
Question on permissions

Open IzzySoft opened this issue 4 months ago • 11 comments

My scanner got a few new features in January, and now reported on today's release:

! repo/com.lagradost.quicknovel_54.apk declares sensitive permission(s):
 android.permission.READ_EXTERNAL_STORAGE android.permission.REQUEST_INSTALL_PACKAGES

While the storage one is easily explained, I wonder what apps a novel reader wants to install?


Oh, if you wonder about that DEPENDENCY_INFO_BLOCK, that's easily eliminated:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

IzzySoft avatar Feb 09 '24 20:02 IzzySoft
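The kind of check the scanner warning above comes from, as an added example (not IzzySoft's scanner and not QuickNovel code): it walks a decoded AndroidManifest.xml, collects declared permissions and reports the two the thread flags as sensitive in the same one-line format. The sample manifest and the APK path are constructed for illustration.

```python
"""Flag sensitive Android permissions declared in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions reported as sensitive in the thread above.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed sample manifest (assumed already decoded, e.g. by apktool);
# it is not QuickNovel's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every permission name declared in the manifest, in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter():
        # Both <uses-permission> and the SDK-23-only variant are declarations.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def sensitive_permissions(manifest_xml: str) -> list[str]:
    """Return the declared permissions that are on the sensitive list, sorted."""
    return sorted(p for p in declared_permissions(manifest_xml) if p in SENSITIVE_PERMISSIONS)


def report(apk_path: str, manifest_xml: str) -> str:
    """Build the scanner-style warning line, or an empty string if nothing is flagged."""
    found = sensitive_permissions(manifest_xml)
    if not found:
        return ""
    return f"! {apk_path} declares sensitive permission(s):\n " + " ".join(found)


if __name__ == "__main__":
    print(report("repo/com.example.reader_1.apk", SAMPLE_MANIFEST))
```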

Qn uses android.permission.REQUEST_INSTALL_PACKAGES because it has a built-in updater within the app (and that is the only use). It may be removed, but I don't trust Android not fucking it up.

LagradOst avatar Feb 10 '24 11:02 LagradOst

Ummm… Is the self-updater opt-in? And does it give proper explanation of the implications? From the IzzyOnDroid App Inclusion Criteria:

The app … must not download additional executable binary files (e.g. addons, auto-updates, etc.) without explicit user consent. Consent means it needs to be opt-in (it must not be harder to decline than to accept or presented in a way users are likely to press accept without reading) and structured in a way that clearly explains to users that they’re choosing to bypass the checks performed in this repo if they activate it.

(basically the same rule as F-Droid.org has). So while ideally it is not present at all, you need not necessarily to remove it altogether, but having it opt-in with the proper explanations would suffice.

IzzySoft avatar Feb 10 '24 16:02 IzzySoft

Ummm… Is the self-updater opt-in? And does it give proper explanation of the implications? From the IzzyOnDroid App Inclusion Criteria:

If the search-update check is enabled (it can be disabled/enabled in settings), it will search the GitHub releases at every startup for an update, and if it finds one it will show the user a dialog with the following options: update, cancel, dont_show_again. So the update is optional, but it searches by default. It will never update without user consent.

LagradOst avatar Feb 10 '24 23:02 LagradOst

While you are already here, the same goes for cs3 (https://apt.izzysoft.de/fdroid/index/apk/com.lagradost.cloudstream3), and cs3 disables ACRA by default.

LagradOst avatar Feb 10 '24 23:02 LagradOst

If the search-update check is enabled (it can be disabled/enabled in settings), it will search the GitHub releases at every startup for an update, and if it finds one it will show the user a dialog with the following options: update, cancel, dont_show_again. So the update is optional, but it searches by default. It will never update without user consent.

Hm, the check should also be opt-in. Let me give you two example screenshots from an app that recently implemented this:

01_enable_update_check 02_update_action

The first popup occurs when no choice was made yet (e.g. right after the first start following the initial installation or the update to the version that introduced this, and by default the value for that setting is NULL). Both buttons use the very same design, so no "nudging". The second popup of course never appears if the check was disabled. It's still not ideal as it forgets to mention the implications (such updates would bypass the additional checks performed in the resp. F-Droid repo).

While you are already here

Thanks! I removed the Tracking AF right now (effective with the next sync around 7 pm UTC, as usual) and configured the scanner to not report it. As for "the same goes" – yes, then please carry over the same solution from here. It was not yet triggered for CS3 as most likely there was no update yet since those new features got added to my scanner. I didn't yet run a full scan on existing APKs as I still have more than enough to follow up by incoming updates :see_no_evil:

IzzySoft avatar Feb 11 '24 00:02 IzzySoft

The warning popped up again today, so let me show you the new "screenshot 1" I just received:

01_enable_update_check

IzzySoft avatar Feb 12 '24 19:02 IzzySoft