Asking for the permission in question sounds very reasonable for me as well, in particular since we are talking about an open source app (paranoid people could always check the source code and compile it by themselves if they don't trust us).
My biggest concern has to do with security. The bytecode for transfer is loaded dynamically in lttoolbox-java and therefore apertium-android. If we store this bytecode in the external SD card, where anybody can read from and write to, an attacker could potentially replace it with some malicious code that would be run in our app's context. There are two solutions that I can think of: 1) Keep the bytecode in the internal storage. 2) Cryptographically sign the bytecode and verify this signature every time that we load it. Probably not too hard to implement, but we would have to take care of the infrastructure involved, which is not trivial (e.g. who would keep the private key? only people with it could publish or update language pairs, but we could not make it public either as potential attackers would then have access to it). I have to implement the 2nd option in Mitzuli before I release it, since I have discovered that this security hole is present there even if I keep the language pairs in internal storage. Maybe we could adapt the code for Apertium when it is ready. Mikel On Sun, Oct 26, 2014 at 1:02 PM, Wei En Ng <[email protected]> wrote: > Writing to the SD card appears to be a very reasonable permission to grant > to an application. An explanation of why we need the permissions can be > provided in the description. This is a more practical option imo. > On 26 Oct, 2014 7:06 pm, "Jacob Nordfalk" <[email protected]> > wrote: > >> We are discussing why >> https://play.google.com/store/apps/details?id=org.apertium.android cant >> store its big dictionaries on the external SD card. >> >> The issue is permissions: We need extra read/write access permission to >> SD card to store dictionary files on external storage. >> >> I prefer not to require more permissions than absolutely neccesary. >> >> From version 4.4.4 we can store stuff to external storage without >> requiring extra permissions. >> >> So: >> 1) either require extra permissions to SD card >> 2) only be able to store dictionaries on external storage from 4.4.4 >> KitKat and up. >> >> What do you think ? >> >> Jacob >> >> 2014-10-25 22:57 GMT-07:00 Yaro <[email protected]>: >> >>> Hsairen Jacob >>> >>> Android 4.0.4 I think gogl started messing and locking sd And app access >>> from 4.1 onwards escalating their actions in every new version .but that >>> doesn't apply to internal sd for my ics.i heard about the 4.4.4 issues then >>> again appertium should use it's deposit file space on kitkat's internal >>> sd.and ics's in fact. And i'll be on 4.4.4 soon.! >>> >>> Cheers >>> Yaro >>> >>> >>> Jacob Nordfalk <[email protected]> wrote: >>>> >>>> What Android version has your phone? >>>> >>>> Sendt fra min Android >>>> Den 25/10/2014 02.55 skrev "Yaro" <[email protected]>: >>>> >>>>> Hello >>>>> >>>>> So great to see you rise back from the cold. >>>>> >>>>> Have an issue, the downloaded language data goes to my "Rom" memory >>>>> not my sd and consumes a lot,please update for sd storage, my device has >>>>> 32gb internal, but appertiun ignored it,fix when possible. >>>>> >>>>> Thanks in advance >>>>> >>>>> Regards >>>>> -- >>>>> Sent from my Android device >>>> >>>> -- >>> Sent from my Android device l> >> >> >> >> >> -- >> Jacob Nordfalk <http://profiles.google.com/jacob.nordfalk> >> javabog.dk >> Androidudvikler og -underviser på DTU >> <http://cv.ihk.dk/diplomuddannelser/itd/vf/MAU> og Lund&Bendsen >> <https://www.lundogbendsen.dk/undervisning/beskrivelse/LB1809/> >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> Apertium-stuff mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/apertium-stuff >> >> > > ------------------------------------------------------------------------------ > > _______________________________________________ > Apertium-stuff mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/apertium-stuff > >
------------------------------------------------------------------------------
_______________________________________________ Apertium-stuff mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/apertium-stuff
