Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question on permissions #296

Closed
IzzySoft opened this issue Feb 24, 2024 · 5 comments
Closed

Question on permissions #296

IzzySoft opened this issue Feb 24, 2024 · 5 comments
Labels
question Further information is requested

Comments

@IzzySoft
Copy link

My scanner got a few additional checks in January, and on today's update of your app reported:

! repo/io.freetubeapp.freetube_190002110.apk declares flag(s): usesCleartextTraffic
! repo/io.freetubeapp.freetube_190002110.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE android.permission.SYSTEM_ALERT_WINDOW

Could you please clarify:

  • what cleartext connections are used and where to
  • what those two permissions are needed for?

Thanks in advance!
@IzzySoft IzzySoft added the question Further information is requested label Feb 24, 2024
@MarmadileManteater
Copy link
Owner

Cleartext connections were enabled in order to allow use of invidious servers hosted on the local network. No cleartext connections are made outside of in the context of when the invidious instance is set to be HTTP by the user explicitly. If this is potentially a security issue that I am not understanding fully, I could disable clear text.

I do not believe the external storage permission is necessary. I seem to have mistakenly left that one in there. 🍳 👤

I am completely unfamilar with SYSTEM_ALERT_WINDOW. I wasn't aware my app was requesting that permission, and I wonder if it is coming from one of my cordova plugins. 🤔 Is it a new permission request for this as of this version?

@MarmadileManteater
Copy link
Owner

MarmadileManteater commented Feb 24, 2024
edited
Loading

Now that I am looking, I don't actually explicity include the external storage permission either. I may need to explicitly disable those permissions if a plugin is enabling them.

@MarmadileManteater
Copy link
Owner

Full context: I am likely switching away from cordova by the time I was planning on doing the next full release. The new "cordovaless" build of the app I am working on does not request these permissions in the android manifest.

MarmadileManteater added a commit that referenced this issue Feb 25, 2024
@MarmadileManteater
Remove all permissions not named explicitly
bb466dd 
#296
@IzzySoft
Copy link
Author

Thanks, @MarmadileManteater! I've added the usesCleartextTraffic to the exception list for your app together with the explanation you gave. As for the storage permission, guess I simply wait if it's gone with the next release then.

Now for SYSTEM_ALERT_WINDOW: do you use any "floating video player" maybe, or "floating controls"? In your code I see some references to a floatingTopButton. Such things need to "display over other windows", which is what SYSTEM_ALERT_WINDOW enables.

@MarmadileManteater
Copy link
Owner

I have plans to implement picture-in-picture, but it doesn't actually work at the moment.

@MarmadileManteater MarmadileManteater closed this as not planned Won't fix, can't repro, duplicate, stale Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@IzzySoft @MarmadileManteater