Nice idea to check usesCleartextTraffic, but that particular check isn't worth much since, as the docs say:
> This flag is ignored on Android 7.0 (API level 24) and above if an Android Network Security Config is present.
Sounds like the IzzyOnDroid scanner would not catch `android:usesCleartextTraffic="false"` when the Network Security Policy then sets `<base-config cleartextTrafficPermitted="true" />`. From what I've seen, most apps use Network Security Policy anyway.
1/
@kuketzblog @IzzyOnDroid the #FDroid implementation that checks usesCleartextTraffic and cleartextTrafficPermitted is here:
https://gitlab.com/fdroid/issuebot/-/commit/cd76b15fd6be063fdb614040a26dfe5801629c0a
3/3
@eighthave It's true my scanner would currently not catch that special case (thanks for the pointer, will look if I can get that in, too – remember other than F-Droid, I'm only running a "simple binary repo" here) – but at least it was catching loads of the "simple cases" instead of none at all 😉 So good to see this is finally addressed at F-Droid as well. As for "what's missing", you might wish to check … (1/x)
@eighthave (2/3) https://gitlab.com/fdroid/admin/-/issues/367 from 12/2022 which, when brought to my attention in 1/2024, immediately triggered the changes from https://gitlab.com/IzzyOnDroid/repo/-/issues/475 discussed here – and the blog article you asked for in 10/2022 at https://gitlab.com/fdroid/fdroidserver/-/issues/1056#note_1143767439 – apologies it took me that long to write it though I've known it since 1/2024, but I wanted to check thoroughly before. F-Droid does have those signing block issues as well with reproducible builds (as the two issues point out), so I hope …
@eighthave (3/3) you have that focused as well? Feel free to use the details from issue 475 in my repo (https://gitlab.com/IzzyOnDroid/repo/-/issues/475) for it.
@eighthave "From what I've seen, most apps use Network Security Policy anyway." From what I've noticed, too many do not, while simply setting cleartextTraffic to true – which often meant they were not aware of the implications. After I told them (in issues I've opened) they either removed that entirely, or THEN started to use network config, to e.g. pin cleartext to localhost when it was only intended for that.
Opened https://gitlab.com/IzzyOnDroid/repo/-/issues/524 to keep an eye on it, though. Thanks for the pointer!
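To make the precedence rule from the first post concrete (the manifest flag is ignored once a Network Security Config is present) and the localhost pinning mentioned just above, here is an added Python model of how Android resolves cleartext permission per host; it is not code from issuebot or the IzzyOnDroid scanner. It assumes the manifest and config are passed in as strings, takes the documented defaults (base-config cleartext permitted below targetSdk 28, not from 28 on), and simplifies domain matching to top-level `domain-config` entries with exact host names.

```python
"""Added example: resolve Android's effective cleartext-traffic policy.

Assumptions: top-level <domain-config> elements only (no nesting), exact
host matching, and the platform default of cleartext permitted for
targetSdk < 28 and denied from targetSdk 28 onwards.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def _bool(value, default):
    """Parse an XML boolean attribute, falling back to the given default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def manifest_cleartext(manifest_xml, target_sdk):
    """Value of android:usesCleartextTraffic, or the platform default."""
    app = ET.fromstring(manifest_xml).find("application")
    attr = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    return _bool(attr, target_sdk < 28)


def nsc_cleartext(nsc_xml, target_sdk):
    """Map host -> cleartext permitted; key '*' holds the base-config value."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_attr = base.get("cleartextTrafficPermitted") if base is not None else None
    policy = {"*": _bool(base_attr, target_sdk < 28)}
    for cfg in root.findall("domain-config"):
        # A domain-config without the attribute inherits the base-config value.
        permitted = _bool(cfg.get("cleartextTrafficPermitted"), policy["*"])
        for dom in cfg.findall("domain"):
            policy[dom.text.strip()] = permitted
    return policy


def cleartext_permitted(host, manifest_xml, nsc_xml=None, target_sdk=33):
    """Effective answer for one host. With an NSC present (API 24+), the
    manifest flag is ignored entirely, which is the case the scanner missed."""
    if nsc_xml is None:
        return manifest_cleartext(manifest_xml, target_sdk)
    policy = nsc_cleartext(nsc_xml, target_sdk)
    return policy.get(host, policy["*"])


# Constructed samples: manifest forbids cleartext, NSC re-enables it globally
# (NSC_GLOBAL) or only for localhost (NSC_LOCALHOST).
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<application android:usesCleartextTraffic="false"/></manifest>')
NSC_GLOBAL = ('<network-security-config><base-config cleartextTrafficPermitted="true"/>'
              '</network-security-config>')
NSC_LOCALHOST = ('<network-security-config><base-config cleartextTrafficPermitted="false"/>'
                 '<domain-config cleartextTrafficPermitted="true"><domain>localhost</domain>'
                 '</domain-config></network-security-config>')
```

A scanner that only reads the manifest reports `False` for the NSC_GLOBAL case, while the app actually allows cleartext to every host.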
@kuketzblog @IzzyOnDroid thanks for the prompt; we just merged related work. Issuebot now reports service intent-filters and checks cleartextTrafficPermitted. `fdroid build` blocks APKs with testOnly. You might be interested in the `<meta-data>` check in issuebot. For many cases, API key configs are by far the most reliable way to spot that a tracking or proprietary library is actually enabled in the app, and not just accidentally included. `<meta-data>` fields are tracked in Exodus ETIP.
2/