-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
android download manager is insecure #722
Comments
BRouter does not use the Android DownloadManager, but URLConnection to download files. |
Well whatever it uses, it acts like the Android download manager. Please support 3rd party download managers or at least a link to manually download the needed files. (Or just download and not check if there is a connection, and provide error and progress) |
BRouter does not use the DownloadManager that is in Android and not in Google services. It shows the progress of the download (see the video below) and reports what is happening. BRouter is also on F-Droid, so this version cannot use Google services: You can also download manually the BRouter data with your browser, see the instructions: Cruiser.BRouter.mp4 |
What can i say. I am picking things to download and nothing is happening. It's not even trying.
So it must be using Android\Google service to decide if there is internet available (not checking it self) similar to how the Android download manager operates. Then doing nothing.
I have 4 devices i have tested on. All running lineage os (a09 to a14) no gapps and all blocking Google ip address's (and apple face book etc) and one is what i am making the report on.
{Pixel 6 pixel 8 pro, Samsung s7 and a black view).
If i can get a lot I'll post it
…On August 3, 2024 12:31:38 AM PDT, Emux ***@***.***> wrote:
BRouter does not use the [DownloadManager](https://developer.android.com/reference/android/app/DownloadManager) that is in Android and not in Google services.
It uses a more complicated process with [URLConnection](https://developer.android.com/reference/java/net/URLConnection) to download files with notifications.
It shows the progress of the download (see the video below) and reports what is happening.
You can check its code, it is an open source project. 🙂
BRouter is also on F-Droid, so this version cannot use Google services:
https://f-droid.org/packages/btools.routingapp/
You can also download manually the BRouter data with your browser, see the instructions:
https://github.com/abrensch/brouter/blob/master/docs/users/download_segments.md
https://github.com/user-attachments/assets/2fdeb91c-7725-4790-a3f9-d45285d5a1b8
--
Reply to this email directly or view it on GitHub:
#722 (comment)
You are receiving this because you authored the thread.
Message ID: ***@***.***>
|
BRouter uses Android's WorkManager which checks if a network connection is available (see code). This is a sensible action for all users, because there is no need to try if the connection isn't available. If you cripple your android by blocking the services you should also patch it to cause this check to always return true instead of silently failing. This is an issue of your modification and not an insecurity of BRouter. |
Android contacts Google to check if there is internet and if you are behind a captive portal. That is the default and is not changeable without root or a custom ROM (and even then most custom roms still contact Google). Many many people who use fdroid are using it to stop the tracking of their devices by Google. Your app fails to download anything even if there is a network connection without providing an error, Android work manager does not provide any error. So it seems it would work better without that line And that is not secure |
Why would it be insecure? |
1 it schedules the download without any notification or ability to cancel
2 it needs (usually) a connection to Google to verify there is a internet connection
3 there is no user interaction before the download starts
4 there is no error notification
5 there is no que notification
6 the only information before starting or failing download it gives is in a toast, which has no history, no user interaction and no method of recalling that information if missed.
…On August 4, 2024 1:35:03 PM PDT, zod ***@***.***> wrote:
Why would it be insecure?
--
Reply to this email directly or view it on GitHub:
#722 (comment)
You are receiving this because you authored the thread.
Message ID: ***@***.***>
|
I think you should check the definition of "secure". |
Secure means you know what is happening and what is not and why on your own device.
None of that information is given to the user when the download fails.
…On August 7, 2024 12:28:19 PM PDT, zod ***@***.***> wrote:
I think you should check the definition of "secure".
--
Reply to this email directly or view it on GitHub:
#722 (comment)
You are receiving this because you authored the thread.
Message ID: ***@***.***>
|
Download manager is insecure. Any app can abuse internet access by using download manager.
https://developer.android.com/privacy-and-security/risks/unsafe-download-manager
Please support 3rd party download managers , even links for Firefox or app downloading.
Download manager will not work if Google spyware is blocked on many devices (IE Google apps like sounds, MTP host, provides.Media are bundled with download manager on Google devices So power used cannot allow one without allowing all access)
Download manager also will not work on many devices if captive portal controller is blocked or disabled when someone does not want their device to connect to Google every time
https://xdaforums.com/t/guide-how-to-avoid-the-captive-portal-checkin-to-google.3927561/
And worse of all the Android download manager NEVER reports ANY error to the user.
Please stop using the Android download manager it is badly written, badly implemented, dangerous software
The text was updated successfully, but these errors were encountered: