Deutsch English Français Italiano |
<v58m4l$8n7c$2@dont-email.me> View for Bookmarking (what is this?) Look up another Usenet article |
Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail From: "R.Wieser" <address@is.invalid> Newsgroups: comp.mobile.android Subject: Re: Android keyboard: your choice. Date: Sun, 23 Jun 2024 10:21:39 +0200 Organization: A noiseless patient Spider Lines: 126 Message-ID: <v58m4l$8n7c$2@dont-email.me> References: <20240617114559.a2970ac2923facc44a2ec355@gmail.com> <v4ov83$j5oj$1@dont-email.me> <v4sojj$1gqik$1@dont-email.me> <lde8tqF9a76U1@mid.individual.net> <v4tkrl$1bpq$1@nnrp.usenet.blueworldhosting.com> <v4u0gu$1rom7$2@dont-email.me> <ldia57Frps7U7@mid.individual.net> <v51gfu$2kg3e$2@dont-email.me> <ldj2atFs5uU2@mid.individual.net> <v53gbe$33j85$2@dont-email.me> <ldpbr7Ftm5tU5@mid.individual.net> Injection-Date: Sun, 23 Jun 2024 10:24:54 +0200 (CEST) Injection-Info: dont-email.me; posting-host="e6706215b728f93e957043e58f553df7"; logging-data="285932"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+nsb+i1cOLBKPIBAMFjnQkjDRu9CseZeVdc/rnWgGWfw==" Cancel-Lock: sha1:9dXvAG+uTS1CZ/e/jYSZpb2n6OI= X-MSMail-Priority: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512 X-Priority: 3 X-RFC2646: Format=Flowed; Original X-Newsreader: Microsoft Outlook Express 6.00.2900.5512 Bytes: 6555 Arno, >>> An app *must* contain the permission request in the manifest, >>> regardless if it actually uses it or not. >> >> I take that as "regardless if it *directly* uses it or not." > > There is no "direct use". Either an app does use an system API > which requires a permission or not. :-) I think we are talking about the same thing., though I think from different vantage points. The "direct use" quip was about the difference of only asking the permission when the app actualy uses it, versus asking for all permissions at install time. > "Late binding" is required for *all* permissions in newer Android > versions. I am not sure when Google changed this, but as far I > remember, Android 6 introduced that. I decision I consider as being bad. For reason(s) I already mentioned. I hope my phones OS doesn't follow it. >> :-) You talk as if you are smart enough, but at the same time you seem >> to blindly trust an apps honesty in obeying a setting it manages it >> itself. >> I don't. > > I don't either - but I can read and understand source code: :-) I've worked my way thru enough sourcecode to know that a lot can go on in there that I will never be able to fully grasp. Kudos to you that you can. > And yes, I also develop Android software myself: I'm not at all surprised about it. >> They *tell you* that they will /just/ take the contact names, and leave >> everything else (you know, phone numbers, adresses, etc.) alone, and >> you believe them ? Again, I don't. > > Who is "they"? The apps infopage (wherever it is stored) ? > Heliboard is not sold by a company but provided by a bunch of > contributors (at the moment 26 - see > <https://github.com/Helium314/HeliBoard/graphs/contributors>) who > spend their free time to maintain a keyboard app you can use for free. > > So you believe all these guys work on that app to spy on you? Is there any reason why I should believe that /all/ app makers - or in this case all 26 contributors of it - are all fully above board ? On which ground please ? Also, *You* have the capability to inspect their sourcecode, and make your decisions on that. I would call that distrust too. I'm not at your level of expertise, so I'm not allowed to have the same distrust ? And FWY, I was-and-am talking about apps in general. You keeping pushing a specific app forward as proof that my distrust is unwarranted is therefore meaningless to me. And pardon me, but as someone who can inspect such apps (I take it you have some kind of de-compiler at hand too) you must have encountered a number which are rather ... iffy in what they try to do, and "not quite" matching their info sheet. FYI, I'm frequenting a website which regulary talks about how, often high-ranked, android apps contain malware, purposely put there by the app maker or because (s)he used a third-party library which cointained it. > Then don't use the app or better don't use smartphones at all - and > yes, I am really serious! You sound as if I trust the OS I'm running I also *must* trust the apps that can run on it. I sure hope I misinterpreted that. >> Also, there is a reason why some phone OS-es offer you to provide >> apps asking for such a permission a fake list. > > Which does not solve the issue, that you still have to trust the OS that > it works as intended. Indeed. The only difference is that if I (think I) can trust the OS than it becomes a bottleneck for the apps that are up to no good, and thereby neutralize those. So instead of having to worry about all the apps I would want to put on my phone I only have to worry about one. I don't know about you, but that sounds like quite an improvement. > Yes - everything is possible! Even if an app has *no* permissions at > all it still can be harmful since there may be a security bug in Android > which a malicous app can exploit. And yes, I am really serious! :-) The website mentioned talks about such stuff too. So yes, I'm aware of that. > No, I have no problem trusting an open source app I can check of myself. :-) You're lying. You're not *trusting* it, you're *vetting* it. Just like I try to do. But somehow /my/ vetting is problematic to you. Why ? > No I don't expect anything except not being paranoid and trying > to understand *why* I told you that about Heliboard. Ask yourself how I could possibly *know* why you mentioned that app. You might be fully above board, but you could as easly be someone who's trying goading people into installing (trojaned) malware. (don't worry, I'm leaning to the former). And do ask yourself why I would trust someone I cannot touch if he violates that trust ? Thats not trust, that is merely acknowedging that there is no other choice. But to be honest, Heliboard looks, permission wise, to be one of the better ones. If-and-when I install it I likely won't give it that READ_CONTACTS permission though. Than again, I might just go for the other one in my (short) list, which only asks access to the dictionary and vibrate. Regards, Rudy Wieser