feat: Add REST API and Web UI for remote time tracking #373
Conversation
|
Looks really cool! |
|
Yes @AnonMiraj, this can definitely work in the F-Droid build! The web UI doesn't actually depend on Google services; it uses NanoHTTPD (standalone library) and local networking only. The note about Google Play Services dependency might be misleading. To enable F-Droid support:
Result:
I'm happy to refactor this PR to support both flavors if desired, or we can merge as-is (play-only) and handle it later. |
| <manifest xmlns:android="http://schemas.android.com/apk/res/android" | ||
| xmlns:tools="http://schemas.android.com/tools"> | ||
|
|
||
| <uses-permission android:name="android.permission.INTERNET" /> |
There was a problem hiding this comment.
Thank you very much for this PR, looks very cool!
Unfortunately the only guarantee of data privacy is not having an internet permission. Is it possible to implement this feature without adding it?
There was a problem hiding this comment.
Hi @Razeeman,
I don't want to reply in place of @av1m, but I don't think this kind of feature is realistically doable without this permission. I'm no Android dev, but the documentation states that this permission is required to open a network socket, so any LAN communication would require this permission (unless using bluetooth or some other exotic communication channel I guess).
However, as this PR currently is, this feature would only be available in the play flavor of the app which nicely solves this "data privacy guarantee" conundrum. In my opinion, in the same way Wear OS support was handled & merged, this feature could be play flavor only. "Privacy wary" people could use or keep using the F-Droid version (which they probably already use), without this feature nor the internet permission in the manifest.
As far as I'm concerned, I understand how not asking for this permission is a quick and easy way to "guarantee" no data leakage over the internet. However, there are other ways to guarantee this (reviewing the source code, sandboxing the app, using something akin to https://reports.exodus-privacy.eu.org, etc.) and other way the data could be poorly handled / leaked. In my opinion, my data in this app is far from critical anyway, so I'm not asking for the highest level of security guarantees anyway. The usefulness of a very convenient feature like this one outweighs the potential privacy concerns. I also understand that as a maintainer and being the creator of the app, you may disagree :)
Cheers,
Florian
There was a problem hiding this comment.
There is one workaround, although not looked into it much, but could be possible. Is to have a separate app, like a plugin, that would be installed separately and would have internet permission, it work with time tracker app and pass data to it. If I'm not mistaken, if both apps signed with the same signing key, they are basically the same app, and can share data without permissions. So it would work like this: time tracker pass data to plugin app, plugin app calls web api. Hope this makes sense.
The downside is that it probably wouldn't be possible to publish this plugin app on google play (I saw apps like this removed). It could be possible to publish it on f-droid and it will be available as an apk on github.
|
I'm really looking forward to this feature. |
5 participants
📱 What does this PR do?
Adds a local REST API server and web interface that allows users to track time from their computer browser while keeping data synced with the Android app in real-time.
This addresses the sync and web UI feature request from issue #103.
🎥 A screen recording that show the feature
✨ Features Added
REST API Server
WearCommunicationAPI) - zero duplicate codeWeb Interface
🔧 Technical Implementation
API Endpoints
Files Added/Modified
New files:
app/src/play/java/.../api/WebApiAdapter.kt- REST API implementationapp/src/play/java/.../api/WebApiModule.kt- Dependency injectionweb/index.html- Sample of WebApp (we just use API)Modified files:
app/src/main/java/.../TimeTrackerApp.kt- Start API server on app launchapp/src/main/AndroidManifest.xml- Add INTERNET permission🎯 Why This Approach?
WearCommunicationAPI- no duplicate business logicplayflavor, doesn't affectbase(F-Droid) build📝 Usage
web/index.htmlin browser on computerhttp://[phone-ip]:8080and click "Connect"🔒 Security Considerations
🐛 Known Limitations
playflavor (depends on Google Play Services components)