Howdy, is this a serious thing that I should act upon immediately? The apps are Cheogram and Simple File Manager Pro. I think I may have seen this once but it wasn’t an app I was using much so I just uninstalled it. I use these often though. I’m still looking and trying but I am not even sure how to go about verifying this kind of thing at the moment. I trust F-Droid, I just don’t know the severity of this kind of notification.
I tried to look up forums, on here and on their GitHub, but I didn’t see anything current as of today (6/1/23).
I’m still trying to finalize a threat model as it changes according to my increase in knowledge of what really goes on in the background and such.
Sorry if it’s something simple. I have learned a lot, but no one knows 100% of everything. Yet anyway, lol.
Thanks a bunch!
Regarding Cheogram, it seems like it’s a false positive. Have a look at this Reddit thread. As you can also see in the F-Droid metadata, there are no vulnerabilities listed.
Okay, so for Simple File Manager, F-Droid says that it is something related to the PDF viewer built into it. The link for that issue is given as this, which redirects to GitHub, which was resolved a long time ago and closed (someone reopened it after the F-Droid notification 2 days ago). Can someone explain more about it? Should we uninstall the app and wait for it to get fixed again? Or would using a separate PDF viewer be fine?
Here they mention that it should be fixed, but I don’t know if these are actual developers. F-Droid is still showing the warning for me. For safety I uninstalled it.
So the Cheogram thing seems to be fine. Like @reformed_sandpaper said, a false positive.
As for the Simple File Manager Pro, if I understand correctly, people seem to not care much for the PDF viewer built into the app. They can do with it being removed and sticking to a dedicated PDF viewer. Though it was shared that PDFium has some vulnerabilities and ~60 security issues, shown through shared links in the first comment here, there seem to be concerns about one of the developer’s responses to it.
It was said to be fixed but someone pointed out that they just changed PDFViewer to voghdev’s PDFViewPager which hasn’t been updated in over a year. Seems people are mostly in agreement of having the file manager be a file manager and to just use a dedicated PDF viewer.
This is just what I understand from what I have read and looked over.
If I’m missing something or got something wrong please do let me know.
Hope I typed this out well enough.
I uninstalled Simple File Manager for now. I was using the GitHub version rather than the F-Droid version. I was still using it for two or three days after that F-Droid warning came to light. Should I be worried about anything?
I feel like the main issue would be if you were using the inbuilt PDF viewer. I never used it myself but uninstalled it myself to see how things unravel from a safe point of view. It did seem like the developer didn’t want to remove the PDF viewer part of it, which seems to be mostly unwanted. Maybe he’ll listen to the users and get rid of it, which would remove the only reason there’s a security issue currently. I think you’ll be fine. I hope I am too.
For Simple File Manager Pro, the flag is now removed from F-Droid (without the dev providing any updates; the app was last updated in April). The dev said that it was a bug from F-Droid, that those libraries have not been in use in the app for a long time, and that it was a false alarm, and closed the issue on GitHub.