Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate issue #12

Open
IzzySoft opened this issue Feb 8, 2024 · 6 comments
Open

Certificate issue #12

IzzySoft opened this issue Feb 8, 2024 · 6 comments

Comments

@IzzySoft
Copy link

IzzySoft commented Feb 8, 2024

A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!
@IzzySoft
Copy link
Author

@Dado1513 any word?

@Dado1513
Copy link
Contributor

@IzzySoft yes in a couple of days I will proceed with the new release.

@IzzySoft
Copy link
Author

Wonderful, thanks! 🤩

@IzzySoft
Copy link
Author

IzzySoft commented Mar 9, 2024

Friendly ping, @Dado1513 – couple of days reached? At the end of this month, debugkey-signed APKs must be gone from my repo, so I'd have to remove it by then (at least until you have the new one ready).

@Dado1513
Copy link
Contributor

Hi @IzzySoft, I just released a new version with a valid signature: HideDroid 1.3

@IzzySoft
Copy link
Author

Thanks! Triggering a pull now…

! repo/it.unige.hidedroid_4.apk declares flag(s): usesCleartextTraffic
! repo/it.unige.hidedroid_4.apk declares intent-filter(s): android.net.VpnService
! repo/it.unige.hidedroid_4.apk declares sensitive permission(s):
  android.permission.REQUEST_INSTALL_PACKAGES android.permission.REQUEST_DELETE_PACKAGES
  android.permission.READ_EXTERNAL_STORAGE*

usesCleartextTraffic is clear (oops) as all traffic needs to be filtered. VpnService is also clear (that's how the app works). The permissions are however unclear: what packages are going to be installed/deleted? And what for is read/write storage needed (the trailing asterisk says READ_EXTERNAL_STORAGE is being granted implicitly by Android as WRITE_EXTERNAL_STORAGE was requested)?

One more thing: application-debuggable is set for the APK. Any reason for that? I especially wonder as I cannot find that in your AndroidManifest.xml

New release will go live here with the next sync. I've also added a "release note" concerning the changed certificate, telling people they'd have to uninstall and reinstall:

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@IzzySoft @Dado1513