this post was submitted on 11 Apr 2024
28 points (91.2% liked)

F-Droid

8069 readers
32 users here now

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

founded 3 years ago
MODERATORS
 

I turned on my old HTC espresso after a decade and I remembered that I loved this app.

It creates an unique profile image for contacts without a profile picture

So now when you open the contact list instead of having a list of capital letters in a circle you have a list of capital letters in a more colorful circle

Unfortunately it's now outdated and discontinued, but it still works on Android 14.

Seems like some asshole took the source code and republished the app as is, without credit, in the Amazon app store to get some financial incentive (around 2014 blackberry paid devs to republish their apps and many assholes decided that it was a good idea to "steal" open source apps)

After this, dev took development private but then got tired of the update treadmill that Google forces on the play store, so the apps were automatically delisted.

Luckily, fdroid doesn't have such artificial limitations on outdated apps that still work as intended.

you are viewing a single comment's thread
view the rest of the comments
[–] Moonrise2473@feddit.it 8 points 6 months ago* (last edited 6 months ago) (2 children)

Even for a 100% offline app?

The chance of something like this being exploited is much lower than a zero day on the browser you're using right now

Not to mention that you can install it and then immediately uninstall it after it generated the profile pics

[–] taladar@sh.itjust.works 11 points 6 months ago (1 children)

It likely parses the profile pictures with some image parsing libraries, those have frequent security issues.

[–] Moonrise2473@feddit.it 2 points 6 months ago (1 children)

Apart that in this specific case it only touches empty contacts or overwrites existing, but who would have placed in your own contact list a specially crafted image with the exploit targeting this niche app that nobody uses?

I insist that something that's not a web browser and it's not connected to internet doesn't need weekly/monthly updates. The program it's done and it's ok to stop development.

[–] taladar@sh.itjust.works -2 points 6 months ago (1 children)

the exploit targeting this niche app that nobody uses?

Which likely uses one of the extremely common libraries for image parsing which are much more likely to be targeted. And profile pictures enter your contacts from all kinds of online sources.

[–] Moonrise2473@feddit.it 2 points 6 months ago (1 children)

btw you know what's the beauty of open source? That you can take the source and update the vulnerable library to a nightly updated 2 hours ago, if it's that important for you.

I guess you're watching every month that all your apps are updated to the latest version. "OMG this app hasn't been updated in the last 6 weeks, IMMEDIATE UNINSTALL!!!!"

For me, the chance that one of my contact pics contain an exploit (i would mean that i manually did it, i don't use online services) my is lower than getting hit by an asteroid, so i accept the risk.

[–] thegreekgeek@midwest.social 2 points 6 months ago

Goodness, someone got out of bed on the wrong side this morning. I remember when this app came out! I'm pretty sure some of my contacts still have the pictures.

[–] rollingflower@lemmy.kde.social 1 points 6 months ago

The app requests Network Permissions