android download manager is insecure #722

Open
nutpantz opened this issue Aug 1, 2024 · 11 comments

@nutpantz

nutpantz commented Aug 1, 2024

Download manager is insecure. Any app can abuse internet access by using download manager.
https://developer.android.com/privacy-and-security/risks/unsafe-download-manager

Please support 3rd party download managers, even links for Firefox or app downloading.

Download manager will not work if Google spyware is blocked on many devices (i.e. Google apps like sounds, MTP host, providers.media are bundled with download manager on Google devices, so power users cannot allow one without allowing all access).

Download manager also will not work on many devices if captive portal controller is blocked or disabled when someone does not want their device to connect to Google every time.

https://xdaforums.com/t/guide-how-to-avoid-the-captive-portal-checkin-to-google.3927561/

And worst of all, the Android download manager NEVER reports ANY error to the user.

Please stop using the Android download manager; it is badly written, badly implemented, dangerous software.

@devemux86
Contributor

BRouter does not use the Android DownloadManager, but URLConnection to download files.

@nutpantz
Author

nutpantz commented Aug 2, 2024

Screenshot_20240802-095702

Well whatever it uses, it acts like the Android download manager.
It gives no error. No progress report. No notification of attempting to download anything. And likely will not start unless Google services or Android reports that it has connected to Google and has access to internet.

Please support 3rd party download managers or at least a link to manually download the needed files. (Or just download and not check if there is a connection, and provide error and progress)

@devemux86
Contributor

BRouter does not use the DownloadManager that is in Android and not in Google services.
It uses a more complicated process with URLConnection to download files with notifications.

It shows the progress of the download (see the video below) and reports what is happening.
You can check its code, it is an open source project. 🙂

BRouter is also on F-Droid, so this version cannot use Google services:
https://f-droid.org/packages/btools.routingapp/

You can also manually download the BRouter data with your browser, see the instructions:
https://github.com/abrensch/brouter/blob/master/docs/users/download_segments.md

Cruiser.BRouter.mp4

@nutpantz
Author

nutpantz commented Aug 3, 2024 via email

@nutpantz
Author

nutpantz commented Aug 4, 2024

03_08-17-47-26_938.log

@zod
Collaborator

zod commented Aug 4, 2024

BRouter uses Android's WorkManager which checks if a network connection is available (see code).

This is a sensible action for all users, because there is no need to try if the connection isn't available. If you cripple your Android by blocking the services, you should also patch it to cause this check to always return true instead of silently failing. This is an issue of your modification and not an insecurity of BRouter.

@nutpantz
Author

nutpantz commented Aug 4, 2024

Android contacts Google to check if there is internet and if you are behind a captive portal. That is the default and is not changeable without root or a custom ROM (and even then most custom ROMs still contact Google). Many many people who use F-Droid are using it to stop the tracking of their devices by Google.

Your app fails to download anything, even if there is a network connection, without providing an error; Android work manager does not provide any error.

So it seems it would work better without that line.
It's not checking if there is a network connection.
Or even checking if the server it needs is available. It is checking if it can contact Google.

And that is not secure.
(The little exclamation point in my network icon means Android cannot connect to Google.)

@zod
Collaborator

zod commented Aug 4, 2024

Why would it be insecure?

@nutpantz
Author

nutpantz commented Aug 7, 2024 via email

@zod
Collaborator

zod commented Aug 7, 2024

I think you should check the definition of "secure".

@nutpantz
Author

nutpantz commented Aug 8, 2024 via email
