Question on permissions #51

Closed
IzzySoft opened this issue Jul 24, 2024 · 5 comments

@IzzySoft

First up, great to see another release of this fine app! When pulling it in however the scanners here at IzzyOnDroid sounded a little warning:

! repo/io.github.nfdz.cryptool_20.apk declares sensitive permission(s):
  android.permission.SYSTEM_ALERT_WINDOW android.permission.SEND_SMS
  android.permission.RECEIVE_SMS android.permission.READ_SMS
! repo/io.github.nfdz.cryptool_20.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

The SMS permissions are rather clear, and I've added them to the app's "green list" right away:

    android.permission.SEND_SMS: required by the SMS provider
    android.permission.RECEIVE_SMS: required by the SMS provider
    android.permission.READ_SMS: required by the SMS provider

But could you please (confirm this and) clarify about the missing one (SYSTEM_ALERT_WINDOW)?

As for DEPENDENCY_INFO_BLOCK, that can be avoided easily with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

@nfdz
Owner

nfdz commented Jul 25, 2024

Hello @IzzySoft, thank you very much for your comments :)

The app asks for SYSTEM_ALERT_WINDOW to implement the overlay/window mode:

image

Android tried to promote the Bubbles API instead of this, but I still think that is not enough to provide all the features of this app in any case.

Anyway, the app must get the user approval in order to get this permission: MANAGE_OVERLAY_PERMISSION
So it is in the hands of the user if they want to activate this functionality or not. Please let me know if you have more concerns about this.

Regarding the DEPENDENCY_INFO_BLOCK, I honestly was not aware of this thing. I am testing the solution and I will include it in the next release 👍

@IzzySoft
Author

> Anyway, the app must get the user approval in order to get this permission

Yupp. So good to know what it is used for, so one can make an "informed decision" 😜 I've updated the "green list" accordingly.

> I honestly was not aware of this thing

Few were, so this does not surprise me. To my knowledge, this "feature" was not part of some "loud announcement" of "exciting news".

> I am testing the solution

Will go smoothly. Proven by hundreds of other apps where I reached out to their resp. developers with this. So I do not expect any issues (not as long as the app does not want to use AccessibilityService that is; then, PlayProtect might become nasty. Not the case here, so all should be fine).

@nfdz
Owner

nfdz commented Jul 25, 2024

@IzzySoft Thanks for sharing this knowledge! Expect an update soon.

@nfdz nfdz mentioned this issue Jul 25, 2024
nfdz added a commit that referenced this issue Jul 25, 2024
@nfdz
Owner

nfdz commented Jul 27, 2024

https://github.com/nfdz/Cryptool/releases/tag/3.2.1

@nfdz nfdz closed this as completed Jul 27, 2024
@IzzySoft
Author

Good timing! In 10 minutes the update checker starts its run 😄
