zacharee/MastodonRedirect

Question on permission/flag: QUERY_ALL_PACKAGES, usesCleartextTraffic

Closed this issue · 8 comments

My scanner just got a few new checks, which were now triggered by your app with today's update:

! repo/dev.zwander.mastodonredirect_34.apk declares flags: usesCleartextTraffic
! repo/dev.zwander.mastodonredirect_34.apk declares risky permissions: android.permission.QUERY_ALL_PACKAGES

I have an idea about that permission (but please tell me nevertheless), but do you really need usesCleartextTraffic here? Are there any Mastodon servers not secured via https? If there are good reasons, both things can be added to the allow-list for your app. But if not, they'd better be fixed on your end 😉 Thanks!

I've run into a few Mastodon and Lemmy domains that aren't HTTPS when working on building the filters for which domains to include. None of the variants actually send any data over cleartext; they might just try to load the given URL to determine if it's a media link if that option is enabled.

For querying all packages, I don't think it's strictly needed, but some versions of Android are really wonky with intent filters and this lets me avoid making unique query tags for every manually supported app and variant.
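The narrower manifest alternatives to the two flagged items, as an added example that is not from the MastodonRedirect project: a `<queries>` block declares only the packages and intents the app needs to resolve (Android 11+ package visibility) instead of QUERY_ALL_PACKAGES, and a network security config permits cleartext only for the specific hosts that lack HTTPS while the app-wide default stays off. Package and domain names below are placeholders.

```xml
<!-- AndroidManifest.xml (excerpt) -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">

    <!-- Instead of android.permission.QUERY_ALL_PACKAGES: enumerate what
         must be visible. A package listed here resolves even when its
         intent filters do not match, which covers the unreliable cases. -->
    <queries>
        <!-- Placeholder package name for one manually supported client -->
        <package android:name="org.example.fediverse.client" />
        <!-- Any app that can open an https link; candidates can then be
             resolved with PackageManager.queryIntentActivities -->
        <intent>
            <action android:name="android.intent.action.VIEW" />
            <data android:scheme="https" />
        </intent>
    </queries>

    <!-- No android:usesCleartextTraffic="true" on <application>; the
         config referenced here scopes cleartext to named hosts only. -->
    <application
        android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>

<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Default: plain http is refused for every host not listed below -->
    <base-config cleartextTrafficPermitted="false" />
    <!-- Only the instances known to lack HTTPS (placeholder hostname) -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">http-only-instance.example</domain>
    </domain-config>
</network-security-config>
```

With this layout the APK declares neither the flag nor the permission; the trade-off is that every http-only instance and every client package must be listed explicitly and kept current.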

Thanks for the swift response! I'll add both to your app's allow-list then. I already thought QUERY_ALL_PACKAGES was for picking the target app but wondered exactly that: shouldn't there be intent filters for it? But if experience showed they were not reliable, I understand the choice. And nothing you can do about those servers…

Speaking of "Mastodon and Lemmy domains": I guess the same is true then for LemmyRedirect as well? And what about PeerTubeRedirect? Those two didn't yet trigger my scanner, but maybe their last update was before the additional checks on my end were activated.

I added usesCleartextTraffic on Sept 4 and QUERY_ALL_PACKAGES on Oct 5 inside the shared manifest, so I don't know why it's not being picked up.

The checks were just enabled within the past 7 days on my end, see additional APK checks. So if you can tell me if the above also applies to the other two apps, I'd put it to their allow-list as well and would not have to create additional issues then 😉

OK, thanks! Then I copy the allow-list over. I assume your "Mastodon and Lemmy domains" then also include PeerTube (for cleartextTraffic)?

OK, thanks – adjusted all three then.