..."APP_READ_DATABASE" detected

[starblade09]

Can you give me a full and honest breakdown of what your app does and what permissions are utilized, on the back end? Why am I finding such dangerous permissions on this? on an app I thought was said to be open source and privacy friendly?

Does this app operate on its own local database? Or what's going on here. *You are utilizing SQL of some sort: give me a full breakdown on what is being done here as well.

[github-actions]

Hello! 👋 Thanks for logging this issue. Please remember we are all volunteers here, so some patience may be required before we can get to the issue. Also remember that the fastest way to get resolution on an issue is to propose a change directly, https://github.com/ankidroid/Anki-Android/wiki/Contributing

[mikehardy]

Hi there!

You have the wrong app I think, or are mis-reading things. You're worried about privacy, so if you intend to understand my answers, you must be very precise.

I can only respond to my guess as to what you meant.

APP_READ_DATABASE is not an android permission: https://developer.android.com/reference/android/Manifest.permission

com.ichi2.anki.permission.READ_WRITE_DATABASE is (as should be obvious by the name) an AnkiDroid-specific permission. We define it ourselves.

Anki-Android/AnkiDroid/src/main/AndroidManifest.xml

Lines 38 to 42 in e0be1ff

	<permission android:name="com.ichi2.anki.permission.READ_WRITE_DATABASE"
	android:label="@string/read_write_permission_label"
	android:description="@string/read_write_permission_description"
	android:protectionLevel="dangerous"
	/>

That's the permission required by other apps in order to our low-level programming API to modify your flashcards database. That's a neat trick where other dictionary programs can export a word you just looked up directly to your flashcards so you can memorize it.

And you better believe we use SQL in order to maintain our flashcards database, because losing data is bad, right? And fast operation on potentially hundreds of thousands of flashcards is good, right? So we trust sqlite (a SQL implementation) to hold our data.

The only privacy things that are worth knowing about AnkiDroid are that:

1. we require WRITE_EXTERNAL_STORAGE which is write access to all of your external storage. We certainly don't abuse it (but audit the code yourself) and will transition to "scoped storage" as soon as we can Enhancement: AnkiDroid should not use Storage permission (Deadline November 2021) #5304 but we're volunteers so it'll happen when it happens. We have to put the database somewhere though, and it can be massive so it needs to be external. The app's existed more than 10 years before there even was a permission, so it is just a 10 year old legacy decision and here we are.
2. we may request camera or audio permissions if (surprise) you ask to include a photo or audio in a flashcard you are creating. Fairly necessary for that. But optional, deny them if you like.

Now I want to be clear on one thing though: your tone is unfriendly. "said to be"? seriously? Do you approach all volunteer projects, asking for detailed answers, with language like that? And assumptions about danger? I must admit I almost didn't take the time to answer you.

But, I did. Hope the information is sufficient for your flashcard needs.

[starblade09]

Hi there!

You have the wrong app I think, or are mis-reading things. You're worried about privacy, so if you intend to understand my answers, you must be very precise.

I can only respond to my guess as to what you meant.

APP_READ_DATABASE is not an android permission: https://developer.android.com/reference/android/Manifest.permission

com.ichi2.anki.permission.READ_WRITE_DATABASE is (as should be obvious by the name) an AnkiDroid-specific permission. We define it ourselves.

Anki-Android/AnkiDroid/src/main/AndroidManifest.xml

Lines 38 to 42 in e0be1ff

	<permission android:name="com.ichi2.anki.permission.READ_WRITE_DATABASE"
	android:label="@string/read_write_permission_label"
	android:description="@string/read_write_permission_description"
	android:protectionLevel="dangerous"
	/>

That's the permission required by other apps in order to our low-level programming API to modify your flashcards database. That's a neat trick where other dictionary programs can export a word you just looked up directly to your flashcards so you can memorize it.

And you better believe we use SQL in order to maintain our flashcards database, because losing data is bad, right? And fast operation on potentially hundreds of thousands of flashcards is good, right? So we trust sqlite (a SQL implementation) to hold our data.

The only privacy things that are worth knowing about AnkiDroid are that:

1. we require WRITE_EXTERNAL_STORAGE which is write access to all of your external storage. We certainly don't abuse it (but audit the code yourself) and will transition to "scoped storage" as soon as we can Enhancement: AnkiDroid should not use Storage permission (Deadline November 2021) #5304 but we're volunteers so it'll happen when it happens. We have to put the database somewhere though, and it can be massive so it needs to be external. The app's existed more than 10 years before there even was a permission, so it is just a 10 year old legacy decision and here we are.
2. we may request camera or audio permissions if (surprise) you ask to include a photo or audio in a flashcard you are creating. Fairly necessary for that. But optional, deny them if you like.

Now I want to be clear on one thing though: your tone is unfriendly. "said to be"? seriously? Do you approach all volunteer projects, asking for detailed answers, with language like that? And assumptions about danger? I must admit I almost didn't take the time to answer you.

But, I did. Hope the information is sufficient for your flashcard needs.

Hey. Yes , I was in such a rush when I made this post response. I do apologize as coming off to be rude. I am seriously just concerned about my privacy , though at this point. I would greatly appreciate one last answer.

It does indeed. From my memory of deeper analysis on your app, I did discover that there were some questionable permissions , in my opinion. And no disrespect at all. I am, again, concerned about my privacy. From my understanding ,everything works on a local level, and now I'm just generally confused.

READ_WRITE_DATABASE was what I did spot, yes. You solved the exact problem I was specifying. The problem is, the rest of the permissions and their capabilities.

Although that permission is put to rest, what about ACCESS_MEDIA_LOCATION ? Does this not expose geolocation silently? Just a hypothesis. I'd like to be knowledgeable about these permissions so that I am aware of what's going on.

[david-allison]

Although that permission is put to rest, what about ACCESS_MEDIA_LOCATION ? Does this not expose geolocation silently? Just a hypothesis. I'd like to be knowledgeable about these permissions so that I am aware of what's going on.

Where do you see this permission being requested? It's not in our manifest and it's neither on Google Play, nor FDroid.

Anki-Android/AnkiDroid/src/main/AndroidManifest.xml

Lines 26 to 42 in 983ed02

	<uses-feature android:name="android.hardware.camera" android:required="false" />
	<uses-feature android:name="android.hardware.camera.any" android:required="false" />
	<uses-feature android:name="android.hardware.audio.output" android:required="false" />
	<uses-feature android:name="android.software.app_widgets" android:required="false" />
	<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
	<uses-permission android:name="android.permission.VIBRATE" />
	<uses-permission android:name="android.permission.INTERNET" />
	<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
	<uses-permission android:name="android.permission.RECORD_AUDIO" />
	<uses-permission android:name="android.permission.WAKE_LOCK" tools:node="replace"/>
	<uses-permission android:name="android.permission.CAMERA" />
	<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
	<permission android:name="com.ichi2.anki.permission.READ_WRITE_DATABASE"
	android:label="@string/read_write_permission_label"
	android:description="@string/read_write_permission_description"
	android:protectionLevel="dangerous"
	/>