Safe apps are detected by checkPotentiallyDangerousApps #195

Open

scscgit opened this issue Mar 27, 2022 · 1 comment

Comments


scscgit commented Mar 27, 2022

The checkPotentiallyDangerousApps (function detectPotentiallyDangerousApps) uses a constant hard-coded list of packages. For example, org.blackmart.market doesn't have anything to do with root, and it's perfectly valid to have some third-party APK market store installed (especially if it's an old version that doesn't even work anymore) - you can never have enough APK repositories in reserve to be prepared for situations when Google decides to pull more apps from their Play Store once they harm their anti-privacy agendas :) (Counter-intuitively, even if someone claims that unofficial/modified apps/games are "unsafe", remember that this is a root detection tool, so unless it also detects root, these apps should be unable to access dangerous privileges anyway.) Anyway, my guess is that there have been some root managers or tools using the same package name, which is why it got included in the list. The original PR was

where the comments referenced an arbitrary file gist like app_list.json, which had suddenly become an indisputable source of truth for this project. Is this list even exhaustive or up-to-date? What are the rules, and what is "potentially dangerous" even supposed to mean in this context? My Google Play Protect surely doesn't get triggered by such an app.

Can we please get an in-app explicit message referencing which package has been detected as unsafe? (Preferably also easy to consume and display to users by library consumers?) Can this also be logged for those of us who use a Logcat app on our phones whenever debugging apps that depend on this library (if for some reason we don't go scavenge source code as our first resort)? I mean, not trying to be rude, but losing 50+ hours of personal time on debugging this false-positive nonsense at short notice can be kind of a big deal for some of us. Of course, the intention should also be documented as per

Last but not least, do you realize that banking apps are now starting to use this metric as part of their mandatory security check? (#188) What are your plans if any "dangerous app" decides to re-use a package of some well-known app?
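One way to implement the explicit per-package report asked for above, as an added example that is not the library's own code and not from this issue: a check that returns the list of matched package names instead of a single boolean, so a consuming app can display them to the user and write them to the log. The flagged-package list is constructed for the example (only org.blackmart.market comes from the issue; the second entry is an obvious placeholder), and the installed-package lookup is injected as a Predicate so the code runs off-device; on Android it would wrap PackageManager.getPackageInfo, which throws NameNotFoundException when the package is absent.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

/**
 * Added example (not the library's own code): a package-list check that
 * reports WHICH packages matched instead of only a boolean, so a consuming
 * app can show a precise message and log it.
 */
public final class DangerousAppReport {

    // Constructed list for this example. org.blackmart.market is the package
    // named in the issue; the second entry is a placeholder, not a real app.
    static final List<String> FLAGGED_PACKAGES = Collections.unmodifiableList(Arrays.asList(
            "org.blackmart.market",
            "com.example.placeholder.rootmanager"));

    private final Predicate<String> isInstalled;

    /**
     * @param isInstalled lookup for "is this package installed". On Android this
     *                    would call PackageManager#getPackageInfo(pkg, 0) and map
     *                    NameNotFoundException to false; injected here for testing.
     */
    DangerousAppReport(Predicate<String> isInstalled) {
        this.isInstalled = isInstalled;
    }

    /** Returns every flagged package that is installed, in list order. Empty list means no hit. */
    List<String> detect() {
        List<String> hits = new ArrayList<>();
        for (String pkg : FLAGGED_PACKAGES) {
            if (isInstalled.test(pkg)) {
                hits.add(pkg);
            }
        }
        return hits;
    }

    /** Human-readable message a consuming app can display or log; names the packages, not just "unsafe". */
    static String describe(List<String> hits) {
        if (hits.isEmpty()) {
            return "No flagged packages installed.";
        }
        return "Flagged packages installed (package-name match only, not proof of root): "
                + String.join(", ", hits);
    }

    public static void main(String[] args) {
        // Constructed "installed packages" set for a stand-alone run.
        Set<String> installed = new HashSet<>(Arrays.asList(
                "com.android.vending", "org.blackmart.market", "com.example.someapp"));
        DangerousAppReport check = new DangerousAppReport(installed::contains);
        List<String> hits = check.detect();
        System.out.println(describe(hits));
        // On Android the same string would also go to Logcat:
        // android.util.Log.w("RootCheck", describe(hits));
    }
}
```

Returning the matched names rather than a boolean is what lets a consumer show a precise message and lets a debugger find the cause in Logcat. The message deliberately says "package-name match" because, as the issue points out, any app can ship under any package name, so a hit from this list on its own is a weak signal and not evidence of root.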


syss commented Jun 20, 2023

Got locked out of 2 apps because your lib detects my phone with potentially dangerous apps.
Please give information on which app I need to get rid of!

Other than my personal problem, I agree with OP.
