rootbeer
Safe apps are detected by checkPotentiallyDangerousApps
The checkPotentiallyDangerousApps (function detectPotentiallyDangerousApps) uses a constant hard-coded list of packages. For example, org.blackmart.market doesn't have anything to do with root, and it's perfectly valid to have some third-party APK market store installed (especially if it's an old version that doesn't even work anymore) - you can never have enough APK repositories in reserve to be prepared for situations when Google decides to pull more apps from their Play Store once they harm their anti-privacy agendas :) (Counter-intuitively, even if someone claims that unofficial/modified apps/games are "unsafe", remember that this is a root detection tool, so unless it also detects root, these apps should be unable to access dangerous privileges anyway.) Anyway, my guess is that there have been some root managers or tools using the same package name, which is why it got included in the list. The original PR was
- #145
where the comments referenced an arbitrary file gist like app_list.json, which had suddenly become an indisputable source of truth for this project. Is this list even exhaustive or up-to-date? What are the rules, and what is "potentially dangerous" even supposed to mean in this context? My Google Play Protect surely doesn't get triggered by such an app.
Can we please get an in-app explicit message referencing which package has been detected as unsafe? (Preferably also easy to consume and display to users by library consumers?) Can this be also logged for those of us who use a Logcat app on their phone whenever debugging apps that depend on this library (if for some reason we don't go scavenge source codes as our first resort)? I mean, not trying to be rude, but losing 50+ hours of personal time on debugging this false-positive nonsense at a short notice can be kind of a big deal for some of us. Of course, the intention should be also documented as per
- https://github.com/scottyab/rootbeer/issues/189
Last but not least, do you realize that banking apps are now starting to use this metric as part of their mandatory security check? (#188) What are your plans if any "dangerous app" decides to re-use a package of some well-known app?
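The request above, a check that names the matched package instead of returning only a flag, can be sketched as follows. This is an added example, not RootBeer's code: the class name, `findInstalled`, the `isInstalled` predicate and every package name other than org.blackmart.market are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

/** Added illustration, not RootBeer code: report WHICH listed packages matched. */
public class DangerousAppReport {

    // Constructed watch list. Only org.blackmart.market comes from the issue text;
    // the second entry is a placeholder.
    static final List<String> WATCH_LIST = List.of(
            "org.blackmart.market",
            "com.example.rootmanager");

    /**
     * Returns every watch-list entry that is installed, in list order.
     * isInstalled is an assumption of this sketch: on Android it would wrap
     * PackageManager.getPackageInfo(name, 0) and treat NameNotFoundException
     * as "not installed".
     */
    static List<String> findInstalled(List<String> watchList,
                                      Predicate<String> isInstalled) {
        List<String> hits = new ArrayList<>();
        for (String pkg : watchList) {
            if (pkg == null || pkg.isEmpty()) {
                continue; // skip malformed list entries instead of failing the check
            }
            if (isInstalled.test(pkg)) {
                hits.add(pkg);
            }
        }
        return List.copyOf(hits);
    }

    public static void main(String[] args) {
        // Constructed device state: one listed package plus an unrelated app.
        Set<String> installed = Set.of("org.blackmart.market", "com.example.bank");

        List<String> hits = findInstalled(WATCH_LIST, installed::contains);

        // The boolean result is derived from the list, so the caller can always
        // log or display the reason. A hit only means a package with this name
        // is installed; it says nothing about what that package does.
        System.out.println("flagged=" + !hits.isEmpty());
        for (String pkg : hits) {
            System.out.println("matched package: " + pkg);
        }
    }
}
```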
Got locked out of 2 apps because your lib detects my phone with potentially dangerous apps. Please give information on which app I need to get rid of!
Other than my personal problem, I agree with OP.