tpb1908/AndroidProjectsClient

Wrong version in v1.3.1 APK

Closed this issue · 8 comments

Just a note: you seem to have forgotten updating versionName and versionCode with the latest release. It still reports

package: name='com.tpb.projects' versionCode='1339' versionName='1.1.0' platformBuildVersionName='7.1.1'

which causes trouble in updating (e.g. as it's not seen as a new version).
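A release check for the mismatch reported above, as an added example that is not part of the original thread or the project's code: it parses a `package:` line in the format quoted in the issue (the format `aapt dump badging` prints) and compares it with the release tag before an APK is published. The function names, the `previous_version_code` parameter and the `FIXED` sample line are assumptions constructed for illustration.

```python
import re

# One key='value' pair from a "package:" line.
_FIELD = re.compile(r"(\w+)='([^']*)'")

# The line quoted in the issue, and a constructed line for a corrected build.
REPORTED = ("package: name='com.tpb.projects' versionCode='1339' "
            "versionName='1.1.0' platformBuildVersionName='7.1.1'")
FIXED = ("package: name='com.tpb.projects' versionCode='1340' "
         "versionName='1.3.2' platformBuildVersionName='7.1.1'")  # constructed


def parse_badging(line):
    """Return the key='value' fields of a 'package:' line as a dict."""
    if not line.startswith("package:"):
        raise ValueError("not a package line")
    return dict(_FIELD.findall(line))


def normalize(version):
    """'v1.3.1' or 'V1.3.2' or '1.3.2' -> tuple of ints for comparison."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError("unparseable version: %r" % version)
    return tuple(int(part) for part in m.group(1).split("."))


def check_release(badging_line, tag, previous_version_code=None):
    """Return a list of problems; an empty list means the APK matches the tag."""
    pkg = parse_badging(badging_line)
    problems = []
    name = pkg.get("versionName")
    try:
        if name is None or normalize(name) != normalize(tag):
            problems.append("versionName %r does not match tag %r" % (name, tag))
    except ValueError as exc:
        problems.append(str(exc))
    code = pkg.get("versionCode", "")
    if not code.isdigit():
        problems.append("versionCode %r is not an integer" % code)
    elif previous_version_code is not None and int(code) <= previous_version_code:
        # Updaters only treat the APK as newer if versionCode increases.
        problems.append("versionCode %s is not above previous %d"
                        % (code, previous_version_code))
    return problems


if __name__ == "__main__":
    for problem in check_release(REPORTED, "v1.3.1"):
        print("FAIL:", problem)
```
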

The versionCode is correct because it comes from the git commit when the project is built.

I just released a build with the correct version name https://github.com/tpb1908/AndroidProjectsClient/releases/tag/V1.3.2

Sorry about that.

Oh – and sorry for wrong accusation on versionCode, didn't check that explicitly 🙈. Usually, if one of the two is wrong the other is as well. Thanks for the fast reaction! Pulled that update manually now, so it should be fine in the repo 😇

By the way: Any suspicion what module could cause that PUA report by VirusTotal? The scanner reporting it (WhiteArmor) is notorious about some ad modules (PUA = Potentially Unwanted Application) – but the name it gives them doesn't give a clue.

No problem.

I don't know why the app would be flagged, as it doesn't contain ads.

It might be because it uses reflection.
There are 2 or 3 (I think) places that it uses it.
One is a fix for an Android memory leak, and another is when accessing tags from the XMLReader in HtmlTagHandler because it doesn't give them to you.

Another reason might be that the APKs are debug rather than release.

The app does contain Firebase analytics, but that's pretty standard and there is an option to disable it.

If anyone is really worried they are free to build the app themselves, all they need is Android studio, and to go on GitHub and Imgur to get their own API keys.

Thanks – and no, then I see no reason either. If there were ads I'd have felt the need to point that out. Might be they dislike the Analytics stuff (I wouldn't want to see Flurry or GA in an app I use, for example, for their tracking – and those are "pretty standard" as well unfortunately, see e.g. my article What’s it all about those modules apps contain? for details), but I cannot tell much about Firebase (insights are welcome). Those scanners don't check whether something can be disabled, but if something was detected, by the way 😜

On my help pages I've pointed out that "PUA" doesn't mean "malware" (or anything like that), as well as that if 1 out of the 60 engines at VirusTotal flags an app that might well be a "false positive" – so I'm not really bothered but rather curious 😉

FireBase lets me see crash stack traces.
Each one comes with some device information, which isn't personally identifiable, but gives me some information about the device.

  • VM performance: free memory, max used memory, currently used memory
  • Battery percentage and charging state
  • Network type, e.g. mobile data or WIFI
  • Device make, model, and Android version
  • Screen orientation
  • The device locale and country code

I could use Firebase to push notifications to devices or to do A/B testing / toggle settings if I set it up, but the code would already have to be in the app and installed on the device so there's really nothing that can be easily hidden and there's also no point in doing it.

Thanks a lot for those details! So it's nothing about permanently tracking a device – but just creating a detailed crash report whenever a crash happens? Nothing sent automatically without the user explicitly approving? And no device identifiers (GAID, Android_ID or IMSI)? AFAIR F-Droid doesn't accept apps shipping with Firebase, but I'm not sure whether that's because of tracking or solely for being "closed source / proprietary" (both are valid reasons there, as on F-Droid everything should be "pure FOSS").

As far as I know, that's all FireBase does, however it is owned by Google, so who knows.

Luckily I think it would be pretty easy to make two releases.

It would just mean wrapping any calls to FireBase with a class which either calls FireBase or logs the same info to a file which the user can email.

Luckily the users that use FDroid are generally the ones who are more willing to report bugs anyway.

Indeed, users focused on FOSS are more active in that sense as well 😸 And often have a general mistrust concerning Google & Co. 😯

If a "Firebase-less" version is that easily built you could make a test: build one, and have it checked by VirusTotal. Then see whether WhiteArmor still reports PUA. If not, we know Firebase triggers that. Plus, if you want to, you could submit that to F-Droid 😜