Question on permissions & services #65

IzzySoft opened this issue Jun 19, 2024 · 4 comments

Comments

@IzzySoft

Congrats to the new release! Since your last one, the scanners at IzzyOnDroid received a huge overhaul (see: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo), and for your new release reported:

! repo/ly.com.tahaben.farhan_8.apk declares intent-filter(s):
  android.accessibilityservice.AccessibilityService
! repo/ly.com.tahaben.farhan_8.apk declares sensitive permission(s):
  android.permission.QUERY_ALL_PACKAGES
  android.permission.SYSTEM_ALERT_WINDOW
  android.permission.READ_PHONE_STATE
  android.permission.READ_EXTERNAL_STORAGE
! repo/ly.com.tahaben.farhan_8.apk contains signature block blobs:
  0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

So may I please ask for some clarifications:

  • what is AccessibilityService used for? ⇒ Just self-answered from the app description 👍 so: added to the "green list" with the proper explanation (see below).
  • QUERY_ALL_PACKAGES is clear and has been added to the app's "green list" now
  • what are the other permissions listed above needed/used for (concerning storage, also the write part)?

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a tiny adjustment in your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

So the current status:

[screenshot of the current scanner status]

Thanks in advance for your clarifications!

@tahaak67
Owner

tahaak67 commented Jun 20, 2024

Thank you for the info :)
SYSTEM_ALERT_WINDOW -> Required to show a dialog over other apps (ex: to show dialog to user when scrolling limit is over)
WRITE / READ_EXTERNAL_STORAGE -> after investigation I found out it was used by LeakCanary (a library I use in debug mode to detect memory leaks). Since this library is only imported in debug mode, I'm not sure why its manifest was merged with the release APK.
I'll see what I can do to avoid this in future releases


READ_PHONE_STATE -> I still can't find where this came from yet 😅 Android Studio can't link it with any library and I have not declared it myself anywhere

Other permissions come from different libraries for different reasons. If it's of any use for you I can provide a list with what library uses them & why.

@IzzySoft
Author

  • SYSTEM_ALERT_WINDOW: added to the "green list"
  • WRITE / READ_EXTERNAL_STORAGE: leaving it open for now, pending your findings.
  • READ_PHONE_STATE same. Looking through the dependencies in your build.gradle I don't find any obvious candidate either.
  • other permissions: feel free to just list them up together with the reason they're needed for, and I'll integrate them. Reason should be as short as possible (you see how it looks on the page). Here's how it looks in the config:
android.permission.QUERY_ALL_PACKAGES: required to know which apps are installed, eg. for usage stats
android.permission.SYSTEM_ALERT_WINDOW: to show a dialog over other apps eg. when scrolling limit is over

Thanks a lot!

@tahaak67
Owner

tahaak67 commented Jul 2, 2024

Here are the other permissions
• FOREGROUND SERVICE -> To perform actions in the background (eg. for usage caching)
• PACKAGE USAGE STATS -> To get installed apps for exceptions
• POST NOTIFICATIONS -> For notifications (eg. notify me)
• RECEIVE BOOT COMPLETED -> to perform usage caching if device was off
• SCHEDULE EXACT ALARM -> for notify me, to notify you at an exact time
• SET WALLPAPER -> for the launcher (not released yet)
• WAKE LOCK -> to keep usage caching process from sleeping
• WRITE SECURE SETTINGS -> Required to grayscale the screen

For ACCESS NETWORK STATE: it's required by an external dependency and is never used

@IzzySoft
Author

IzzySoft commented Jul 8, 2024

Thanks! Added the descriptions. Two remarks:

for the launcher (not released yet)

You should not request it before it's implemented 😉

For ACCESS NETWORK STATE: it's required by an external dependency and is never used

Please take a look at Removing Unwanted Manifest Permissions With tools:node and give it a try then. If it's never used it does not hurt to remove it.
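An added example (not from the issue or the Farhan project) of the tools:node technique linked above: the app module's own AndroidManifest.xml removes ACCESS_NETWORK_STATE from the merged manifest no matter which dependency declared it. It goes one step beyond the thread by applying the same rule to READ_PHONE_STATE, which assumes the app has first confirmed that no code path or library actually needs that permission.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- app/src/main/AndroidManifest.xml (added example, not the project's file) -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    <!-- A dependency merges this in, but the app never uses it:
         tools:node="remove" deletes the element from the merged manifest,
         whichever library contributed it. -->
    <uses-permission
        android:name="android.permission.ACCESS_NETWORK_STATE"
        tools:node="remove" />

    <!-- Assumption: the origin of READ_PHONE_STATE is unknown and nothing in
         the app needs it. The same rule strips it; if a library really
         depended on it, that library's feature would fail at runtime, so
         verify before shipping. -->
    <uses-permission
        android:name="android.permission.READ_PHONE_STATE"
        tools:node="remove" />

    <!-- The app's real <application> block stays as it is. -->
    <application />
</manifest>
```

After a release build, `aapt dump permissions app-release.apk` (aapt ships with the SDK build-tools) shows what actually remains in the APK. The merger report at app/build/outputs/logs/manifest-merger-release-report.txt records which dependency contributed each merged element, which is the quickest way to trace where a permission such as READ_PHONE_STATE comes from.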
