izzyondroid #6

Open
farfromrefug opened this issue Dec 18, 2024 · 15 comments

@farfromrefug
Owner

@IzzySoft here is a new app of mine. Would love for it to be on IzzyOnDroid ;)
It is a fork of ar with an updated design, new features and bug fixes.

Thanks!

@IzzySoft

Will dig into that once I return from my other duties (busy at something else for about a week now). But meanwhile you might want to take a look at these parts of the scanner report:

Dangerous flags:
----------------
* usesCleartextTraffic

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

What is usesCleartextTraffic needed/used for, and where will unencrypted (http instead of https) connections be established to? As for DEPENDENCY_INFO_BLOCK, you probably just forgot:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

@MuntashirAkon

MuntashirAkon commented Dec 21, 2024

@IzzySoft: Aard 2 uses a local HTTP server which serves the dictionary contents that are loaded in a WebView. This is the primary reason for that flag. That being said, it does have sensitive permissions, and the HTTP server has no authentication of any sort. In my (personal) fork of Aard 2, which I use on a daily basis, some of these issues have been addressed:

  1. Added authentication: MuntashirAkon@cedabec
  2. Added network security config to only allow HTTP traffic from localhost (Android N onwards, of course, due to Android limitation, but I use Android 14 and 15): MuntashirAkon@a152c57 (This, of course, is still susceptible to XSS attacks, but authentication greatly reduces the attack surface.)

Now, there are some clever ways to use a local HTTPS server (e.g., by creating a self-signed cert and trusting it dynamically in the app), but this could clearly be a waste of time for a "personal" project. But @farfromrefug may want to take a look at such a solution if interested.
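A network security config of the shape described in item 2 above, as an added example (this is not the fork's own file, and the exact file name is an assumption): cleartext is disabled by default and re-enabled only for the loopback names the WebView uses to reach the local server, so a misconfigured or hijacked cleartext connection to any other host is refused by the platform. It is referenced from the manifest's application element with android:networkSecurityConfig="@xml/network_security_config" and, as noted above, only takes effect on Android N (API 24) and later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (file name assumed) -->
<network-security-config>
    <!-- Default for every host: no cleartext (http) traffic at all. -->
    <base-config cleartextTrafficPermitted="false" />

    <!-- Exception: the dictionary server bound to the loopback interface.
         Only these host strings may be reached over plain http. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">127.0.0.1</domain>
        <domain includeSubdomains="false">localhost</domain>
    </domain-config>
</network-security-config>
```

With this in place the URL handed to the WebView has to use one of the listed host strings; a server bound to the router-assigned LAN address would be blocked by the platform as cleartext traffic to a non-permitted host.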

@farfromrefug
Owner Author

@MuntashirAkon awesome! You don't want to maintain your fork (publicly, I mean)? Your fork seems more advanced.
I have no problem merging from your fork. But we could also do the contrary.

@MuntashirAkon

@MuntashirAkon awesome! You don't want to maintain your fork (publicly, I mean)? Your fork seems more advanced. I have no problem merging from your fork. But we could also do the contrary.

Feel free to merge it. I have no intention to maintain yet another app. Just trying to help you since you're willing to maintain a new fork (and this project badly needs one). I can create PRs when I feel like it. But that's all I can do at my position.

@MuntashirAkon

There is another medium severity vulnerability present in the app which allows an adversary having access to the internal/external storage to carry out a DoS or XSS attack. I'll attempt to address it as soon as I can.

@farfromrefug
Owner Author

@MuntashirAkon awesome, I am not that good with security things. Will merge your fork as soon as I can.

@farfromrefug
Owner Author

@MuntashirAkon I am migrating my changes into your branch. Is it ok if I migrate to Kotlin? Would you still want to contribute/PR?

@MuntashirAkon

@MuntashirAkon I am migrating my changes into your branch. Is it ok if I migrate to Kotlin? Would you still want to contribute/PR?

I think it's not a good idea to migrate to Kotlin or make any subtle changes that detach it from the upstream repository. It would be quite difficult to merge the upstream changes otherwise. If I were you, I'd leave it as is. This will also reduce any maintenance burden on you, as it will be divided between you and the upstream maintainer.

@farfromrefug
Owner Author

@MuntashirAkon I can't get your fork to work here. I have 2 errors:

  • You use RuleBasedCollatorCompat, for which I can't find any reference nor lib. Where did you find it?
  • The slobserver does not pick up connections. serverSocket.accept() always times out after 5s (normal, seeing the code). Thus run is never called, thus I can't fetch any URL. Any idea?

@MuntashirAkon

  • You use RuleBasedCollatorCompat, for which I can't find any reference nor lib. Where did you find it?

You can replace it with RuleBasedCollator. It was an accidental change. I use a custom icu library that makes use of Android's native ICU library, but it's only intended for my own use.

  • The slobserver does not pick up connections. serverSocket.accept() always times out after 5s (normal, seeing the code). Thus run is never called, thus I can't fetch any URL. Any idea?

Make sure you're merging it correctly. The original slob server does not use a localhost server, but a server that's run on the local IP address (the one assigned by the router). So, if you merge it improperly, the IP address may not be 127.0.0.1, which means the dictionaries will not load due to the network security config restricting clear text traffic from that IP address. It only allows clear text traffic from localhost.
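The two server-side changes the thread describes, binding only to the loopback interface (this comment) and requiring authentication on the local HTTP server (item 1 of the earlier comment), in one added plain-Java example. This is illustrative code written for this page, not the slob server from either fork: the class name, the bearer-token scheme and the tiny request parser are all assumptions, and a real server would dispatch to the dictionary content where this one returns a fixed body.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Loopback-only HTTP server with a per-launch bearer token (example, not the project's code). */
public final class LoopbackServer implements Runnable {
    private final ServerSocket serverSocket;
    private final String token;

    public LoopbackServer() throws IOException {
        // Bind to 127.0.0.1 explicitly (port 0 = let the OS pick a free port).
        // Nothing on the LAN can reach the socket, and the URL given to the
        // WebView matches the loopback entry of the network security config.
        serverSocket = new ServerSocket();
        serverSocket.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
        // Fresh random token per process; other apps on the device cannot guess it.
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public int getPort() { return serverSocket.getLocalPort(); }

    public String getToken() { return token; }

    /** Base URL for the WebView; the ':' before the port must not be percent-encoded. */
    public String baseUrl() { return "http://127.0.0.1:" + getPort() + "/"; }

    /** Constant-time comparison, so the token cannot be recovered byte by byte via timing. */
    public boolean isAuthorized(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) return false;
        byte[] presented = authorizationHeader.substring("Bearer ".length()).getBytes(StandardCharsets.UTF_8);
        byte[] expected = token.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(presented, expected);
    }

    @Override
    public void run() {
        while (!serverSocket.isClosed()) {
            try (Socket client = serverSocket.accept()) {
                handle(client);
            } catch (IOException ignored) {
                // One failed client (or a closed server socket) must not take the loop down.
            }
        }
    }

    private void handle(Socket client) throws IOException {
        BufferedReader in = new BufferedReader(
                new InputStreamReader(client.getInputStream(), StandardCharsets.ISO_8859_1));
        String requestLine = in.readLine();
        String authorization = null;
        // Read headers up to the blank line; only the Authorization header matters here.
        for (String line = in.readLine(); line != null && !line.isEmpty(); line = in.readLine()) {
            int colon = line.indexOf(':');
            if (colon > 0 && line.substring(0, colon).trim().equalsIgnoreCase("Authorization")) {
                authorization = line.substring(colon + 1).trim();
            }
        }
        OutputStream out = client.getOutputStream();
        if (requestLine == null || !isAuthorized(authorization)) {
            // Reject before touching any dictionary content.
            out.write("HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
                    .getBytes(StandardCharsets.ISO_8859_1));
        } else {
            byte[] body = "ok".getBytes(StandardCharsets.UTF_8); // placeholder for real content
            out.write(("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: " + body.length
                    + "\r\nConnection: close\r\n\r\n").getBytes(StandardCharsets.ISO_8859_1));
            out.write(body);
        }
        out.flush();
    }
}
```

Usage: construct the server, run it on a background thread, and hand baseUrl() to the WebView. Because a WebView only attaches custom headers to the main-frame load, an app would normally deliver the token through a cookie scoped to 127.0.0.1 (or another channel the subresource requests also carry) rather than an Authorization header; the check itself stays the same. The URL must keep the port separator literal: a builder that percent-encodes the authority turns "127.0.0.1:8013" into a host the platform cannot connect to, which is the symptom the follow-up comment describes.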

@farfromrefug
Owner Author

farfromrefug commented Dec 28, 2024

@MuntashirAkon Ok, I did not merge. I decided to start from your fork as I am going to stay in Java. If I use your fork the slob server does not start tr écho thread (timeout).

EDIT: I fixed it. Will commit the change, but the Uri.Builder was not working (port ':' was encoded).

@IzzySoft

Great to see the two of you working on this! 🤩 Please give me a ping when I shall pick up the results 😉 Thanks!

@farfromrefug
Owner Author

@IzzySoft @MuntashirAkon just released the first version of the "new" app based on @MuntashirAkon's fork. It is now called OSS-Dict. Let me know if you see any issue.

@IzzySoft

IzzySoft commented Jan 7, 2025

Hm, com.akylas.aard2? That's in the namespace of Akylas. A bit confusing. Yeah, it's your "alter ego", so it's not exactly "invading to someone else's domain" – but why using different accounts, but then mixing the namespaces? Your choice of course, just want to make sure that's intended – before we add it and then having to go through the trouble of "moving it again" 😉

@farfromrefug
Owner Author

@IzzySoft yes, I put all my apps under akylas, which is my dev company (solo). It is a reflex to put it all under there ...
As for the namespace, I specifically kept the original one or it won't compile, because I also kept the package name.
As discussed with @MuntashirAkon, we kept that to ensure we can easily merge (or even merge back) from the original app.
