It must be run from the terminal as root. It configures Sailfish OS’s firewall, so app blocks survive reboots & start working straight away.
The script will give you a list of all installed Android apps, from which you can choose to block any you want. You can also unblock any previously blocked apps, save the changes you’ve made, or cancel without making the changes.
I haven’t done much testing yet, but it seems to work fine on my Sony Xperia 10 III (**). Please let me know if you find any bugs!
(** = which I only use for testing - I’m waiting for my new Jolla Phone before I switch to using Sailfish OS as my main phone.)
In the history, zip files have been used quite a few times to carry malware. It’s quite understandable that they are a red flag to many of us. Downloading random packages from the Internet, extracting them and then running the scripts found inside as root is not a behavior pattern we should teach to new Sailfish OS users.
Wow, 3 people complaining about a zip file instead of just reading the script (just for your info, you can’t upload that many file formats to this forum, but for whatever reason you can attach targz (? wtf why not tar.gz or tgz ?))
So thank you chris for your effort, and no, it’s not some kind of malicious binary which sets your dog on fire, it’s just a sh script (which you can read) inside a zip file.
You can unzip the script & read it. It’s quite short. If it was a compiled executable instead of a script, would you still say it should be available without zip?? Zips cannot hide anything malicious anyway, they don’t have a secret folder or something!
How does being zipped or unzipping it somehow make it malicious? Zips are a standard format, and cannot auto-execute stuff, unlike Rars, so it’s 100% safe to unzip.
As for running as root, there are lots of downloads for SailfishOS that require root, and some of them are not scripts, so you can’t even be sure what you’re executing. I would be worrying about compiled executables that have to run as root, not a little script.
And if it was also available without being zipped, then you can’t be sure it’s the same files as the zipped version…
Who said anything about teaching new users anything? This requires root, and running from the terminal, so just executing it correctly requires jumping through quite a few hoops, which would be very difficult for new users, unless they were experienced Linux users…
And I have a feeling that if I hadn’t labelled the download as “.zip” people might not even have thought to complain.
Maybe next time I shan’t try being helpful, and instead just keep my useful scripts to myself
ls -1 /home/.appsupport/instance/defaultuser/data/data
...
ls -ld "$AppPath" | awk '{ print $3 }'
Is this a reliable way to not only find out which apps are installed but also which Android processes access the internet? Meaning, do these always follow the “one User ID per app” policy? Could they not access the internet via some additional UserIDs?
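A check relevant to the question above, as an added example that is not part of the thread or of the script it discusses: it maps each app data directory to its owning UID with `stat` instead of parsed `ls` output, and lists UIDs that own more than one directory. The function names are hypothetical; the default path is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not the script discussed in the thread.
# Android lets packages signed with the same key share one UID (sharedUserId),
# so a firewall rule keyed on a UID can cover more than one package.

# Path quoted in the thread; pass another directory as the first argument.
DATA_DIR_DEFAULT="/home/.appsupport/instance/defaultuser/data/data"

# list_app_owners DIR -> prints "<uid> <owner-name> <package>" per subdirectory.
list_app_owners() {
    dir="${1:-$DATA_DIR_DEFAULT}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for app_path in "$dir"/*/; do
        # An unmatched glob stays literal; skip it.
        [ -d "$app_path" ] || continue
        app_path="${app_path%/}"
        # stat prints the owner fields directly, no column parsing of ls output.
        ids=$(stat -c '%u %U' "$app_path") || continue
        printf '%s %s\n' "$ids" "${app_path##*/}"
    done
}

# shared_owners DIR -> prints "<uid> <count>" for each UID owning 2+ directories.
shared_owners() {
    list_app_owners "$1" | awk '
        { count[$1]++ }
        END { for (u in count) if (count[u] > 1) print u, count[u] }' | sort -n
}

# Print both reports only when called with --report [DIR].
if [ "${1:-}" = "--report" ]; then
    list_app_owners "${2:-}"
    echo "--- UIDs owning more than one app directory ---"
    shared_owners "${2:-}"
fi
```

Directory ownership shows which UID an app's files belong to; it does not by itself show which UIDs open network sockets.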
I made a gui app for this (I’ll release it soon) but I haven’t thoroughly tested it either. It looks like apps can’t access the internet if their user ID is blocked but is that guaranteed? As you said, @ohnonot, can we be sure that an Android app’s connections always go via its dedicated user ID?
Please test it and tell me if it works. I only tested it on my Xperia 10 III with Sailfish 4.6, so there might be issues with other devices or more recent Sailfish versions.
A proper app sounds great, although I haven’t used OpenRepos before, so I don’t know when I’ll get around to trying it… Just a few thoughts from briefly looking at the source code:
I don’t have “/home/.android/data/data/” on my phone, just “/home/.appsupport/instance/defaultuser/data/data/”. On what device/version does the former folder appear? And can both folders appear on the same device? (So I can update my script.)
You don’t seem to filter the apps from that folder, so I assume your app displays all the built-in Jolla ‘helper’ apps that are part of SfOS, which the user doesn’t normally see or need to know about??
I see you just restart ConnMan (which is a bit slow), rather than directly update iptables. I suppose that’s the safest way, and arguably you don’t need to do anything else, but hopefully later you might implement the much faster method I use…
The source code has many more files than I’d naively expect, which makes it hard to check the safety of it!
Also, why does the installer’s name begin with “harbour”? Do you plan to submit the app to Jolla’s official app store? (Harbour?) (Do they usually allow apps that need root access?)
Do you plan to submit the app to Chum? (I read they compile the apps themselves(?), and so it’s presumably a little more trustworthy source for apps?)
It does not.
It only shows the user installed Android apps including proper names and icons.
I can’t speak for the developer but many apps traditionally do that (mine included) even if we don’t ever intend to publish to Jolla Store.
It’s more of a tradition than a requirement I think.
It asks for admin credentials before making changes, maybe that makes a difference.
There are built packages and screenshots in the repo
My Xperia 10 III with Sailfish 4.6 has the former path, my C2 with latest Sailfish 5.x uses the latter. My app supports both.
I do actually: MainPage.qml. I used the list from your script. It uses Jolla’s own ApplicationSettingsModel which is not ideal but it was the quickest way to get the results I needed. Implementing a custom model may make sense in a future version.
Yes, I don’t like parsing CLI output. I just pushed version 0.2.0 where I implemented a new method that works faster and doesn’t require parsing iptables: connman doesn’t support live reloading changed config files (Firewall | Sailfish OS Documentation) but it does support adding and removing config files without a service restart. So now the app simply switches between two config files (60-... and 61-...), then calls systemctl reload connman. This is fast and reliable (edit for future reference: maybe not so reliable as others have pointed out).
Because of: FAQ. This app won’t fly in harbour but it makes maintenance easier if all my apps follow the same structure.
Would be nice but I didn’t manage to set it up yet. From a developer perspective I also see little use in it because it is yet another place where I’d have to manually release stuff. Automatic publishing from Git to chum to Harbour and OpenRepos would be ideal…