I have tested the new version for a while. I have some comments (hopefully not too long...)
- Set Camera Usage State, nice addition. Just know we can lock the camera directly using dev admin. There are several one-trick pony apps out there which can do it. Adding up another reason to use Automagic. Small correction: in the help menu using English, the "Kamera usage" is not properly translated. I think it should be "Camera usage".
- Audio Volume on every change can be used to trigger something based upon the volume buttons. I know that smartkeyboard has the capability to consume the volume button event to make it become cursor right/left. Maybe this is the thing that has been requested before, but minus the volume up/down. I mean pressing vol up/down triggers something, but doesn't send the event media_volume_up/down to the system (thus doesn't change any volume). There should be a lock and release mechanism during a certain input time. (smartkeyboard only consumes the vol up/down button when the keyboard appears.) Don't know if it is possible to implement the same without using the input keyboard.
- Input Dialog - PIN, another nice addition.
- Web-URL intents. This will remove the web URL intent receiver; Automagic will be restarted. Useful for someone who doesn't use this feature at all.
- Undo/redo button, marvelous addition. It is just a little hidden in the 3 dot menu. I wish I could just long press at blank space and simply undo, because most of the accidental deletes happen just like that and we want it back immediately. I have tested it out for a longer time; it seems only to log undo/redo since the last flow opening. So I can only undo till the last time I started to open the flow. I tested up to 11 elements, all can still be undone. Is there a limit to the undo? I mean if it stacks all the undos, will it affect the performance when editing the flow after adding so many elements in a single session of flow opening?
- Finish HTTP response also works properly, the logic is much better now.
- I still like the previous icon, although I also don't hate the new one. But it will add up 10 more icons to use in my shortcuts. I wish I could have more.
- Variable bug passing has been fixed here.
- Input speech prefer offline works properly on Lollipop 5.1, latest Google app and Play services, and with the offline voice downloaded. Oh, can't wait to test this on my main phone.
I want to add something about the Trigger HTTP request. I actually have discussed it previously when requesting the HTTP post action (started from curl, became the built-in action to post a file). The problem is that the HTTP server is started on every interface. When I tested the Trigger HTTP request above, I realized the interface on mobile data is also listening for incoming connections. I have the same carrier on my phone and wifi modem. So even though both are private IPs of the carrier, I can ping from my modem to the phone. And I can trigger the command using the phone carrier's IP from my modem, even though my phone is using mobile data, not wifi. I have actually blocked the incorrect IP source by using an expression. But the port is still left open on the mobile data side, even though I am using wifi only (the possible attacker can trigger the flow, but can't pass through the main branch of the flow).
So I think we should have a way to limit the interface only to wifi, wifi hotspot, wifi direct, LAN or mobile data. If it is not possible to limit per interface, probably at least separate the mobile data part. In most phones, there are a lot of interfaces available. Here is the output when I use netcfg (I have censored out the MAC and IP):
p2p0 UP 0.0.0.0/0 0x00001003 be:20:10:00:00:00
sit0 DOWN 0.0.0.0/0 0x00000080 00:00:00:00:00:00
lo UP 127.0.0.1/8 0x00000049 00:00:00:00:00:00
wlan0 UP 192.168.1.xx/24 0x00001043 bc:20:10:00:00:00
dummy0 DOWN 0.0.0.0/0 0x00000082 aa:3c:52:00:00:00
rev_rmnet1 DOWN 0.0.0.0/0 0x00001002 4a:61:9f:00:00:00
rev_rmnet0 DOWN 0.0.0.0/0 0x00001002 06:e0:ed:00:00:00
rev_rmnet8 DOWN 0.0.0.0/0 0x00001002 a2:92:e0:00:00:00
rev_rmnet7 DOWN 0.0.0.0/0 0x00001002 ea:d9:32:00:00:00
rev_rmnet5 DOWN 0.0.0.0/0 0x00001002 56:b4:de:00:00:00
rev_rmnet6 DOWN 0.0.0.0/0 0x00001002 e2:ca:32:00:00:00
rev_rmnet4 DOWN 0.0.0.0/0 0x00001002 fa:08:f2:00:00:00
rev_rmnet2 DOWN 0.0.0.0/0 0x00001002 4a:c1:51:00:00:00
rev_rmnet3 DOWN 0.0.0.0/0 0x00001002 ea:c3:fb:00:00:00
r_rmnet_data4 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
r_rmnet_data3 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
r_rmnet_data1 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
r_rmnet_data2 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
r_rmnet_data0 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
r_rmnet_data8 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
r_rmnet_data7 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
r_rmnet_data5 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
r_rmnet_data6 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
rmnet0 UP 0.0.0.0/0 0x00000041 00:00:00:00:00:00
rmnet_data7 UP 10.100.xx.xx/27 0x00000041 00:00:00:00:00:00
rmnet_data5 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
rmnet_data6 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
rmnet_data4 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
rmnet_data2 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
rmnet_data3 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
rmnet_data1 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
rmnet_data0 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
The rmnet series are the mobile data part; don't know why there are a lot of them. The one I can ping/reach is rmnet_data7, which has the IP 10.100.x.x/27. This is the VoLTE interface, so even though mobile data is off, this interface is still on (thus the risk of leaving the HTTP request enabled). When mobile data is enabled, rmnet_data7 is still UP and another interface is up, r_rmnet_data0, which has the IP 100.x.x.x/30. From my modem, which has an IP of 100.x.x.x/30 too, I can trigger the HTTP request on the same interface. But 10.100.x.x/27 (the VoLTE interface) can only be triggered by my other phone which uses VoLTE too (since both have the same private IP range). I never realized this before, because one of the phones was not updated to VoLTE yet till the last test I made.
To minimize the exposure, we should have an option to disable the listening port on any other interface outside of the wifi/LAN kind. So the option only enables the HTTP server on p2p0 (wifi direct and bridge), lo (loopback is ok), wlan0 (wifi client and wifi hotspot) and eth0 (LAN, usually on TV boxes only). Put it checked by default, and when unchecked give a warning that the HTTP request will be enabled on all interfaces including mobile data/VoLTE.
I consider this one of the security exploits, even though the risk is still minimal if the flow is set up properly. But until it is enhanced to limit listening on all interfaces, I think there should be a warning to tell that the HTTP server will be started on all interfaces. The help menu should give a strict warning about setting up a proper expression to filter out the IP or using some keyword to authenticate the user.
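The interface allow-list and the "filter the IP or use a keyword" checks proposed in the post above, as an added example in Python that is not Automagic's code and not part of the original post. It assumes a netcfg-style listing in the format shown (the sample lines and addresses below are constructed placeholders, not the poster's real, censored ones), that the allowed interface families are chosen by name prefix (lo, wlan, p2p, eth), and a hypothetical X-Trigger-Token header as the keyword check:

```python
"""Added example: bind an HTTP trigger listener only to Wi-Fi/LAN/loopback
addresses and gate each request on source network plus a shared keyword.
Not Automagic code; everything here illustrates the proposal in the post."""
import http.client
import ipaddress
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Interface-name families to keep (assumption: matched by name prefix).
ALLOWED_PREFIXES = ("lo", "wlan", "p2p", "eth")

# Constructed sample in netcfg output format; addresses are placeholders.
# r_rmnet_data0 is shown UP here to model mobile data being switched on.
SAMPLE_NETCFG = """\
p2p0 UP 0.0.0.0/0 0x00001003 be:20:10:00:00:00
lo UP 127.0.0.1/8 0x00000049 00:00:00:00:00:00
wlan0 UP 192.168.1.23/24 0x00001043 bc:20:10:00:00:00
rmnet0 UP 0.0.0.0/0 0x00000041 00:00:00:00:00:00
rmnet_data7 UP 10.100.7.9/27 0x00000041 00:00:00:00:00:00
r_rmnet_data0 UP 100.64.3.2/30 0x00000041 00:00:00:00:00:00
rmnet_data1 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
"""

NETCFG_RE = re.compile(r"^(\S+)\s+(UP|DOWN)\s+(\S+)/(\d+)\s+")


def parse_netcfg(text):
    """Return [(name, is_up, address, prefix_len)] from netcfg-style lines."""
    entries = []
    for line in text.splitlines():
        m = NETCFG_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2) == "UP", m.group(3), int(m.group(4))))
    return entries


def select_bind_addresses(entries, allowed_prefixes=ALLOWED_PREFIXES):
    """Keep interfaces that are UP, carry a real address and belong to an
    allowed family; rmnet*/r_rmnet* (mobile data, VoLTE) fall out."""
    return [addr for name, is_up, addr, _ in entries
            if is_up and addr != "0.0.0.0" and name.startswith(allowed_prefixes)]


# Source networks permitted to fire the trigger and a shared keyword
# (both hypothetical values chosen for the demo).
ALLOWED_CLIENTS = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.0/24")]
TRIGGER_TOKEN = "replace-with-a-long-random-secret"


class TriggerHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        client = ipaddress.ip_address(self.client_address[0])
        if not any(client in net for net in ALLOWED_CLIENTS):
            self.send_error(403, "source address not allowed")
            return
        if self.headers.get("X-Trigger-Token") != TRIGGER_TOKEN:
            self.send_error(401, "missing or wrong trigger keyword")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"flow triggered\n")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_listeners(addrs, port=0):
    """One HTTPServer per selected address (port 0 = ephemeral) instead of 0.0.0.0."""
    servers = []
    for addr in addrs:
        srv = HTTPServer((addr, port), TriggerHandler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


def probe(addr, port, token=None):
    """Send one GET to a listener and return the HTTP status it answers with."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    headers = {"X-Trigger-Token": token} if token else {}
    conn.request("GET", "/trigger", headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    addrs = select_bind_addresses(parse_netcfg(SAMPLE_NETCFG))
    print("would bind to:", addrs)            # ['127.0.0.1', '192.168.1.23']
    srv = start_listeners(["127.0.0.1"])[0]   # only loopback exists on this host
    port = srv.server_address[1]
    print(probe("127.0.0.1", port, TRIGGER_TOKEN), probe("127.0.0.1", port))  # 200 401
    srv.shutdown()
```

Binding one socket per allowed address is what closes the port on rmnet_data7 and r_rmnet_data0; the source-network and keyword checks in the handler are the fallback the post describes for the case where the listener still ends up on every interface, and the two layers are independent, so a request that reaches the socket from the carrier side still fails closed.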