Atomic-Periodic-Table.Android

cleartext traffic?

Open IzzySoft opened this issue 1 year ago • 9 comments

May I ask what cleartext connections this app uses and why?

! repo/com.jlindemann.science_66.apk declares flag(s): usesCleartextTraffic
! repo/com.jlindemann.science_66.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

As for DEPENDENCY_INFO_BLOCK, this can easily be avoided with a tiny adjustment in your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

IzzySoft avatar Jul 07 '24 20:07 IzzySoft
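The "signature block blobs" finding above comes from reading the APK Signing Block, the container that sits between the zip entries and the central directory and holds the v2/v3 signatures alongside any other ID-value pairs a build tool chooses to add. The script below is an added example, not code from the IzzyOnDroid checker or from this project: it locates that block through the End of Central Directory record, walks the ID-value pairs and names the IDs it knows (0x7109871a, 0xf05368c0, 0x42726577 from the APK signature scheme documentation, 0x504b4453 as reported in this thread). Because no real signed APK is available offline, it also constructs a throwaway zip with a synthetic block spliced in; `build_test_apk`, `describe` and the sample blob contents are inventions of this example.

```python
"""Added example: list the ID-value blobs in an APK Signing Block."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"

# Block IDs from the APK Signature Scheme documentation; 0x504b4453 as seen in the thread.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    0x504B4453: "DEPENDENCY_INFO_BLOCK (Google Play dependency metadata)",
}


def _eocd_offset(data: bytes) -> int:
    """Offset of the End of Central Directory record (last PK\\x05\\x06 signature)."""
    pos = data.rfind(b"PK\x05\x06", max(0, len(data) - 22 - 0xFFFF))
    if pos < 0:
        raise ValueError("no End of Central Directory record")
    return pos


def _central_directory_offset(data: bytes) -> int:
    # uint32 at EOCD+16: offset of the start of the central directory
    return struct.unpack_from("<I", data, _eocd_offset(data) + 16)[0]


def parse_signing_block(data: bytes) -> dict:
    """Return {block_id: value_bytes}; {} when the APK has no signing block.

    Layout (little-endian): uint64 size | ID-value pairs | uint64 size | 16-byte magic,
    each pair being uint64 length | uint32 id | value. The size fields exclude the
    leading size field itself, and the block ends right where the central directory starts.
    """
    cd_off = _central_directory_offset(data)
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", data, cd_off - 24)[0]
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields inconsistent")
    pos, end, blobs = start + 8, cd_off - 24, {}
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        pos += 8
        if pair_len < 4 or pos + pair_len > end:
            raise ValueError("malformed ID-value pair")
        block_id = struct.unpack_from("<I", data, pos)[0]
        blobs[block_id] = data[pos + 4:pos + pair_len]
        pos += pair_len
    return blobs


def describe(blobs: dict) -> list:
    """One line per blob in the style of the report above; unknown IDs are marked."""
    return [
        "0x%08x (%s; %d bytes)" % (bid, KNOWN_BLOCK_IDS.get(bid, "unknown"), len(v))
        for bid, v in sorted(blobs.items())
    ]


def build_test_apk(blobs=None) -> bytes:
    """Constructed sample: a tiny stored zip, optionally with a synthetic signing block.

    Only the container format is exercised; the blob contents are arbitrary bytes, not
    real signatures or real dependency metadata.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("classes.dex", b"dex\n")
    data = buf.getvalue()
    if blobs is None:
        return data
    cd_off, eocd = _central_directory_offset(data), _eocd_offset(data)
    pairs = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in blobs.items())
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    # The central directory moves down by len(block); local headers keep their offsets,
    # so only the EOCD's central-directory offset needs patching.
    new_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd_off + len(block)) + data[eocd + 20:]
    return data[:cd_off] + block + data[cd_off:eocd] + new_eocd


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        sample = open(sys.argv[1], "rb").read()
    else:
        sample = build_test_apk({0x7109871A: b"\x00" * 32, 0x504B4453: b"opaque-metadata"})
    for line in describe(parse_signing_block(sample)) or ["no APK Signing Block"]:
        print(line)
```

Run it with a real APK path to see the same IDs the repo check reports; the only thing it can tell you about 0x504b4453 is its presence and size, which is exactly the point made above about the blob being opaque to everyone but Google.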

Oof. Just catching up with the reports (I was AFK for 10 days), and there's another one. Looks like you've added non-free dependencies:

! com.jlindemann.science: needs NonFreeComp, needs NonFreeNet

Checking, I see:

  • BillingClient
  • GMS
  • Firebase
  • Places report

That's a little much. Could you undo that, or provide a libre build flavor (with its APK)?

IzzySoft avatar Jul 07 '24 21:07 IzzySoft

Hello!

I will provide an APK without the billing. It's for the PRO version which is in the Play Store app that supports the development. But I will provide a version without those features here on GitHub, without those dependencies.

JLindemann42 avatar Jul 09 '24 18:07 JLindemann42

Btw, the new version also still shows cleartextTraffic:

! repo/com.jlindemann.science_81.apk declares flag(s): usesCleartextTraffic
! repo/com.jlindemann.science_81.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

What is that needed for? Also, will you take care of that blob? Also, the BillingClient is back – along with all the other proprietary libs (Firebase, GMS, PlaceReport). Not only that, now the app also added Crashlytics. So I'm sorry, I'll have to remove it from IzzyOnDroid, as it no longer meets the inclusion criteria.

You've promised to provide an APK without billing. Is there a chance to have that soon? I've now removed the offending version for a last time, to be able to keep your app in the repo. Updates are set to monthly instead of daily, so it doesn't get dragged in the next day. But if this issue isn't solved before the update is pulled again, I'll have to remove the app. Still hoping we can keep it!

So thanks in advance for helping with that!

IzzySoft avatar Aug 01 '24 06:08 IzzySoft

Hello!

I will try to fix it on my free day tomorrow, but I have quite a lot of work at the moment. Working on it, though!

The app will have BillingClient for supporting the development and the costs for the backend as well as my studies. But when I have time I will have multiple releases at the same time, where one is with billing and one is not.

JLindemann42 avatar Aug 02 '24 17:08 JLindemann42

I will try to fix it on my free day tomorrow, but I have quite a lot of work at the moment. Working on it, though!

Great, thanks! And I'm not the "prosecutor", just the "friendly reminder", so no rush :wink:

The app will have BillingClient for supporting the development

Hm, I understand the purpose, but that's really unfortunate FOSS-wise. Not only is the library itself proprietary, it also drags in several other proprietary libraries (like GMS). And apart from not working anyway on degoogled devices, it is a tracking component as it calls out to Google. Maybe you'd consider some alternative – if not for the PlayStore build, then maybe at least for a FOSS flavor?

I will have multiple releases at the same time, where one is with billing and one is not.

Ah, there's the flavor idea. Glad to read – so I keep my :crossed_fingers: that you find time for this soon. Those anti-features look a bit scary:

[image: anti-feature list]

:wink:

IzzySoft avatar Aug 02 '24 23:08 IzzySoft

I have just released 2.5.1, which includes a version here on GitHub without the libraries for billing!

JLindemann42 avatar Aug 16 '24 07:08 JLindemann42

Thanks! The libs seem gone indeed, but:

Dangerous flags:
----------------
* usesCleartextTraffic

Permissions:
------------
* android.permission.INTERNET
* com.android.vending.BILLING
* com.jlindemann.science.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

The billing permission is still there. So is usesCleartextTraffic and DEPENDENCY_INFO_BLOCK. I guess you simply forgot to remove the permission from AndroidManifest.xml for the flavor, so it's "unused".

I've set your app for daily update checks again, so this release should show up with the next sync around 6 pm UTC. But can you please address that permission and the blob (at least for the APK of the nobilling variant) – and tell me what reason to name for the cleartext traffic? Thanks in advance!

IzzySoft avatar Aug 16 '24 21:08 IzzySoft
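The two leftovers in the report above, the `usesCleartextTraffic` flag and the `com.android.vending.BILLING` permission, are both declared in `AndroidManifest.xml`, so a flavor that drops the billing code still ships them until the manifest for that flavor is edited. The script below is an added example, not the repo's checker and not the project's code: it runs the same two checks over a decoded manifest (the text form produced by `apktool d`, not the binary XML inside the APK, which this example does not parse) and shows the corrected manifest, relying on the platform default of blocking cleartext when the attribute is absent on targetSdk 28 and above. The sample manifest, the `NONFREE_PERMISSIONS` set and the function names are constructed for this example.

```python
"""Added example: manifest checks behind the usesCleartextTraffic / BILLING findings."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output

# Permissions a libre / "nobilling" flavor must not declare (assumption for this example).
NONFREE_PERMISSIONS = {"com.android.vending.BILLING"}

# Constructed sample: a decoded manifest reproducing the findings in the thread.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.jlindemann.science">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="com.android.vending.BILLING"/>
    <application android:label="Atomic" android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def check_manifest(xml_text: str) -> list:
    """Return one finding per problem; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    # Only an explicit "true" opens cleartext to every host; absent means the
    # platform default, which is "false" for targetSdk >= 28.
    if app is not None and app.get(A + "usesCleartextTraffic", "false").lower() == "true":
        findings.append("usesCleartextTraffic=true: plain http:// to any host is allowed")
    for perm in root.findall("uses-permission"):
        name = perm.get(A + "name")
        if name in NONFREE_PERMISSIONS:
            findings.append("uses-permission %s: proprietary billing permission declared" % name)
    return findings


def harden_manifest(xml_text: str) -> str:
    """Return the manifest with the cleartext flag and non-free permissions removed."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is not None:
        app.attrib.pop(A + "usesCleartextTraffic", None)
    for perm in list(root.findall("uses-permission")):
        if perm.get(A + "name") in NONFREE_PERMISSIONS:
            root.remove(perm)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print("!", finding)
    print()
    print(harden_manifest(SAMPLE_MANIFEST))
```

If the app genuinely still needs one plain-http endpoint, the narrower option is a `network_security_config.xml` that permits cleartext for that single domain instead of the manifest-wide flag; with the flag simply removed, as the developer intends below, the check passes and nothing else changes.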

Hello! Thanks for the quick reply. Cleartext was used way back in development for some experimental stuff when my homepage didn't have HTTPS. I will remove this soon; it is most likely something I have forgotten.

I will continue to remove the things you mention from the "non-billing version" as I continue to remove billing code for the APK.

Thanks, Jonatan Lindemann

JLindemann42 avatar Aug 17 '24 16:08 JLindemann42

Thanks a lot! Looking forward to the next release(s) then :star_struck:

IzzySoft avatar Aug 17 '24 18:08 IzzySoft