DashClock and the problem with the worldReadable flag

As of DashClock version 1.5 a new optional “worldReadable” flag was introduced to the DashClock API. Here is the Manifest declaration:

 <meta-data android:name="worldReadable" android:value="true" />

This flag indicates whether only the official DashClock app (signed by Roman Nurik) or all apps can access an extension. Basically this is a good idea, because if your extension has some sensitive data not every app should be allowed to access this data.

Unfortunately this also brings some problems. When I first updated my app DashClock custom extension to use the newest DashClock API I hadn’t set this flag, because I simply didn’t knew that it exists. For this reason the flag automatically had a value of “false” and this brought some trouble.

After the update I got a lot of negative reviews from people who are using custom roms, that the extension isn’t visible for them. It took me a lot of time to figure out that the problem had to do with the worldReadable flag. For whatever reason some custom roms (e.g. Slimbean or Carbon rom) include their own version of DashClock as a system app in the rom. As this isn’t the official DashClock app and I hadn’t set the worldReadable flag the extension (as intended) didn’t show up for those people!

For my app the solution is really easy. As custom extension doesn’t show any sensible data, I just set the worldReadable flag to true and everything works as expected now. Nevertheless if there is an extension which really shows sensitive data, this is a problem! On the one hand, If it doesn’t set the worldReadable flag it disappoints lots of customers but on the other hand, if the flag is set to true, this is a potential security risk!

Summing up, the worldReadable flag is basically a good idea but in it’s current form it’s more a big problem! As it’s default value is false and only very few developers know of this flag when they are creating their first extension, this produces lots of trouble and annoyance because the extension doesn’t work for apparently no reason. We can only hope that the flag gets either replaced or that custom roms are shipping the official DashClock app in the future.