Certificate issue #12

Open
IzzySoft opened this issue Feb 8, 2024 · 9 comments

@IzzySoft

IzzySoft commented Feb 8, 2024

A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!

@IzzySoft
Author

@Dado1513 any word?

@Dado1513
Owner

@IzzySoft yes in a couple of days I will proceed with the new release.

@IzzySoft
Author

Wonderful, thanks! 🤩

@IzzySoft
Author

IzzySoft commented Mar 9, 2024

Friendly ping, @Dado1513 – couple of days reached? At the end of this month, debugkey-signed APKs must be gone from my repo, so I'd have to remove it by then (at least until you have the new one ready).

@Dado1513
Owner

Hi @IzzySoft, I just released a new version with a valid signature: HideDroid 1.3

@IzzySoft
Author

Thanks! Triggering a pull now…

```
! repo/it.unige.hidedroid_4.apk declares flag(s): usesCleartextTraffic
! repo/it.unige.hidedroid_4.apk declares intent-filter(s): android.net.VpnService
! repo/it.unige.hidedroid_4.apk declares sensitive permission(s):
  android.permission.REQUEST_INSTALL_PACKAGES android.permission.REQUEST_DELETE_PACKAGES
  android.permission.READ_EXTERNAL_STORAGE*
```

usesCleartextTraffic is clear (oops) as all traffic needs to be filtered. VpnService is also clear (that's how the app works). The permissions are however unclear: what packages are going to be installed/deleted? And what is read/write storage needed for (the trailing asterisk says READ_EXTERNAL_STORAGE is being granted implicitly by Android as WRITE_EXTERNAL_STORAGE was requested)?

One more thing: application-debuggable is set for the APK. Any reason for that? I especially wonder as I cannot find that in your AndroidManifest.xml

New release will go live here with the next sync. I've also added a "release note" concerning the changed certificate, telling people they'd have to uninstall and reinstall:

image

@IzzySoft
Author

IzzySoft commented Dec 6, 2024

@Dado1513 Could you please clarify the permissions listed in my comment from March? And will the debuggable flag be dropped any time soon – or has the app been abandoned, as there are not even any commits since March? I mean, for an app about privacy and security, those things should be clarified/fixed. What packages does HideDroid want to install? Some folks might be scared away by this.

@Dado1513
Owner

Hi @IzzySoft,

Apologies for the delayed response. I haven’t had much time to dedicate to personal projects lately.

The debuggable flag was an oversight, and I’ll remove it in the next release.

The REQUEST_INSTALL_PACKAGES permission is used for modifying other apps (repacking) to capture and anonymize traffic, while the READ_EXTERNAL_STORAGE permission is required for creating and storing SSL certificates.

@IzzySoft
Author

Thanks Davide! I wasn't aware HideDroid would repackage apps, the description doesn't tell that nor does the Readme mention it – I thought filtering/rewriting of traffic was done via "proxying" (hence the android.net.VpnService and the requirement of a local CA certificate).

How then will app updates be handled? And the app's data? You cannot repack APKs without re-signing them, so the repacked APK would not be accepted as update (hence probably the REQUEST_DELETE_PACKAGES permission). But then, how do you keep the data? IIRC, that is bound to the signature as well (I vaguely remember I once tried to switch to a differently signed app while keeping the data, and having run into such an issue).

And last but not least: Shouldn't this be made clear in the description, to avoid "surprises after install"?
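
The findings raised in this thread (debug-key signature, `application-debuggable`, the permission report with its trailing asterisk) can be checked from build-tool output. The following is an added example, not part of the original thread and not the scanner IzzySoft uses: it parses constructed sample output in the format printed by `apksigner verify --print-certs` and `aapt dump badging`. Function names are hypothetical, and matching the stock `CN=Android Debug, O=Android, C=US` subject is a heuristic, since a key's subject can be changed.

```python
import re

# Subject that Android build tools give the auto-generated debug key.
# Heuristic: a release key could carry any subject, a debug key a custom one.
DEBUG_DN = {"CN": "Android Debug", "O": "Android", "C": "US"}
# The permissions the scan in this thread reported as sensitive.
SENSITIVE = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REQUEST_DELETE_PACKAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}

def debug_signers(print_certs):
    """Return signer numbers whose certificate DN is the stock debug subject."""
    hits = []
    for num, dn in re.findall(r"^Signer #(\d+) certificate DN: (.+)$", print_certs, re.M):
        fields = dict(p.strip().split("=", 1) for p in dn.split(",") if "=" in p)
        if all(fields.get(k) == v for k, v in DEBUG_DN.items()):
            hits.append(int(num))
    return hits

def badging_findings(badging):
    """Report the debuggable flag and sensitive permissions ('*' = implied)."""
    requested = set(re.findall(r"^uses-permission: name='([^']+)'", badging, re.M))
    implied = set(re.findall(r"^uses-implied-permission: name='([^']+)'", badging, re.M))
    perms = sorted(requested & SENSITIVE)
    perms += sorted(p + "*" for p in (implied - requested) & SENSITIVE)
    debuggable = re.search(r"^application-debuggable\s*$", badging, re.M) is not None
    return {"debuggable": debuggable, "permissions": perms}

# Constructed sample tool output, not taken from any real APK.
SAMPLE_CERTS = """\
Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: <constructed-placeholder>
"""
SAMPLE_BADGING = """\
package: name='com.example.app' versionCode='4' versionName='1.0'
application-debuggable
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.REQUEST_DELETE_PACKAGES'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-implied-permission: name='android.permission.READ_EXTERNAL_STORAGE' reason='requested WRITE_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    print("debug-key signers:", debug_signers(SAMPLE_CERTS))
    print(badging_findings(SAMPLE_BADGING))
```

Run as a release gate, a non-empty `debug_signers` result or `debuggable: True` would fail the build before the APK is published.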
