Certificate issue

[IzzySoft]

A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!

[IzzySoft]

@Dado1513 any word?

[Dado1513]

@IzzySoft yes in a couple of days I will proceed with the new release.

[IzzySoft]

Wonderful, thanks! :star_struck:

[IzzySoft]

Friendly ping, @Dado1513 – couple of days reached? At the end of this month, debugkey-signed APKs must be gone from my repo, so I'd have to remove it by then (at least until you have the new one ready).

[Dado1513]

Hi @IzzySoft, I just released a new version with a valid signature: HideDroid 1.3

[IzzySoft]

Thanks! Triggering a pull now…

! repo/it.unige.hidedroid_4.apk declares flag(s): usesCleartextTraffic
! repo/it.unige.hidedroid_4.apk declares intent-filter(s): android.net.VpnService
! repo/it.unige.hidedroid_4.apk declares sensitive permission(s):
  android.permission.REQUEST_INSTALL_PACKAGES android.permission.REQUEST_DELETE_PACKAGES
  android.permission.READ_EXTERNAL_STORAGE*

usesCleartextTraffic is clear (oops) as all traffic needs to be filtered. VpnService is also clear (that's how the app works). The permissions are however unclear: what packages are going to be installed/deleted? And what for is read/write storage needed (the trailing asterisk says READ_EXTERNAL_STORAGE is being granted implicitly by Android as WRITE_EXTERNAL_STORAGE was requested)?

One more thing: application-debuggable is set for the APK. Any reason for that? I especially wonder as I cannot find that in your AndroidManifest.xml…

New release will go live here with the next sync. I've also added a "release note" concerning the changed certificate, telling people they'd have to uninstall and reinstall: