Comments (15)
https://f-droid.org/2020/05/29/android-updates-and-tls-connections.html
from newpipe-legacy.
@blackbox87: ProviderInstaller is part of Google's proprietary APIs (see https://developers.google.com/android/reference/com/google/android/gms/security/ProviderInstaller), so we can't use that.
from newpipe-legacy.
You can reuse this code: https://github.com/microg/android_packages_apps_GmsCore/blob/master/play-services-core/src/main/java/com/google/android/gms/common/security/ProviderInstallerImpl.java
Actually it would make sense doing it also in NOT legacy NewPipe to avoid using old TLS versions unnecessarily.
from newpipe-legacy.
This file uses Conscrypt and another class from MicroG called PackageUtils
import org.conscrypt.NativeCrypto;
import org.conscrypt.OpenSSLProvider;
import org.microg.gms.common.PackageUtils
from newpipe-legacy.
I mean using it as example, it should be adapted but 99% of it could be reused.
The part of excluding packages obviously can be stripped.
from newpipe-legacy.
Most devices running Android 4.1 (the minimum that NewPipe Legacy supports) will already make use of TLS 1.2. See c439e19 & d597cef.
So you'd only need to add Conscrypt if the minimum API was lowered, which I don't think it will be due to the issues that introduces.
from newpipe-legacy.
@blackbox87: That just enables it if it's built-in but disabled by default on your device, which unfortunately isn't the case on a lot of pre-KitKat devices, see e.g. https://ankushg.com/posts/tls-1.2-on-android/:
The first thing we realized was that despite documentation suggesting otherwise, not all devices on Android 4.1+ actually support TLS 1.2. Even though it is likely due to device manufacturers not fully following the official Android specs, we had to do what we could to ensure this would work for our users.
from newpipe-legacy.
@wb9688 I know that there's a few that don't, but they're few and far between. In my experience most devices running Android 4.1 can use TLS 1.2 without any issues.
If a device doesn't support TLS 1.2 and a custom ROM can't be used then personally I'd want to encourage these people to upgrade their hardware, since these older versions of Android are vulnerable to so many exploits anyway.
from newpipe-legacy.
@blackbox87: Well, NewPipe Legacy is meant for supporting legacy devices like that. For NewPipe, we also get a lot of reports from KitKat users, that their device doesn't support TLS 1.2. See e.g. TeamNewPipe/NewPipe#3728.
from newpipe-legacy.
Well, NewPipe Legacy is meant for supporting legacy devices like that.
While this is true you'd be increasing the APK size by a few MB to support a few devices running out of spec vulnerable versions of Android. And in general most of these old devices don't have a lot of storage space to begin with, so that's not a fair trade off.
I think you'd be better off catching the throwable and then trying to use ProviderInstallerImpl or ProviderInstaller, depending on if the device is using microG or Google Play Services. That'll keep the file size down while fixing the problem.
from newpipe-legacy.
@wb9688 In that case I'd suggest catching the throwable and attempting to use ProviderInstallerImpl. If it fails then you could then inform the user that their device isn't supported due to their buggy ROM.
I know that most of the people who have one of these buggy devices won't agree with me, but anyone who has a device that hasn't been butchered by the manufacturer probably doesn't want the size of the app to increase by a few megabytes.
In the thread that you previously linked to you said "Then it's not our issue. Upgrade to a newer Android version" and I agree with that. We shouldn't have to add a lot of code to fix issues within old buggy ROMs.
from newpipe-legacy.
What about calling ProviderInstaller without compiling with Google libs but just using reflection?
The code just need to detect if Google Play Services is installed (microG has the same package name) and if yes call it.
PS: This thing is always needed and future proof, what about when there will be TLS 1.3 only servers?
Once the code is added new versions of TLS will appear without doing anything.
Even new ROMs are updated just for a while then left alone... so it is still needed
from newpipe-legacy.
Or create a separate package just with Conscrypt (called maybe "TLS update") and then the main NewPipe-legacy will call it if installed.
from newpipe-legacy.
ProviderInstaller is out because it's proprietary software (an extreme minority of people use microG).
Please read the article above posted by @TobiGr
One abstract
It’s pretty easy to use (ProviderInstaller.installIfNeeded(context);) and fixes all those problems instantly. )
[…]
This sounds too good to be true, doesn’t it? Well, Google’s ProviderInstaller has a pretty big drawback. The library is closed-source, so it can not be used for apps published on F-Droid."
Antennapod has made a build flavor, one fully floss for F-Droid, the other one uses ProviderInstaller and is published to Play Store. We can also think of making a build flavor with Conscrypt.
I'm very interested too see what F-Droid will offer to fix this problem.
from newpipe-legacy.
Google’s ProviderInstaller has a pretty big drawback. The library is closed-source
It is like this only if you USE the library, but you can probably avoid it with reflection.
You can access it without knowing it at compile time.
Info: https://haptik.ai/tech/using-reflection-in-android/
In object-oriented programming languages such as Java, reflection allows inspection of classes, interfaces, fields and methods at runtime without knowing the names of the interfaces, fields, methods at compile time. It also allows instantiation of new objects and invocation of methods
If I'm not wrong the problem is only including closed source libraries, if you use an external app without any library linked in your app, like it was a command line tool I don't think there is any problem.
from newpipe-legacy.
Related Issues (20)
- The Newpipe-legacy app's UI FAILED.. HOT 2
- Is this version dead? HOT 7
- NewPipe For Android 2.3.6 HOT 3
- App crashed on Android 4.0.4 (sh000gun legacy version) HOT 1
- Some YT videos not play
- Video not play - Could not get any stream.
- Video not play - Could not get any stream.
- Some bugs of Samsung Galaxy Win
- Ui error
- at HOT 1
- bug
- Google has limited the transfer/download speed for links received by the old (aka c=WEB) algorithm HOT 1
- Issue
- newpipe legacy does crash when started HOT 1
- Could not parse website using NewPioe Legacy
- Unable to request any stream HOT 3
- Error: no comments shown
- Newpipe legacy crashes when click on notifications & more.
- NewPipe-Legacy is really Became Legacy at present days (no new version) HOT 3
- Import crash
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from newpipe-legacy.