Certificate issue #79

Closed
IzzySoft opened this issue Feb 9, 2024 · 12 comments

Comments

IzzySoft commented Feb 9, 2024

A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!

Xtr126 (Owner) commented Feb 14, 2024

Hello, thanks for your effort. I will prepare a key and release a proper signed APK as soon as possible after I can get it to work on mobile phones.
Currently the app works only on PCs or already insecure rooted devices with SELinux disabled so I did not care about it.

IzzySoft (Author):

Thanks for your reply! And thanks for working on it!

> Currently the app works only on PCs or already insecure rooted devices with SELinux disabled so I did not care about it.

Then maybe I should better remove your app from my repo until that's solved – to avoid frustration on the end of those trying it? I'd then re-enable it as soon as you have it ready and let me know.

Xtr126 (Owner) commented Feb 18, 2024

Yes I also agree that it should be removed for now, I’ll let you know after I get it solved.

IzzySoft (Author):

Done that now (effective with the next sync in less than 2h from now). Looking forward to your "ready ping" then, wishing you best progress!

Xtr126 (Owner) commented Feb 21, 2024

APKs are signed with a release key now.

IzzySoft (Author):

Thanks, that looks good! Added it back, will be available again with the next sync around 7 pm UTC. I had to screenshot the icon however as it cannot be downloaded; if you want me to put a different icon (or some screenshots), I gladly accept the graphics.

Btw, here's the output from my scanner:

No offending libs found.


Dangerous Filters:
------------------
android.view.InputMethod

Permissions:
------------
* android.permission.SYSTEM_ALERT_WINDOW
* android.permission.FOREGROUND_SERVICE
* android.permission.FOREGROUND_SERVICE_SPECIAL_USE
* android.permission.POST_NOTIFICATIONS
* android.permission.INTERNET
* android.permission.INJECT_EVENTS
* xtr.keymapper.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

If you want to have some explanations added to the permissions, especially SYSTEM_ALERT_WINDOW (which then would lose its "chocolate" warning color), just let me know. I already did that for android.view.InputMethod:

[image]

That DEPENDENCY_INFO_BLOCK blob is easy to get rid of:

```groovy
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}
```

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
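Two points in this thread lend themselves to a check a maintainer can run offline before publishing: the first comment (an APK signed with the debug key) and the "SigningBlock blobs" line of the scanner output above (0x504b4453 DEPENDENCY_INFO_BLOCK). The Python script below is an added example, not IzzySoft's scanner and not the keymapper project's code. It walks from the ZIP End-Of-Central-Directory record to the APK Signing Block, lists the ID-value blobs it holds, and pulls the first signer certificate out of the v3 or v2 block to see whether it carries the "Android Debug" subject of the default debug keystore. The block-ID names come from AOSP's apksig; the fixture APK and the stand-in certificate bytes are constructed for the demo, so a real run replaces build_sample_apk() with open("app.apk", "rb").read().

```python
"""Inspect an APK Signing Block offline: list the ID-value blobs it carries
(e.g. 0x504b4453 DEPENDENCY_INFO_BLOCK) and flag a v2/v3 signer whose first
certificate is the one from the default Android debug keystore.
Added example; not IzzySoft's scanner and not the project's code."""
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_MAGIC = b"PK\x05\x06"
# Block IDs as defined in AOSP's apksig and Google's dependency-metadata docs.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK_SIGNATURE_SCHEME_V2",
    0xF05368C0: "APK_SIGNATURE_SCHEME_V3",
    0x1B93AD61: "APK_SIGNATURE_SCHEME_V31",
    0x42726577: "VERITY_PADDING_BLOCK",
    0x504B4453: "DEPENDENCY_INFO_BLOCK (GOOGLE)",
}
# The default ~/.android/debug.keystore certificate has the subject
# CN=Android Debug, O=Android, C=US; the CN is stored as raw ASCII in the DER.
DEBUG_SUBJECT_MARKER = b"Android Debug"

def find_signing_block(apk: bytes) -> bytes:
    """Return the ID-value area of the signing block that sits just before the central directory."""
    eocd = apk.rfind(EOCD_MAGIC)
    if eocd < 0:
        raise ValueError("no End Of Central Directory record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block in front of the central directory")
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]   # excludes the leading size field
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("the two size fields of the APK Signing Block disagree")
    return apk[start + 8:cd_offset - 24]

def parse_id_value_pairs(area: bytes) -> dict:
    """Each pair is uint64 length (covers ID + value), uint32 ID, value."""
    blobs, pos = {}, 0
    while pos + 12 <= len(area):
        length, block_id = struct.unpack_from("<QI", area, pos)
        blobs[block_id] = area[pos + 12:pos + 8 + length]
        pos += 8 + length
    return blobs

def _lp(buf: bytes, pos: int = 0):
    """Read one uint32 length-prefixed field; returns (value, next_pos)."""
    n = struct.unpack_from("<I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def first_signer_certificates(scheme_block: bytes) -> list:
    """v2/v3 layout: signers -> signer -> signed data -> (digests, certificates, ...)."""
    signers, _ = _lp(scheme_block)
    signer, _ = _lp(signers)
    signed_data, _ = _lp(signer)
    _digests, pos = _lp(signed_data)
    certs_seq, _ = _lp(signed_data, pos)
    certs, pos = [], 0
    while pos < len(certs_seq):
        der, pos = _lp(certs_seq, pos)
        certs.append(der)
    return certs

def inspect_apk(apk: bytes) -> dict:
    blobs = parse_id_value_pairs(find_signing_block(apk))
    report = {"blocks": [f"0x{i:08x} ({KNOWN_BLOCK_IDS.get(i, 'unknown')})" for i in blobs],
              "debug_signed": None}
    for block_id in (0xF05368C0, 0x7109871A):       # prefer v3, fall back to v2
        if block_id in blobs:
            certs = first_signer_certificates(blobs[block_id])
            report["debug_signed"] = DEBUG_SUBJECT_MARKER in certs[0]
            break
    return report

def _enc(*fields: bytes) -> bytes:
    return b"".join(struct.pack("<I", len(f)) + f for f in fields)

def build_sample_apk(cert_der: bytes, extra_blocks: dict) -> bytes:
    """Constructed fixture: one empty local header, a v2 block holding cert_der,
    any extra ID->value blobs, an empty central directory and an EOCD."""
    signed_data = _enc(b"", _enc(cert_der), b"")        # digests, certificates, attributes
    signer = _enc(signed_data, b"", b"")                 # signed data, signatures, public key
    blocks = {0x7109871A: _enc(_enc(signer)), **extra_blocks}
    pairs = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in blocks.items())
    size = len(pairs) + 8 + 16
    sig_block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    local = b"PK\x03\x04" + b"\x00" * 26
    cd_offset = len(local) + len(sig_block)
    eocd = EOCD_MAGIC + b"\x00" * 8 + struct.pack("<II", 0, cd_offset) + b"\x00\x00"
    return local + sig_block + eocd

# Stand-in certificate bytes (not real X.509): only the subject strings matter here.
DEBUG_CERT = b"\x30\x82\x01\x00" + b"\x13\x0dAndroid Debug"
RELEASE_CERT = b"\x30\x82\x01\x00" + b"\x13\x0fExample Release"

if __name__ == "__main__":
    print(inspect_apk(build_sample_apk(DEBUG_CERT, {0x504B4453: b"\x00" * 16})))
    print(inspect_apk(build_sample_apk(RELEASE_CERT, {})))
```

The substring test on the certificate DER is deliberately crude: it catches the stock debug keystore but not an ad-hoc self-signed key that merely lives in a developer's home directory. For the authoritative view run `apksigner verify --print-certs` on the APK and compare the certificate fingerprint against the one the project publishes for its releases.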

Xtr126 (Owner) commented Feb 21, 2024

Nice!
It would be great if you can use this icon, I think it is of enough quality for an icon:
[image]
SYSTEM_ALERT_WINDOW is used to display a pointer on the screen and for showing alert dialogs (to select apps, switch profiles).

IzzySoft (Author):

> It would be great if you can use this icon

Done, thanks! And yes, definitely enough resolution (everything beyond 72x72 is good, 256x256 is very good – and higher is 🚀 – so yours is at least cislunar, at 512x512 I would have had to throttle your drives 😜

> SYSTEM_ALERT_WINDOW

Thanks, added! That just leaves the DEPENDENCY_INFO_BLOCK – maybe a todo item for the next release then? It's currently using "neutral colors", but I might change that to "warning colors" in a few months or so (once I'm through addressing what popped up from the other scans).

[image]

Xtr126 added a commit that referenced this issue Feb 22, 2024
Xtr126 (Owner) commented Feb 22, 2024

Thanks!
Sorry I forgot about that, I disabled it now.
For a more accurate description, android.view.InputMethod is used to detect when the user is entering input in a text field and disable the service accordingly. I have not documented the feature myself either; it is not prompted by the app, only if the user themselves goes to settings and enables it as an input method.
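For the permission list and the "Dangerous Filters" line of the scan, here is an added Python example (mine, not IzzySoft's scanner and not the project's manifest) of the check a reviewer would make on a decoded manifest: it collects the uses-permission entries, annotates the ones on a watchlist, and, for any service whose intent filter carries android.view.InputMethod, verifies that the service is guarded by android.permission.BIND_INPUT_METHOD, which is what keeps arbitrary apps from binding to an IME service. The manifest, package and service names are constructed for the demo and the watchlist notes are my own.

```python
"""Check a decoded AndroidManifest.xml for what a repository scanner reports:
requested permissions against a watchlist, and IME-style services
(action android.view.InputMethod) that lack the bind permission guarding them.
Added example; the manifest below is constructed, not the project's.
Works on text XML (source tree or apktool output), not on the binary AXML in an APK."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # Clark form of the android: namespace

# Watchlist notes are mine; they are not the scanner's wording.
WATCHLIST = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows; the user must grant the appop",
    "android.permission.INJECT_EVENTS": "signature-level; granted only to platform-signed apps",
    "android.permission.INTERNET": "network access; worth a look at what the app contacts",
}
# Actions only the system should bind to, and the permission the service must
# declare so that third-party apps cannot bind to it themselves.
SYSTEM_BOUND_ACTIONS = {
    "android.view.InputMethod": "android.permission.BIND_INPUT_METHOD",
    "android.accessibilityservice.AccessibilityService":
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

def scan_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    perms = [p.get(A + "name") for p in root.iter("uses-permission")]
    out = {"permissions": perms,
           "watchlist": {p: WATCHLIST[p] for p in perms if p in WATCHLIST},
           "filters": [], "unguarded_services": []}
    for svc in root.iter("service"):
        guard = svc.get(A + "permission")
        for action in svc.iter("action"):
            act = action.get(A + "name")
            if act in SYSTEM_BOUND_ACTIONS:
                out["filters"].append(act)
                if guard != SYSTEM_BOUND_ACTIONS[act]:
                    out["unguarded_services"].append(svc.get(A + "name"))
    return out

# Constructed sample: one correctly guarded IME service, one that forgot the guard.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mapper">
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.INJECT_EVENTS"/>
    <application>
        <service android:name=".ImeService" android:exported="true"
            android:permission="android.permission.BIND_INPUT_METHOD">
            <intent-filter>
                <action android:name="android.view.InputMethod"/>
            </intent-filter>
        </service>
        <service android:name=".LeakyImeService" android:exported="true">
            <intent-filter>
                <action android:name="android.view.InputMethod"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in scan_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The unguarded service is the finding that matters: an IME service without android.permission.BIND_INPUT_METHOD is still only bound by the system in practice, but nothing in the manifest stops another app on the device from binding to it and talking to it directly, which is why the platform documents that guard as mandatory for input methods.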

IzzySoft (Author):

> Sorry I forgot about that, I disabled it now.

Thanks!

> For a more accurate description

There's a little space limitation, so I have to keep the description short. You see about how long it can be in the screenshot above (I'd rather avoid it causing line breaks if I can). Still enough space to make it twice as long as it currently is; "used to detect when user is entering input in a text field and disable the service accordingly" could fit if you want me putting that.

Xtr126 (Owner) commented Feb 22, 2024

I understand, then it’s better to leave it as it is. Closing this issue as I made another release with the dependency info changes included. Thanks.

Xtr126 closed this as completed Feb 22, 2024

IzzySoft (Author):

Thanks a lot!
