<v58m4l$8n7c$2@dont-email.me>


Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: "R.Wieser" <address@is.invalid>
Newsgroups: comp.mobile.android
Subject: Re: Android keyboard: your choice.
Date: Sun, 23 Jun 2024 10:21:39 +0200
Organization: A noiseless patient Spider
Lines: 126
Message-ID: <v58m4l$8n7c$2@dont-email.me>
References: <20240617114559.a2970ac2923facc44a2ec355@gmail.com> <v4ov83$j5oj$1@dont-email.me> <v4sojj$1gqik$1@dont-email.me> <lde8tqF9a76U1@mid.individual.net> <v4tkrl$1bpq$1@nnrp.usenet.blueworldhosting.com> <v4u0gu$1rom7$2@dont-email.me> <ldia57Frps7U7@mid.individual.net> <v51gfu$2kg3e$2@dont-email.me> <ldj2atFs5uU2@mid.individual.net> <v53gbe$33j85$2@dont-email.me> <ldpbr7Ftm5tU5@mid.individual.net>
Injection-Date: Sun, 23 Jun 2024 10:24:54 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="e6706215b728f93e957043e58f553df7";
	logging-data="285932"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1+nsb+i1cOLBKPIBAMFjnQkjDRu9CseZeVdc/rnWgGWfw=="
Cancel-Lock: sha1:9dXvAG+uTS1CZ/e/jYSZpb2n6OI=
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-Priority: 3
X-RFC2646: Format=Flowed; Original
X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
Bytes: 6555

Arno,

>>> An app *must* contain the permission request in the manifest,
>>> regardless if it actually uses it or not.
>>
>> I take that as "regardless if it *directly* uses it or not."
>
> There is no "direct use". Either an app does use a system API
> which requires a permission or not.

:-) I think we are talking about the same thing, though I think from 
different vantage points.  The "direct use" quip was about the difference of 
only asking the permission when the app actually uses it, versus asking for 
all permissions at install time.

> "Late binding" is required for *all* permissions in newer Android
> versions. I am not sure when Google changed this, but as far I
> remember, Android 6 introduced that.

A decision I consider as being bad.   For reason(s) I already mentioned. 
I hope my phone's OS doesn't follow it.

>> :-) You talk as if you are smart enough, but at the same time you seem
>> to blindly trust an app's honesty in obeying a setting it manages
>> itself.
>> I don't.
>
> I don't either - but I can read and understand source code:

:-)  I've worked my way thru enough sourcecode to know that a lot can go on 
in there that I will never be able to fully grasp.   Kudos to you that you 
can.

> And yes, I also develop Android software myself:

I'm not at all surprised about it.

>> They *tell you* that they will /just/ take the contact names, and leave
>> everything else (you know, phone numbers, addresses, etc.) alone, and
>> you believe them ?   Again, I don't.
>
> Who is "they"?

The app's infopage (wherever it is stored) ?

> Heliboard is not sold by a company but provided by a bunch of
> contributors (at the moment 26 - see
> <https://github.com/Helium314/HeliBoard/graphs/contributors>) who
> spend their free time to maintain a keyboard app you can use for free.
>
> So you believe all these guys work on that app to spy on you?

Is there any reason why I should believe that /all/ app makers - or in this 
case all 26 contributors of it - are all fully above board ?   On which 
ground please ?

Also, *You* have the capability to inspect their sourcecode, and make your 
decisions on that.  I would call that distrust too.   I'm not at your level 
of expertise, so I'm not allowed to have the same distrust ?

And FYI, I was-and-am talking about apps in general.  You keeping pushing a 
specific app forward as proof that my distrust is unwarranted is therefore 
meaningless to me.

And pardon me, but as someone who can inspect such apps (I take it you have 
some kind of de-compiler at hand too) you must have encountered a number 
which are rather ... iffy in what they try to do, and "not quite" matching 
their info sheet.

FYI, I'm frequenting a website which regularly talks about how, often 
high-ranked, android apps contain malware, purposely put there by the app 
maker or because (s)he used a third-party library which contained it.

> Then don't use the app or better don't use smartphones at all - and
> yes, I am really serious!

You sound as if I trust the OS I'm running I also *must* trust the apps that 
can run on it.  I sure hope I misinterpreted that.

>> Also, there is a reason why some phone OS-es offer you to provide
>> apps asking for such a permission a fake list.
>
> Which does not solve the issue, that you still have to trust the OS that
> it works as intended.

Indeed.   The only difference is that if I (think I) can trust the OS then 
it becomes a bottleneck for the apps that are up to no good, and thereby 
neutralizes those.   So instead of having to worry about all the apps I would 
want to put on my phone I only have to worry about one.    I don't know 
about you, but that sounds like quite an improvement.

> Yes - everything is possible! Even if an app has *no* permissions at
> all it still can be harmful since there may be a security bug in Android
> which a malicious app can exploit. And yes, I am really serious!

:-)  The website mentioned talks about such stuff too.   So yes, I'm aware 
of that.

> No, I have no problem trusting an open source app I can check of myself.

:-) You're lying.  You're not *trusting* it, you're *vetting* it.  Just like 
I try to do.  But somehow /my/ vetting is problematic to you. Why ?

> No I don't expect anything except not being paranoid and trying
> to understand *why* I told you that about Heliboard.

Ask yourself how I could possibly *know* why you mentioned that app.    You 
might be fully above board, but you could as easily be someone who's trying 
to goad people into installing (trojaned) malware. (don't worry, I'm leaning 
to the former).

And do ask yourself why I would trust someone I cannot touch if he violates 
that trust ?   That's not trust, that is merely acknowledging that there is no 
other choice.

But to be honest, Heliboard looks, permission wise, to be one of the better 
ones.   If-and-when I install it I likely won't give it that READ_CONTACTS 
permission though.

Then again, I might just go for the other one in my (short) list, which only 
asks access to the dictionary and vibrate.

Regards,
Rudy Wieser