Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

releases: only "pre"? #108

Open
IzzySoft opened this issue Feb 9, 2025 · 3 comments
Open

releases: only "pre"? #108

IzzySoft opened this issue Feb 9, 2025 · 3 comments
Labels
pending Awaiting more information from issuer

Comments

@IzzySoft
Copy link

IzzySoft commented Feb 9, 2025

I wonder that all releases are still just pre-releases, while the app is already listed at PlayStore. Are any "proper releases" planned?

While here, I just sent the latest APK (the non-debug one) through our scanners, which yielded:

Dangerous flags:
----------------
* usesCleartextTraffic

Dangerous Filters:
------------------
android.accessibilityservice.AccessibilityService

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

I guess the Internet permission is for the weather widget and the RSS feeds only. But why does it need cleartext traffic? What is AccessibilityService used for? As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance – and looking forward to your reply!
@albu-razvan
Copy link
Owner

A release is planned, but there are still features in the Play Store version that are missing from the rewrite. Once the majority of the features are ported, beta releases will start to appear on Google Play.

Regarding the AccessibilityService, that is used to tell the system to lock the device when double tapping the home screen (you can turn on the option, and service in the settings if you wish to, but it is disabled by default for obvious reasons).

About the clear text flag, I genuinely do not remember what might be the reason why it still is part of the manifest entry. It might be something that I forgot to remove from when I was working on the weather widget. I'll take a look and see if it is still needed and where it might be used, if not remove it. I'll mark this as pending in the meantime until I have more info.

@albu-razvan albu-razvan added the pending Awaiting more information from issuer label Feb 9, 2025
@IzzySoft
Copy link
Author

IzzySoft commented Feb 9, 2025

Thanks a lot! If you drop me a note once the first "real release" (not "pre") becomes available, I can see if we can add it to the IzzyOnDroid repo – so it's also easily accessible for those folks not using Goggle's services.

@RomanK2311
Copy link

Hello and all the best to you and thank you for the beautiful launcher, and can I ask if there will be a publication on the IzzyOnDroid repository, since I live in Russia and YouTube is already blocked here and there is a possibility of blocking Play Market @IzzySoft @albu-razvan ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pending Awaiting more information from issuer
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@IzzySoft @albu-razvan @RomanK2311