Why accessing internet? #851
Comments
That must be a bug in your firewall attributing something to the wrong app as Catima literally doesn't even have the internet permission from Android. Even if there was any code that accessed the internet (there isn't), Android literally wouldn't allow it without the permission. |
@electroCutie Actually, you can't, because Google made the "amazing" decision to always silently allow Internet permission and not list it. So you will have to read the AndroidManifest.xml file (either directly or through an app that can) and look for the following line:
|
I'll check the source code then. For some reason the "AM App Manager" also lists android.hardware.wifi under the category of functionalities... |
That's a "feature", not a "permission". An app needs the Why Android decided to give my app the Android/app/src/main/AndroidManifest.xml Lines 12 to 17 in d0d1539
It's probably another of these "given to every app by default" things (just like |
Oh I see. Other apps don't have this, but permission wise it looks good. I'll try and search through the code, but I can already guess that I won't find anything. I'll report back. |
What is stocard.zip? It hits when searching for WiFi. Unzipping needs a password... Path: Android/app/src/test/res/protect/card_locker/stocard.zip |
Did you search for stocard.zip in the source code? You could easily see it's used only for the Android/app/src/test/java/protect/card_locker/ImportExportTest.java Lines 1200 to 1202 in 377438b
The password is also in that unit test. The reason it hits when searching for WiFi is because this is a GDPR data export from the proprietary app Stocard (for the purpose of having a unit test for importing from Stocard so people can easily migrate to Catima). Stocard does sketchy shit like try to figure out your location from Wi-Fi networks and sending it to their server, which is why it was part of the export file: https://twitter.com/SylvieLorxu/status/1389343401435439112 |
Now it gets interesting! I also found in the App Manager that the apk uses libraries from OkHttp. Maybe the apk has been modified without anyone knowing. |
Thanks for clearing that up! 👍 |
Izzy's repo just downloads straight from GitHub releases, so those are the builds I upload, see #82 (comment). Izzy is an F-Droid contributor who wrote several scripts to help ensure apps on F-Droid are really Open Source, so I trust him to not modify APKs. What path is that AndroidManifest.xml? Most likely it's one of Catima's dependencies having built in support for some network-related tasks. |
Well, if you unpack the apk it is in the top level. |
I just tested the apk from the releases here. It also has this smali and smali_classes2 in it where OkHttp is also included. I wonder what this is... |
Looking at https://medium.com/glucosio-project/how-libraries-can-silently-add-permissions-to-your-android-app-620911d7de6c and the merger log:
So that wifi hardware feature comes from here: https://github.com/journeyapps/zxing-android-embedded/blob/40260272fcff4f14181803495e7d370c23e35db7/zxing-android-embedded/AndroidManifest.xml#L29 That's probably because zxing-android-embedded can technically recognize Wi-Fi networks in QR codes and offer adding them: journeyapps/zxing-android-embedded@586f9aa I still don't think that's an issue given there's no Internet permission at all. smali I don't really know anything about, I'm just a hobby dev, not a reverse engineering expert :) |
Looking at
It's because uCrop technically supports starting an image cropping directly from an image on a web URL (which Catima doesn't use, it always uses local images or camera images): https://github.com/Yalantis/uCrop#version-14 |
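The distinction drawn in the comments above, between a `uses-feature` entry merged in from a dependency and an actual `uses-permission` for network access, can be checked directly on a manifest. This is an added example, not part of the thread and not Catima's code: it assumes the APK's binary manifest has already been decoded to text XML (for example with apktool), and the sample manifest, its package name and the `audit_manifest` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
REQUIRED = f"{{{ANDROID_NS}}}required"
# Permissions that gate opening sockets or inspecting/changing network state.
NETWORK_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
}

# Constructed sample of a decoded, merged manifest (not Catima's real one).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardwallet">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-feature android:name="android.hardware.camera" android:required="false" />
    <uses-feature android:name="android.hardware.wifi" android:required="false" />
    <application android:label="Example" />
</manifest>
"""

def audit_manifest(xml_text):
    """Separate declared permissions from declared hardware features."""
    root = ET.fromstring(xml_text)
    permissions = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            if el.get(NAME):
                permissions.add(el.get(NAME))
    features = {}
    for el in root.iter("uses-feature"):
        name = el.get(NAME)
        if name:  # entries such as glEsVersion carry no android:name
            # android:required defaults to true when the attribute is absent
            features[name] = el.get(REQUIRED, "true") == "true"
    return {
        "permissions": sorted(permissions),
        "features": features,
        "network_permissions": sorted(permissions & NETWORK_PERMISSIONS),
        # Without INTERNET the platform refuses to let the app open sockets.
        "can_open_sockets": "android.permission.INTERNET" in permissions,
    }

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A `uses-feature` entry such as `android.hardware.wifi` only describes hardware the app may use; it grants no access, which is why the audit reports it separately from the permission set.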
zxing! I see!
No worries, I was just wondering why these features were showing in the App Manager application. My firewall asks for every app that I install if I want to keep it blocked, so I think I misunderstood that as well. Sorry for the trouble.
👍
I'm programming at work and as a hobby as well, but I'm not very familiar with Android apps or "low-level stuff" like this. What I figured out is that OkHttp might be used for SSL pinning etc.
Thanks! Looks like it is not really usable either.
I see! Thank you! :-) |
My firewall just blocked catima.
In the description of catima it says that no Internet is required. Still, my firewall blocked internet access from catima. Another tool says that catima uses WiFi.
For what reason is catima accessing internet? And why is there no setting to disable this?