
Why accessing internet? #851

Closed
hakaishi opened this issue Mar 27, 2022 · 17 comments
Labels
state: invalid This doesn't seem right

Comments

@hakaishi

My firewall just blocked catima.

In the description of catima it says that no Internet is required. Still, my firewall blocked internet access from catima. Another tool says that catima uses WiFi.

For what reason is catima accessing internet? And why is there no setting to disable this?

@TheLastProject
Member

That must be a bug in your firewall attributing something to the wrong app as Catima literally doesn't even have the internet permission from Android. Even if there was any code that accessed the internet (there isn't), Android literally wouldn't allow it without the permission.

@TheLastProject TheLastProject added the state: invalid This doesn't seem right label Mar 27, 2022
@electroCutie
Contributor

> In the description of catima it says that no Internet is required. Still, my firewall blocked internet access from catima. Another tool says that catima uses WiFi.

You can verify that catima doesn't have internet permissions on your phone, and isn't requesting it, by looking at the app permissions

On my version of android you can find this by

  • Long pressing the icon
  • Selecting App Info
  • Opening the Permissions screen

You should see what permissions you have granted, and which permissions you have not granted as well. You will not see permissions it has not asked for. Here is what mine looks like
[screenshot of the app permissions page]

@TheLastProject
Member

@electroCutie Actually, you can't, because Google made the "amazing" decision to always silently allow Internet permission and not list it.

So you will have to read the AndroidManifest.xml file (either directly or through an app that can) and look for the following line:

<uses-permission android:name="android.permission.INTERNET" />
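One way to do the manifest check described above, as an added example that is not part of this thread or of Catima's code base: a small Python script that parses a decoded AndroidManifest.xml (the text form apktool produces; the binary AXML inside a raw APK cannot be read this way), lists every `uses-permission` and `uses-feature` entry, and states whether `android.permission.INTERNET` is declared at all. The embedded sample manifest is constructed for the example and the package name `example.app` is made up.

```python
"""Audit a decoded AndroidManifest.xml: list permissions and hardware features,
and say whether android.permission.INTERNET is declared at all.

Added example; not Catima's code. Expects the text form of the manifest that
apktool produces (the binary AXML inside a raw APK cannot be parsed this way).
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
REQUIRED_ATTR = "{%s}required" % ANDROID_NS

# Constructed sample: a camera-only app with no INTERNET permission whose merged
# manifest also carries a wifi feature entry contributed by a library. The
# package name "example.app" is made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.app">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-feature android:name="android.hardware.camera"
        android:required="true" />
    <uses-feature android:name="android.hardware.camera.autofocus"
        android:required="false" />
    <uses-feature android:name="android.hardware.wifi"
        android:required="false" />
    <application android:label="example" />
</manifest>
"""


def audit_manifest(xml_text):
    """Return permissions, features (name -> required flag) and an INTERNET verdict."""
    root = ET.fromstring(xml_text)
    permissions = sorted(
        e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)
    )
    # android:required defaults to "true" when a <uses-feature> omits it.
    features = {
        e.get(NAME_ATTR): e.get(REQUIRED_ATTR, "true")
        for e in root.iter("uses-feature")
        if e.get(NAME_ATTR)
    }
    return {
        "permissions": permissions,
        "features": features,
        "declares_internet": "android.permission.INTERNET" in permissions,
    }


def format_report(result):
    """Human-readable summary of audit_manifest()'s result."""
    lines = ["Permissions requested:"]
    lines += ["  " + p for p in result["permissions"]] or ["  (none)"]
    lines.append("Hardware features (required?):")
    lines += ["  %s (%s)" % (n, r) for n, r in sorted(result["features"].items())]
    lines.append(
        "INTERNET permission declared: %s"
        % ("YES" if result["declares_internet"] else "no")
    )
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python manifest_audit.py [path/to/decoded/AndroidManifest.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MANIFEST
    print(format_report(audit_manifest(text)))
```

Run it against the AndroidManifest.xml at the top level of an apktool-decoded APK; a `uses-feature` entry such as `android.hardware.wifi` shows up under features, which is a separate list from permissions, so the verdict line only turns to YES when the INTERNET permission itself is present.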

@hakaishi
Author

I'll check the source code then. For some reason the "AM App Manager" also lists android.hardware.wifi under the category of functionalities...

@TheLastProject
Member

That's a "feature", not a "permission". An app needs the android.permission.INTERNET permission to be able to access the internet.

Why Android decided to give my app the android.hardware.wifi feature while I only request camera and autofocus is beyond me:

<uses-feature
    android:name="android.hardware.camera"
    android:required="true" />
<uses-feature
    android:name="android.hardware.camera.autofocus"
    android:required="false" />

It's probably another of these "given to every app by default" things (just like android.hardware.screen.landscape which I never explicitly requested), but as always Google has no documentation about this I can find.

@hakaishi
Author

Oh I see. Other apps don't have this, but permission-wise it looks good.

I'll try and search through the code, but I can already guess that I won't find anything.

I'll report back.

@hakaishi
Author

hakaishi commented Mar 27, 2022

What is stocard.zip? It hits when searching for WiFi. Unzipping needs a password...

Path: Android/app/src/test/res/protect/card_locker/stocard.zip

@TheLastProject
Member

Did you search for stocard.zip in the source code? You could easily see it's used only for the importStocard unit test:

@Test
public void importStocard() throws IOException {
    InputStream inputStream = getClass().getResourceAsStream("stocard.zip");

The password is also in that unit test.

The reason it hits when searching for WiFi is because this is a GDPR data export from the proprietary app Stocard (for the purpose of having a unit test for importing from Stocard so people can easily migrate to Catima). Stocard does sketchy shit like try to figure out your location from Wi-Fi networks and sending it to their server, which is why it was part of the export file: https://twitter.com/SylvieLorxu/status/1389343401435439112

@hakaishi
Author

Now it gets interesting!
I downloaded the apk from here: https://apt.izzysoft.de/fdroid/index/apk/me.hackerchick.catima
Then I unpacked the apk using the apktool and searched again:
grep -rin wifi -> AndroidManifest.xml:10: <uses-feature android:name="android.hardware.wifi" android:required="false"/>

I also found in the App Manager that the apk uses libraries from OkHttp.
grep -rin OkHttp well, I shouldn't list that here. It's hundreds of lines...

Maybe the apk has been modified without anyone knowing.

@hakaishi
Author

> Did you search for stocard.zip in the source code? You could easily see it's used only for the importStocard unit test:
>
> @Test
> public void importStocard() throws IOException {
>     InputStream inputStream = getClass().getResourceAsStream("stocard.zip");
>
> The password is also in that unit test.
>
> The reason it hits when searching for WiFi is because this is a GDPR data export from the proprietary app Stocard (for the purpose of having a unit test for importing from Stocard so people can easily migrate to Catima). Stocard does sketchy shit like try to figure out your location from Wi-Fi networks and sending it to their server, which is why it was part of the export file: https://twitter.com/SylvieLorxu/status/1389343401435439112

Thanks for clearing that up! 👍

@TheLastProject
Member

> Now it gets interesting! I downloaded the apk from here: https://apt.izzysoft.de/fdroid/index/apk/me.hackerchick.catima Then I unpacked the apk using the apktool and searched again: grep -rin wifi -> AndroidManifest.xml:10: <uses-feature android:name="android.hardware.wifi" android:required="false"/>
>
> I also found in the App Manager that the apk uses libraries from OkHttp. grep -rin OkHttp well, I shouldn't list that here. It's hundreds of lines...
>
> Maybe the apk has been modified without anyone knowing.

Izzy's repo just downloads straight from GitHub releases, so those are the builds I upload, see #82 (comment).

Izzy is an F-Droid contributor who wrote several scripts to help ensure apps on F-Droid are really Open Source, so I trust him to not modify APKs.

What path is that AndroidManifest.xml? Most likely it's one of Catima's dependencies having built-in support for some network-related tasks.

@hakaishi
Author

hakaishi commented Mar 27, 2022

> What path is that AndroidManifest.xml? Most likely it's one of Catima's dependencies having built-in support for some network-related tasks.

Well, if you unpack the apk it is in the top level.

@hakaishi
Author

[screenshot attached]

@hakaishi
Author

I just tested the apk from the releases here. It also has this smali and smali_classes2 in it where OkHttp is also included. I wonder what this is...

@TheLastProject
Member

Looking at https://medium.com/glucosio-project/how-libraries-can-silently-add-permissions-to-your-android-app-620911d7de6c and the merger log:

ADDED from [com.journeyapps:zxing-android-embedded:4.3.0] /home/sylvia/.gradle/caches/transforms-3/817ae1057df17edc1b1ec4b7357792da/transformed/jetified-zxing-android-embedded-4.3.0/AndroidManifest.xml:39:5-41:36
	android:required
		ADDED from [com.journeyapps:zxing-android-embedded:4.3.0] /home/sylvia/.gradle/caches/transforms-3/817ae1057df17edc1b1ec4b7357792da/transformed/jetified-zxing-android-embedded-4.3.0/AndroidManifest.xml:41:9-33
	android:name
		ADDED from [com.journeyapps:zxing-android-embedded:4.3.0] /home/sylvia/.gradle/caches/transforms-3/817ae1057df17edc1b1ec4b7357792da/transformed/jetified-zxing-android-embedded-4.3.0/AndroidManifest.xml:40:9-57
uses-feature#android.hardware.wifi

So that wifi hardware feature comes from here: https://github.com/journeyapps/zxing-android-embedded/blob/40260272fcff4f14181803495e7d370c23e35db7/zxing-android-embedded/AndroidManifest.xml#L29

That's probably because zxing-android-embedded can technically recognize Wi-Fi networks in QR codes and offer adding them: journeyapps/zxing-android-embedded@586f9aa

I still don't think that's an issue given there's no Internet permission at all.

smali I don't really know anything about, I'm just a hobby dev, not a reverse engineering expert :)

@TheLastProject
Member

Looking at app/build/outputs/mappings/release/mapping.txt, I figured out where OkHttp came from:

com.yalantis.ucrop.OkHttpClientStore -> com.yalantis.ucrop.OkHttpClientStore:
    11:11:void <clinit>() -> <clinit>
    9:9:void <init>() -> <init>
    22:25:okhttp3.OkHttpClient getClient() -> getClient

It's because uCrop technically supports starting an image cropping directly from an image on a web URL (which Catima doesn't use, it always uses local images or camera images): https://github.com/Yalantis/uCrop#version-14
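The mapping.txt lookup above can be scripted so that the same question ("which of my dependencies pulled this library into the APK?") is answered for any package, not just OkHttp. The following is an added example, not code from this thread or from Catima: it parses the R8/ProGuard mapping format (one unindented `original -> obfuscated:` line per class, followed by indented member lines that may carry a `from:to:` line-number prefix) and reports which classes belong to the queried package and which other classes reference it in a member signature. The sample mapping is constructed for the example: it repeats the three uCrop lines quoted above and adds a made-up app activity and one made-up OkHttp class entry.

```python
"""Find which classes in an R8/ProGuard mapping.txt reference a library package.

Added example; not Catima's code. Mapping format handled:
  original.Class -> obfuscated.Class:
      [from:to:]returnType name(args) -> obfuscatedName
"""
import re
import sys

# Constructed sample: the uCrop lines quoted in the thread plus a made-up app
# activity and a made-up OkHttp class entry.
SAMPLE_MAPPING = """\
com.yalantis.ucrop.OkHttpClientStore -> com.yalantis.ucrop.OkHttpClientStore:
    11:11:void <clinit>() -> <clinit>
    9:9:void <init>() -> <init>
    22:25:okhttp3.OkHttpClient getClient() -> getClient
example.app.MainActivity -> a.b.c:
    10:10:void onCreate(android.os.Bundle) -> onCreate
okhttp3.OkHttpClient -> okhttp3.OkHttpClient:
    5:5:void <init>() -> <init>
"""


def parse_mapping(mapping_text):
    """Return a list of (original_class, [original_member_signature, ...])."""
    classes = []
    current = None
    for raw in mapping_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            # Class line: "original.Name -> obfuscated.Name:"
            original, _, _ = raw.partition(" -> ")
            current = (original.strip(), [])
            classes.append(current)
        elif current is not None:
            # Member line; keep only the original signature left of " -> "
            member, _, _ = raw.strip().partition(" -> ")
            parts = member.split(":")
            # Drop the optional leading "from:to:" source line-number prefix
            while len(parts) > 1 and parts[0].isdigit():
                parts.pop(0)
            current[1].append(":".join(parts))
    return classes


def find_references(mapping_text, package_prefix="okhttp3."):
    """Split classes into those inside package_prefix and those whose members
    mention a type from it (the consumers that explain why it was bundled)."""
    pattern = re.compile(r"(?<![\w.])" + re.escape(package_prefix))
    library_classes = []
    consumers = {}
    for original_class, members in parse_mapping(mapping_text):
        if original_class.startswith(package_prefix):
            library_classes.append(original_class)
            continue
        hits = [m for m in members if pattern.search(m)]
        if hits:
            consumers[original_class] = hits
    return {"library_classes": library_classes, "consumers": consumers}


if __name__ == "__main__":
    # Usage: python mapping_refs.py [mapping.txt] [package.prefix.]
    text = SAMPLE_MAPPING
    prefix = "okhttp3."
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    if len(sys.argv) > 2:
        prefix = sys.argv[2]
    result = find_references(text, prefix)
    print("Classes from %s: %d" % (prefix, len(result["library_classes"])))
    for cls, sigs in sorted(result["consumers"].items()):
        print("%s references it via:" % cls)
        for sig in sigs:
            print("    " + sig)
```

Because the report lists consumers by their original (pre-obfuscation) class name, the dependency responsible shows up by its own package, here `com.yalantis.ucrop`, which is the attribution the thread arrived at by hand.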

@hakaishi
Author

zxing! I see!

> I still don't think that's an issue given there's no Internet permission at all.

No worries, I was just wondering why these features were showing in the App Manager application. My firewall asks for every app that I install if I want to keep it blocked, so I think I misunderstood that as well. Sorry for the trouble.

> I still don't think that's an issue given there's no Internet permission at all.

👍

> smali I don't really know anything about, I'm just a hobby dev, not a reverse engineering expert :)

I'm programming at work and as a hobby as well, but I'm not very familiar with Android apps or "low-level stuff" like this. What I figured out is that OkHttp might be used for SSL pinning etc.

> Looking at app/build/outputs/mappings/release/mapping.txt, I figured out where OkHttp came from:

Thanks! Looks like it is not really usable either.

> It's because uCrop technically supports starting an image cropping directly from an image on a web URL (which Catima doesn't use, it always uses local images or camera images): https://github.com/Yalantis/uCrop#version-14

I see! Thank you! :-)


3 participants