[FEATURE] FOSS build flavor for IzzyOnDroid #747

Open
TheRedCyclops opened this issue Feb 9, 2025 · 21 comments
Labels
enhancement New feature or request feature

Comments

@TheRedCyclops

TheRedCyclops commented Feb 9, 2025

Describe the feature

A build flavor without:

  • Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
  • Google Mobile Services (/com/google/android/gms): NonFreeComp
  • ML Kit (/com/google/mlkit): NonFreeComp,Tracking

As these libraries prevent this project from being included in the IzzyOnDroid F-Droid repo.

Why would it be useful to add?

To allow for updating via the IzzyOnDroid Repo and reduced user tracking

Example(s)

N/A

Additional context

No response

@TheRedCyclops TheRedCyclops added enhancement New feature or request feature labels Feb 9, 2025
@Mahmud0808
Owner

Firebase Data Transport - I don't remember using firebase anywhere.
Google Mobile Services, ML Kit - Unfortunately these are used in one of the major features of iconify.

@TheRedCyclops
Author

TheRedCyclops commented Feb 9, 2025

Google Mobile Services, ML Kit - Unfortunately these are used in one of the major features of iconify.

Which one?
also, relevant IzzyOnDroid issue: https://gitlab.com/IzzyOnDroid/repo/-/issues/710

@Mahmud0808
Owner

It's Depth Wallpaper (iOS like lockscreen wallpaper), anyway I will check if it's possible to create a separate build flavor. Thanks for the heads up.

@IzzySoft
Contributor

IzzySoft commented Feb 9, 2025

@Mahmud0808 GMS and Firebase Data Transport are being dragged in by ML Kit. So removing ML Kit should make them disappear as well. I don't know what you need ML Kit for, there might be FOSS alternatives for the functionality.

@Mahmud0808
Owner

@Mahmud0808 GMS and Firebase Data Transport are being dragged in by ML Kit. So removing ML Kit should make them disappear as well. I don't know what you need ML Kit for, there might be FOSS alternatives for the functionality.

I have added foss product flavor without MLKit. What else do I need to do? It has applicationId ".foss" suffix btw.

@IzzySoft
Contributor

It has applicationId ".foss" suffix btw.

Which means folks need to switch to the "new app" (different packageName, different app – no "direct update path"). If that's intended, we can switch to that at IzzyOnDroid with the next release which provides the corresponding APK (provided the size fits now; knowing how much ML Kit adds, my guess is it does).

@Mahmud0808
Owner

Mahmud0808 commented Feb 11, 2025

we can switch to that at IzzyOnDroid with the next release which provides the corresponding APK (provided the size fits now; knowing how much ML Kit adds, my guess is it does).

I don't think ML Kit adds too much size to the apk. I tried building an apk without mlkit and it's 1-2 mb reduced in size. The huge size bump is due to jniLibs

@IzzySoft
Contributor

Oh, OK – in another case where ML Kit was removed, the drop was around 10+ MB. Maybe they cleaned up something else along then, idk. Well, let's see; split APKs might help should it still be too big.

@DHD2280
Collaborator

DHD2280 commented Feb 11, 2025

Oh, OK – in another case where ML Kit was removed, the drop was around 10+ MB. Maybe they cleaned up something else along then, idk. Well, let's see; split APKs might help should it still be too big.

We use MLKit for Subject Segmentation.
The library has a small size, since it's something that will run on Google servers.
Look here

@IzzySoft
Contributor

The library has a small size, since it's something that will run on Google servers.

Yeah, that's why it also gets tagged NonFreeNet/Tracking and NonFreeDep (proprietary). It's not FOSS, and that combination is worrying – especially for a place dedicated to FOSS and privacy.

@Mahmud0808
Owner

@IzzySoft I published a new release with foss variant. Hopefully it's fine now.

@TheRedCyclops
Author

It's still slightly over the 30MB limit

@Mahmud0808
Owner

It's still slightly over the 30MB limit

I misread the max limit as 40mb. I don't think it's possible to make it any smaller.

@TheRedCyclops
Author

And trying to install it alongside the non-foss version fails, not sure if that's intended

@Mahmud0808
Owner

And trying to install it alongside the non-foss version fails, not sure if that's intended

That is intended, there are some components which will conflict if you try to install different flavors at the same time, even with package name changed.

@IzzySoft
Contributor

I published a new release with foss variant. Hopefully it's fine now.

Almost. Scanner still reports:

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Can be easily fixed with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Next:

! repo/com.drdisagree.iconify_23.apk declares sensitive permission(s):
  android.permission.QUERY_ALL_PACKAGES android.permission.ACCESS_FINE_LOCATION
  android.permission.ACCESS_COARSE_LOCATION android.permission.ACCESS_BACKGROUND_LOCATION

What are those needed for?

It's still slightly over the 30MB limit

Well, 400 kB with the arm64, we can close an eye on that as long as it doesn't grow much more. But those permissions must be clarified – and in that context, also INTERNET – because listing all installed apps plus having access to the location and internet, without being explained, smells too dangerous.

@Mahmud0808
Owner

Scanner still reports:

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Can be easily fixed with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

Added :)

! repo/com.drdisagree.iconify_23.apk declares sensitive permission(s):
  android.permission.QUERY_ALL_PACKAGES android.permission.ACCESS_FINE_LOCATION
  android.permission.ACCESS_COARSE_LOCATION android.permission.ACCESS_BACKGROUND_LOCATION

What are those needed for?

QUERY_ALL_PACKAGES permission has been removed.

INTERNET, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_BACKGROUND_LOCATION are required because Iconify has an option to show weather information on lockscreen. And Iconify handles getting weather data from internet in background using current location and shows it on lockscreen.

@DHD2280
Collaborator

DHD2280 commented Feb 24, 2025

But those permissions must be clarified – and in that context, also INTERNET – because listing all installed apps plus having access to the location and internet, without being explained, smells too dangerous.

As @Mahmud0808 explained, iconify has weather in lockscreen and weather as a lockscreen widget.

Location permission is directly explained to the user when he enables one of these, here string reference.
Clearly it is not possible to fetch weather data without internet permission.

---- EDIT ----
Also, we were planning to add Custom app to Lockscreen Widgets, but for this we need query all packages, so I guess this feature couldn't be included in foss build (?)

@IzzySoft
Contributor

Thanks! Location permissions added to the green list then. As for QUERY_ALL_PACKAGES: being removed of course "clarifies" as well, thanks. And yes, INTERNET is clear then. With everything properly explained, raised eyebrows go down again 😉 DEPENDENCY_INFO_BLOCK removed means all done then, thanks a lot! Shall we leave this open until the next release confirms?

@Mahmud0808
Owner

I will do a minor release soon and then close this issue. Hopefully everything goes well this time.

@IzzySoft
Contributor

Fingers crossed 🤞


4 participants