Mike Kuketz 🛡  

Android-Apps auf dem Seziertisch: Eine vertiefte Betrachtung

kuketz-blog.de/android-apps-au

1+
Hans-Christoph Steiner  

Nice idea to check usesCleartextTraffic, but that particular check isn't worth much since, as the docs say:

> This flag is ignored on Android 7.0 (API level 24) and above if an Android Network Security Config is present.

Sounds like the IzzyOnDroid scanner would not catch `android:usesCleartextTraffic="false"` then in the Network Security Policy, sets `<base-config cleartextTrafficPermitted="true" />`. From what I've seen, most apps use Network Security Policy anyway.

1/

1+
Hans-Christoph Steiner  

@kuketzblog @IzzyOnDroid thanks for the prompt, we just merged related work. Issuebot now reports service intent-filters and checks cleartextTrafficPermitted. `fdroid build` blocks APKs with testOnly. You might be interested in the <meta-data> check in issuebot. For many cases, API key configs are by far the most reliable way to spot that a tracking or proprietary library is actually enabled in the app, and not just accidentally included. <meta-data> fields are tracked in Exodus ETIP.

2/

1
Hans-Christoph Steiner
Follow

@kuketzblog @IzzyOnDroid the implementation that checks usesCleartextTraffic and cleartextTrafficPermitted is here:

gitlab.com/fdroid/issuebot/-/c

3/3

· Web · 0 · 0 · 0
Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml