Comments (19)
Finally I've removed the 'MANAGE_EXTERNAL_STORAGE', thanks for the advice
from shiori-android-client.
I have updated the AGP and some libraries, I assume one of the libraries must have added it. I will check to see what has happened."
from shiori-android-client.
I could even check to include it with my repo – but as long as the APKs are signed with debug keys that won't be possible:
Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: b0724d3e750bb7d737cda8d881480ed189d87c84ac66fb7e9c8632c0dce5c797
Signer #1 certificate SHA-1 digest: 437fb08422a5254032a6c014b774addec912d245
Signer #1 certificate MD5 digest: fb434487f1f5666376c4465441fbad01
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
See:
Could you please sign the APKs at releases/
with a release key? Thanks in advance!
from shiori-android-client.
You're right, I must have a bug in my GitHub Actions file, I'll fix it as soon as I can.
from shiori-android-client.
Fixed, the apk now is signed with release key
from shiori-android-client.
Thanks Antonio, that looks good! Preparing the integration here now. Meanwhile, from the output of my scanners:
No offending libs found.
Dangerous flags:
----------------
* usesCleartextTraffic
Permissions:
------------
* android.permission.INTERNET
* android.permission.WRITE_EXTERNAL_STORAGE
* com.desarrollodroide.pagekeeper.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION
* android.permission.READ_EXTERNAL_STORAGE*
SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
- "No offending libs found": so no proprietary, tracking etc. libs detected – all fine there 🥳
usesCleartextTraffic
: I guess this is intended for "local resources" (i.e. self-hosted in the LAN, where it's hard to have proper SSL certs)?- Storage Permissions: is there some export/backup functionality, or what is that needed for?
DEPENDENCY_INFO_BLOCK
: this one is easily fixed:
android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
Nothing of the above is a show-stopper here (I'm integrating your app with my repo now). But for transparency, these questions would be good to have clarified (and of course the blob removed, if possible). So if you could help with those details I'd include them then.
Thanks a lot!
from shiori-android-client.
OK, there you go:
That looks fine so far (metadata where imported from your PlayStore listing). For some background to above questions:
So once above questions are answered, I can fill those gaps and the "chocolate" goes away, showing the proper explanations instead.
Your app will become available here around 7 pm UTC, with the next sync. Those having my repository configured with their favorite F-Droid client will automatically be able to access it from there as well. If you like what you see there, be welcome to pick a badge to link there e.g. from your README 😃
from shiori-android-client.
Thank you very much for your work.
I use WRITE_EXTERNAL_STORAGE to be able to download the EPUB and then share it.
usesCleartextTraffic is set to true in case Shiori is installed on a server that does not have SSL. For my tests, I use the following URL: http://144.24.183.231:8086/
DEPENDENCY_INFO_BLOCK, I have modified build.gradle so that the Google metadata does not appear, it will be fixed in the next release.
from shiori-android-client.
I use WRITE_EXTERNAL_STORAGE to be able to download the EPUB and then share it.
Which EPUB? I thought this is a bookmark app?
usesCleartextTraffic
Thanks, I've set that accordingly then.
DEPENDENCY_INFO_BLOCK
Great, thanks!
from shiori-android-client.
Which EPUB? I thought this is a bookmark app?
Shiori has the ability to save the content of bookmarks, one option is to save it as Epub.
from shiori-android-client.
Ah, now I get it, thanks! But if it's just for this one file, why not using SAF (Storage Access Framework) and let the user pick a location? SAF was introduced with Android 5, which is the minimal version your app supports. It has its culprits and complexities, true – but for saving/reading a single file it should be fine. Your app the wouldn't need to declare a single storage permission.
from shiori-android-client.
SAF
I can't use SAF because the epub is not public, to download it, I need authorization via a sessionID that is sent in the headers.
from shiori-android-client.
So where do you store the EPUB then? If it is inside your own application's scope, you won't need any storage permissions either. If not, I don't see what difference SAF makes in this context.
But OK, you will know better than me what is needed. I've set the explanations accordingly. Thanks!
from shiori-android-client.
I'm using the Downloads folder
val directory = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS)
from shiori-android-client.
So where do you store the EPUB then? If it is inside your own application's scope, you won't need any storage permissions either. If not, I don't see what difference SAF makes in this context.
But OK, you will know better than me what is needed. I've set the explanations accordingly. Thanks!
But you're right, I'll change the storage location to be within the app's scope and remove the permission.
from shiori-android-client.
I'm using the Downloads folder
Oww… that one is special fun with SAF over Android versions, requiring a different permission with every second Android version… well, almost. Will need MANAGE_EXTERNAL_STORAGE
starting at some point.
But you're right, I'll change the storage location to be within the app's scope and remove the permission.
If it should be private anyway, good idea. An export can always be offered, be it via share or SAF then.
from shiori-android-client.
But with today's update, we have some new permission alerts:
! repo/com.desarrollodroide.pagekeeper_22.apk declares sensitive permission(s):
android.permission.READ_PHONE_STATE android.permission.READ_EXTERNAL_STORAGE
What happened, and what are they needed for? Dragged in by one of the new dependencies?
from shiori-android-client.
But with today's update, we have some new permission alerts:
! repo/com.desarrollodroide.pagekeeper_22.apk declares sensitive permission(s): android.permission.READ_PHONE_STATE android.permission.READ_EXTERNAL_STORAGE
What happened, and what are they needed for? Dragged in by one of the new dependencies?
When updating the Android Gradle Plugin, it seems necessary to set the minSdkVersion in all modules to prevent the addition of those permissions:
- READ_PHONE_STATE
- READ_EXTERNAL_STORAGE
This is the log of the manifest-merger:
1.0.0/AndroidManifest.xml:20:5-44
android:targetSdkVersion
INJECTED from /home/ubuntu-dev/Dev/My Projects/Shiori/presentation/src/main/AndroidManifest.xml
android:minSdkVersion
INJECTED from /home/ubuntu-dev/Dev/My Projects/Shiori/presentation/src/main/AndroidManifest.xml
uses-permission#android.permission.WRITE_EXTERNAL_STORAGE
IMPLIED from /home/ubuntu-dev/Dev/My Projects/Shiori/presentation/src/main/AndroidManifest.xml:2:1-63:12 reason: com.desarrollodroide.model has a targetSdkVersion < 4
uses-permission#android.permission.READ_PHONE_STATE
IMPLIED from /home/ubuntu-dev/Dev/My Projects/Shiori/presentation/src/main/AndroidManifest.xml:2:1-63:12 reason: com.desarrollodroide.model has a targetSdkVersion < 4
uses-permission#android.permission.READ_EXTERNAL_STORAGE
IMPLIED from /home/ubuntu-dev/Dev/My Projects/Shiori/presentation/src/main/AndroidManifest.xml:2:1-63:12 reason: com.desarrollodroide.model requested WRITE_EXTERNAL_STORAGE
from shiori-android-client.
Good find! Yes, I remember that some permissions are automatically implied based on targetSdk (see here. I knew that for READ_EXTERNAL_STORAGE
if WRITE_EXTERNAL_STORAGE
is present. I knew this for RED_CALL_LOG
and WRITE_CALL_LOG
with targetSdk < 16
. I must have skipped that one as, well, how likely is a targetSdk < 4
? Funny that the new AGP assumes that as default, with the toy shop requiring an ever higher one – and that it now adds them to the manifest (before they were just applied "on device"). OTOH, good it's now made transparent.
Good to see this resolved, thanks!
from shiori-android-client.
Related Issues (20)
- Bookmark Update Cache broken HOT 6
- [feat] allow to filter tags as well
- [Feature Request] Startup explanation with links to Shiori docs HOT 3
- The interface is very large HOT 7
- Improve "Remember password" checkbox HOT 2
- The position of the list of articles is reset HOT 1
- The state of the tag list is not remembered HOT 7
- The interface does not fit on the screen HOT 8
- Unwanted scrolling if there are few elements HOT 2
- When logging out of your account, the database is not cleared HOT 2
- The application takes up an unexpectedly large amount of space after installation HOT 6
- [FEATURE] Show URL after it has been shared to PageKeeper HOT 1
- [FEATURE] After login error, have button to go straight to the login screen HOT 6
- No bookmarks listed past the first page of Shiori HOT 8
- [BUG] Error Opening URL into other apps (not browser) HOT 1
- [FEATURE] Close the interface if bookmark saving was successful.
- [BUG] Not all tags automatically load from web instance of Shiori HOT 3
- [FEATURE] Use completely offline on Android without an account
- Shiori ignores user installed root certificates
- [FEATURE] iOS version HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from shiori-android-client.