That's totally fair. As the author I can attest that it's not doing anything sketchy, and as has been mentioned elsewhere in the thread you can view the unbundled source to confirm that. But no pressure to use it from me!
I definitely did not make any efforts to minify/obfuscate anything and as you can see from other comments the source is quite readily available from unpacking. You can see for yourself it's not doing anything sketchy other than retrieving your albums and photos and storing them locally.
If you have an android phone you likely do as it backs them up at full res (if camera is 16m or below) for free. Even installed on my iOS devices - as since it is free, then why not.
And google has phenomenal downsizing capabilities for the free unlimited storage. I backup my DSLR photos on Google Photos and I can print 5x8" without any noticeable loss in quality. Here are some examples a user posted to Reddit 2 years ago.
Nice concept, but I take a lot of photos so a high chance they could be one of the 'duff' ones or photos I don't really want to share with my office or whoever is using my machine if I only use this at home. Can you filter by folder or some other way of highlighting those you want to share?
I'm no expert on Google OAuth, so this could be wrong, but my understanding is that this is totally fine.
The client secret is, despite its name, not necessarily intended to be secret. Client ID / secret pairs can be locked down to only work with specific referer headers or Application IDs. Also, they are only useful for purposes of quota and don't provide authentication. A malicious entity could make calls against the quota of this app (which is true for any app), but they couldn't easily distribute the key or use it for other purposes very well.
Yeah I debated this quite a lot and came to the conclusion that it was ok to include. I put a comment in the source where I describe my understanding of the threat model (though not sure if it makes it to the bundled extension?) Here it is for reference:
// I know this shouldn't be here but I've concluded based on a fair amount of
// research that it is *impossible* to make a chrome extension that:
// 1. Allows you to use accounts besides the default browser account
// 2. Doesn't prompt for token/account renewal every hour
// 3. Doesn't have any server-side code.
// without including it here.
// I figured I could obfuscate it, but no matter what it's going to be readily available
// in the network tab anyways so I decided not to bother.
// Here is some information about the threat model this exposes:
// https://tools.ietf.org/html/rfc6819#section-4.1.1
// In summary, the most dangerous thing is that people can use the renewal token
// to get more access tokens to access your photos, if you've already approved this
// and they get access to those things.
// You can always revoke access via google at any time.
If it seemed worth it I could set up a server side proxy to keep the secret a secret at which point I could revoke the existing secret (which would break everyone's installed apps but whatever). However it didn't seem necessary based on my read and definitely not until I had validated that anyone wanted to use it.
Which can only be accessed by an installed Chrome Extension with that ID. So no one should be able to authorize anything besides this app using that information.
This is a bit confusing. My new tabs are for opening new web pages. And I occasionally click on one of the recently opened page icons. Will those be gone?
This is just intended to replace the splash screen of when you open a new tab. Instead of the icons and links, you get a nice photo before you type in the URL.
22 comments
[ 3.9 ms ] story [ 73.0 ms ] threadhttps://www.reddit.com/r/Android/comments/37pfn5/ive_made_an...
This may be helpful: https://developers.google.com/identity/protocols/OAuth2UserA...
The client secret is, despite its name, not necessarily intended to be secret. Client ID / secret pairs can be locked down to only work with specific referer headers or Application IDs. Also, they are only useful for purposes of quota and don't provide authentication. A malicious entity could make calls against the quota of this app (which is true for any app), but they couldn't easily distribute the key or use it for other purposes very well.
> Doesn't this let anyone else make API calls as your app?
The only thing that client id / secret is authorized to do is redirect to the following URL: https://fpljkobkodmnmldgodfefnmjgjlljbjn.chromiumapp.org/oau...
Which can only be accessed by an installed Chrome Extension with that ID. So no one should be able to authorize anything besides this app using that information.
More information about what it does expose is here: https://tools.ietf.org/html/rfc6819#section-4.1.1
This is a bit confusing. My new tabs are for opening new web pages. And I occasionally click on one of the recently opened page icons. Will those be gone?