
Add a first run setup asking to download the EGM grid

Open GrazianoCapelli opened this issue 9 years ago • 8 comments

The app needs a first run screen (to download the EGM file). Something like the following:

In order to use the right altitude above sea level, we suggest downloading the EGM96 grid file. You can also download it later by enabling the EGM Automatic Altitude Correction in settings. [ Download it ] [ No, thanks ]

Download it: The app downloads the EGM grid (showing the progress dialog like on settings) and enables EGM correction when the download is finished; No, thanks: The app enables the "projected on the ground" option for displaying altitude in Google Earth.

In fact, some Google Play users reported "the track is not visible in Google Earth" because they tried the app without the EGM grid and using the "Absolute" altitude mode (i.e. out of the box).

The app must show a first run setup in order to adjust that. The first run setup has to run after the real time permissions check (and requests) for Android 6+, because it needs to have internet access and to write the EGM file into the SD.

GrazianoCapelli, Nov 26 '16 09:11

I'm wondering why this download is necessary at all. Can't that file be included in the app package? It's not like it's huge. Are there licensing issues? Does it have to be updated? I hope the download is via https.

The first-run screen could also take the chance to introduce the user to the main operations and maybe a few important settings. Though it should be a lot easier after redesigning the main screen.

If this tutorial has several pages, there should be a "Skip tutorial" button in the lower left corner (and "Continue" in the lower right) for those who just reinstall the app on a new device. The download page should be shown in any case then.

ygoe, Oct 10 '20 11:10

Yes, there are licensing issues (https://earth-info.nga.mil/GandG/disclaim.html). The download is via HTTPS and it doesn't need to be updated.

I completely agree with you: when we add a First-Time Tutorial we could ask to download the EGM Grid as a step.

GrazianoCapelli, Oct 11 '20 08:10

Hm, I'm not so sure about the https download: https://github.com/BasicAirData/GPSLogger/blob/master/app/src/main/java/eu/basicairdata/graziano/gpslogger/FragmentSettings.java#L156

The page you linked above does not contain any licence or terms of use. It's just a disclaimer that says they're not liable for anything. I couldn't find any such terms on their website but being a US governmental organisation, I'd guess the data belongs to the public domain.

ygoe, Oct 11 '20 10:10

Copyright issues are never easy. To avoid any issue it is necessary to have a clear statement that declares that the use of the file is free for any application. In general that is not true.

JLJu, Oct 11 '20 11:10

> Hm, I'm not so sure about the https download

Take a look at https://github.com/BasicAirData/GPSLogger/issues/67. To date the HTTP link is still unavailable (HTTP 302), and the HTTPS alternative is used.

Here you can find the code that switches the HTTP link to HTTPS with TLS cryptographic protocol.

GrazianoCapelli, Oct 13 '20 07:10

That redirection is unfortunately insecure. You rely on the server to redirect you to https (and even the same requested resource). But since this is all happening unencrypted, an attacker could easily inject another file, even as redirection to a totally different location. https is only secure if you initially start with it. Otherwise, it's almost as insecure as if it wasn't there. It's probably not very relevant here, but still, using https improperly isn't of any use. Remember: If you want to use https, then you must never ever use http again anywhere.

ygoe, Oct 13 '20 07:10

We know that the redirection is insecure. Unfortunately, in July 2019 the National Geospatial-Intelligence Agency started to change its website in a way that was not predictable for us (the EGM file started to return an HTTP 302) and, when we patched the code, we decided to keep all the possibilities open in order to restore the functionality and minimize the possibility that the file could become unavailable again.

We are watching whether the remote situation remains stable: the plan is to completely remove the HTTP request in favor of a direct HTTPS one, at least for Android 5+ that supports the TLS protocol.

Anyway, thanks for pointing this out.

GrazianoCapelli, Oct 13 '20 08:10

Ah, that explanation helps. A good place for that would be the code itself. Just a short comment reasoning this insecure approach. At least from a code reviewer's perspective, that seems necessary.

ygoe, Oct 13 '20 15:10
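
The rule discussed in this thread (start with https and never accept an http hop) can be enforced by following redirects by hand and checking every target. This is an added example, not GPSLogger's code; the class name, the `example.org` URLs, the timeouts and the hop limit are assumptions made for illustration.

```java
import java.io.*;
import java.net.*;
import java.nio.file.*;

public class HttpsOnlyDownload {
    static final int MAX_REDIRECTS = 5; // assumed limit, prevents redirect loops

    /** Rejects any URL that is not https, for the first request and for every redirect target. */
    static URL requireHttps(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("Refusing non-HTTPS URL: " + url);
        }
        return url;
    }

    /** Downloads start to dest, following redirects manually so each hop is validated. */
    static void download(URL start, Path dest) throws IOException {
        URL current = requireHttps(start);
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            HttpURLConnection conn = (HttpURLConnection) current.openConnection();
            conn.setInstanceFollowRedirects(false); // never follow a redirect silently
            conn.setConnectTimeout(10_000);
            conn.setReadTimeout(30_000);
            try {
                int status = conn.getResponseCode();
                if (status == HttpURLConnection.HTTP_OK) {
                    try (InputStream in = conn.getInputStream()) {
                        Files.copy(in, dest, StandardCopyOption.REPLACE_EXISTING);
                    }
                    return;
                }
                String location = conn.getHeaderField("Location");
                if (status < 300 || status >= 400 || location == null) {
                    throw new IOException("Unexpected HTTP status " + status);
                }
                // Resolve relative targets against the current URL, then re-check the scheme.
                current = requireHttps(new URL(current, location));
            } finally {
                conn.disconnect();
            }
        }
        throw new IOException("Too many redirects");
    }

    public static void main(String[] args) {
        // Constructed URL: the http start is rejected before any connection is opened.
        try {
            download(new URL("http://example.org/egm/grid.dat"), Paths.get("grid.dat"));
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Because the scheme check runs before `openConnection()`, an http start URL or an http `Location` header fails closed instead of fetching content over an unauthenticated channel.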