introduced with b53593c (4 years ago).
Removing it, the line

ToponymSearchResult searchResult = WebService.search(searchCriteria);
throws

problems connecting to geonames server http://api.geonames.org
java.io.IOException: Cleartext HTTP traffic to api.geonames.org not permitted

So the answer is: needed by GeoNames to display place suggestions.

At the moment a "non-PlayStore-release" of Family Gem is not a thing.
There is only one release and it compromises with Google's empire.

BIND_GET_INSTALL_REFERRER_SERVICE permission is not requested by Family Gem's AndroidManifest, but probably added to the APK by the InstallReferrerClient used in TreesActivity.
Its purpose is to retrieve a shared tree ID from the Play Store in case the app is installed clicking "Get it on Google Play" on the sharing page. If the app gets this ID, it proposes to download the shared tree.
So it's needed to simplify the import of a shared tree by a new user.

vending.BILLING is probably needed to purchase Family Gem Premium through the Google's BillingClient.
It would be nice to know how many users there are who want to avoid Google and would like an alternative payment system.

I suppose there is no problem on removing that dependenciesInfo from the APK.
But doesn't Google require these dependency metadata in the AAB I upload to the Play Store?

@IzzySoft
Contributor Author

was introduced with b53593c (4 years ago).

Eh, it's the code in my scanner that was added in January, so it only started finding and reporting these things now 🤣

problems connecting to geonames server http://api.geonames.org/

Ah. And yeah, they have an invalid certificate when you try https there. OK, while that's not really good it probably cannot be helped – unless someone tells geonames.org to get a proper cert – or an alternative to that API shows up. Or… read on their forums:

Https requests should be sent to secure.geonames.org instead of api.geonames.org.

Could you give that a try, please? The page looks very much the same, and you could have your app's security improved 😃

BIND_GET_INSTALL_REFERRER_SERVICE and vending.BILLING are declared by their corresponding libraries, yeah. And needed by them, I guess. If it's not asking too much, you could also consider a build flavor coming without those libs, so I'd pick that APK then. Most folks using my repo will not use PlayServices anyway, so you'd not lose anything there (no install referrers here, and billing won't work without the PlayStore app).

I suppose there is no problem on removing that dependenciesInfo from the APK.

Not at all, right.

But doesn't Google require these dependency metadata in the AAB I upload to the Play Store?

I'm not sure. But for my repo (or any other F-Droid repo), the AABs are not used. So you could of course just remove it from the APKs but leave it in the AABs – simply skip the includeInBundle = false then:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
    }
}
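The thread describes three possible states for the app: the app-wide android:usesCleartextTraffic="true" flag that the repo scanner flagged, a network security config that permits plain HTTP for api.geonames.org only, and no exception at all once place searches go to https://secure.geonames.org. The following is an added example, not code from Family Gem or from IzzySoft's scanner: a small Python lint that reads a decoded AndroidManifest.xml and the network_security_config.xml it references and reports where cleartext HTTP is permitted. The manifest and config snippets are constructed for this example, it assumes the manifest has already been decoded to text (an APK carries it in binary form), and it does not model debug-overrides or trust-anchors.

```python
"""Lint for Android cleartext-HTTP settings (added example, not Family Gem code).

Reads a decoded AndroidManifest.xml plus the network_security_config.xml it
references and reports where plain HTTP is permitted. Sample inputs below are
constructed for this example. Assumes the manifest is already decoded to text;
debug-overrides and trust-anchors are not modelled.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _as_bool(value, default):
    """Parse "true"/"false", falling back to default when the attribute is absent."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def _collect_domains(elem, inherited, domains):
    """Walk <domain-config> blocks; a nested block inherits from its parent block."""
    for dc in elem.findall("domain-config"):
        allowed = _as_bool(dc.get("cleartextTrafficPermitted"), inherited)
        for d in dc.findall("domain"):
            domains[(d.text or "").strip()] = allowed
        _collect_domains(dc, allowed, domains)


def cleartext_policy(manifest_xml, target_sdk, nsc_xml=None):
    """Return {"global": bool, "domains": {host: bool}} for the app.

    Platform default: cleartext allowed below targetSdk 28, blocked from 28 on.
    A referenced network security config supersedes android:usesCleartextTraffic.
    """
    platform_default = target_sdk < 28
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    nsc_ref = _android_attr(app, "networkSecurityConfig")
    if not nsc_ref:
        flag = _as_bool(_android_attr(app, "usesCleartextTraffic"), platform_default)
        return {"global": flag, "domains": {}}
    if nsc_xml is None:
        raise ValueError("manifest references %s but no config text was given" % nsc_ref)
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_attr = base.get("cleartextTrafficPermitted") if base is not None else None
    global_allowed = _as_bool(base_attr, platform_default)
    domains = {}
    _collect_domains(root, global_allowed, domains)
    return {"global": global_allowed, "domains": domains}


def cleartext_summary(policy):
    """One line a repo scanner could print next to the APK."""
    hosts = sorted(h for h, ok in policy["domains"].items() if ok)
    if policy["global"]:
        return "cleartext allowed app-wide"
    if hosts:
        return "cleartext allowed only for: " + ", ".join(hosts)
    return "cleartext blocked everywhere"


# Constructed sample: the pattern the scanner flagged (app-wide cleartext).
MANIFEST_FLAG = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

# Constructed sample: the same app pointing at a network security config instead.
MANIFEST_NSC = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed config: plain HTTP off everywhere except the single legacy host.
NSC_SCOPED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">api.geonames.org</domain>
  </domain-config>
</network-security-config>"""

# Constructed config: once searches use https://secure.geonames.org, no exception at all.
NSC_HARDENED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""

if __name__ == "__main__":
    print("flag only:   ", cleartext_summary(cleartext_policy(MANIFEST_FLAG, 33)))
    print("scoped NSC:  ", cleartext_summary(cleartext_policy(MANIFEST_NSC, 33, NSC_SCOPED)))
    print("hardened NSC:", cleartext_summary(cleartext_policy(MANIFEST_NSC, 33, NSC_HARDENED)))
```

The scoped config is the intermediate step if api.geonames.org has to stay on HTTP for a while: every other host is already protected and the exception is visible in one file instead of being an app-wide flag. The hardened config is the end state after WebService.search is pointed at https://secure.geonames.org; with it, a stray http:// URL fails with the same "Cleartext HTTP traffic ... not permitted" IOException shown above, which is exactly the check you want a regression to trip. Whatever host list the config ends up with should be compared against the hosts the code actually calls, since domain-config matches by hostname and a mismatch only shows up at runtime.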
