Kayos
567423336c
Three round-2 Opus audits ran on the vc=35+vc=36 surface. CVE
returned no new CRITs (round-1 fixes hold) but found 5 new HIGH.
Code-health found 2 CRIT — both my own vc=35 regressions. Function-
correctness found 5 BROKEN that the round-1 sweep missed.
CRIT (from code-health round 2)
R1 Subs feed avatar-backfill self-cancel loop.
Subscriptions.updateAvatar emits a new _subs reference;
SubsPane's LaunchedEffect(subs) reacts → refreshIfStale →
refresh() → inFlight.cancel(). With N channels needing
backfill the parallel-12 batch degenerated into N sequential
single-channel fetches that kept aborting each other. Gated
refreshIfStale on inFlight.isActive != true.
R2 HistoryStore.recordAllWatches O(N²) input.
The vc=35 bulk-import path collapsed N SP writes into 1
(good) but used ArrayList.add(0, item) inside a loop walking
up to 50k input rows before take(50). ~1.25B shifts worst
case. Rewritten: walk newest-first, filter blanks + seen
IDs, stop at MAX_WATCHES. O(N) bounded by output cap.
HIGH (from CVE round 2)
CVE-1 PlayerScreen + VideoDetailScreen rendered raw
error.message into the UI — Media3 HttpDataSource
exceptions include the full request URI with sig=/pot=.
User screenshots a playback error to a chat → full
session credentials in the picture. Both surfaces now
scrub via LogDump.scrubLine before rendering.
CVE-2 SubscriptionsStore.addAll counter race —
updateAndGet's lambda re-runs on CAS retry; var-outside-
lambda increment double-counted. Now derives `added`
from next.size - cur.size delta.
CVE-3 sweepStale ran deleteRecursively() on cacheDir (up to
~256MB) on the main thread inside Application.onCreate.
Moved to appScope.launch(Dispatchers.IO).
CVE-MED-2 Expanded LogDump.SIGNED_PARAM_RE alternation to
include n / lsig / ei / key / sparams.
CVE-MED-3 PlayerScreen + VideoDetailScreen error handlers now
also NowPlaying.clear() so the minibar doesn't keep
claiming a dead session is loaded.
CVE-MED-4 SettingsImport validates imported subscription /
playlist / history URLs against IMPORT_ALLOWED_HOSTS
at import time. Hostile NewPipe export can no
longer smuggle attacker-controlled URLs.
HIGH (from code-health round 2)
R3 Store constructors hit SP + JSON-decode on main thread at
Application.onCreate. Small stores (Settings, History,
Subscriptions, Playlists) stay eager — sub-millisecond
cost. Heavy stores (FeedCache ~225 KB, SearchCache ~150
KB) now lazy-init: their `init()` just stashes
applicationContext; the actual Store + disk decode is
built on first `get()`, which happens from VM IO-dispatched
coroutines.
R4 SearchViewModel.pool race with init coroutine. Switched
pool to a plain @Volatile var (no observers anyway — LOW-
R14) and exposed rebuildPool() so the cache-toggle handler
and a future explicit hook can refresh it.
R5 SubsPane first-paint empty flash. Seeded
SubscriptionFeedUiState(loading = true) in the VM's
initial state — the init coroutine always runs.
R6 Dropped dead uploaderAvatar field on StreamItem. Written
three places, read zero. Saved bytes in every cache entry.
R7 Split mergeFromCache into pruneCacheToSubs + mergeFromCache
(no side effect in the reader). Callers do prune then
merge.
R8 Settings cache-disable wipe now runs on Dispatchers.IO
(3 SP-edit calls were on the UI thread).
HIGH (from function-correctness round 2)
B1 refresh() empty-channels also wipes disk cache (was
in-memory only — disk orphans accumulated).
B2 Settings cache OFF→ON now triggers feedVm.refresh() +
searchVm.rebuildPool() so the user doesn't have to
navigate away and back to repopulate.
B3 SearchViewModel.submit() cache lookup was still doing
SearchCache.get().load() on main (CRIT-C1 was only
partial). Now uses entries.value (StateFlow snapshot).
B5 SearchCacheStore.record now atomic via MutableStateFlow
+ updateAndGet (was load()→write() with no atomicity, so
concurrent records lost entries).
Q9 History.recordWatch wrapped in withContext(Dispatchers.IO).
Q11 Minibar onPlayerError also stops the controller + clears
media items (was leaking dead controller state).
MED
R10 Added comments at the 4 pre-flight NowPlaying checks
noting they're optimizations, claim() is the safety guard.
Prevents a future refactor recreating the round-1 race
after deleting "the guard."
R11 Minibar Toast continues but now layered with the
controller.stop() + clearMediaItems().
CVE-MED-1 NowPlaying.claim updates metadata fields when the
same URL is re-claimed (was returning false unconditionally,
pinning truncated search titles over fresh-from-detail titles).
Q3 onQueryChange clears state.error so a failed-submit's
banner doesn't haunt the next reactive preview.
Deferred to vc=38 (intentional cost/benefit):
CVE HIGH-2 (Rust strawcore::search query= info-log) — needs
a separate strawcore-core edit + rebuild. Logged as a
follow-up.
CVE HIGH-3 (DownloadManager setVisibleInDownloadsUi
deprecated on API 29+) — only the direct-streaming
download replacement is a full fix; that's a multi-day
refactor.
Q5/Q8 (SettingsImport hostile zip silent abort UX) —
cosmetic dialog-title fix.
Q12 (loadedUrl assignment ordering) — pre-existing,
deferred again.
|
||
|---|---|---|
| .github | ||
| .idea | ||
| app | ||
| assets | ||
| buildSrc | ||
| checkstyle | ||
| desktopApp | ||
| doc | ||
| docs/sulkta | ||
| fastlane/metadata/android | ||
| gradle | ||
| iosApp | ||
| rust | ||
| shared | ||
| strawApp | ||
| .editorconfig | ||
| .gitignore | ||
| build.gradle.kts | ||
| gradle.properties | ||
| gradlew | ||
| gradlew.bat | ||
| LICENSE | ||
| README.md | ||
| settings.gradle.kts | ||
We are rewriting large chunks of the codebase, to bring about a modern and stable NewPipe! You can download nightly builds here.
Please work on the refactor branch if you want to contribute new features. The current codebase is in maintenance mode and will only receive bugfixes.
NewPipe
A libre lightweight streaming front-end for Android.
Screenshots • Supported Services • Description • Features • Installation and updates • Contribution • Donate • License
Read this document in other languages: Deutsch, English, Español, Français, हिन्दी, Italiano, 한국어, Português Brasil, Polski, ਪੰਜਾਬੀ , 日本語, Română, Soomaali, Türkçe, 正體中文, অসমীয়া, Српски, العربية
Warning
THIS APP IS IN BETA, SO YOU MAY ENCOUNTER BUGS. IF YOU DO, OPEN AN ISSUE IN OUR GITHUB REPOSITORY BY FILLING OUT THE ISSUE TEMPLATE.
PUTTING NEWPIPE, OR ANY FORK OF IT, INTO THE GOOGLE PLAY STORE VIOLATES THEIR TERMS AND CONDITIONS.
Screenshots
Supported Services
NewPipe currently supports these services:
- YouTube (website) and YouTube Music (website) (wiki)
- PeerTube (website) and all its instances (open the website to know what that means!) (wiki)
- Bandcamp (website) (wiki)
- SoundCloud (website) (wiki)
- media.ccc.de (website) (wiki)
As you can see, NewPipe supports multiple video and audio services. Though it started off with YouTube, other people have added more services over the years, making NewPipe more and more versatile!
Partially due to circumstance, and partially due to its popularity, YouTube is the best supported out of these services. If you use or are familiar with any of these other services, please help us improve support for them! We're looking for maintainers for SoundCloud and PeerTube.
If you intend to add a new service, please get in touch with us first! Our docs provide more information on how a new service can be added to the app and to the NewPipe Extractor.
Description
NewPipe works by fetching the required data from the official API (e.g. PeerTube) of the service you're using. If the official API is restricted (e.g. YouTube) for our purposes, or is proprietary, the app parses the website or uses an internal API instead. This means that you don't need an account on any service to use NewPipe.
Also, since they are free and open source software, neither the app nor the Extractor use any proprietary libraries or frameworks, such as Google Play Services. This means you can use NewPipe on devices or custom ROMs that do not have Google apps installed.
Features
- Watch videos at resolutions up to 4K
- Listen to audio in the background, only loading the audio stream to save data
- Popup mode (floating player, aka Picture-in-Picture)
- Watch live streams
- Show/hide subtitles/closed captions
- Search videos and audios (on YouTube, you can specify the content language as well)
- Enqueue videos (and optionally save them as local playlists)
- Show/hide general information about videos (such as description and tags)
- Show/hide next/related videos
- Show/hide comments
- Search videos, audios, channels, playlists and albums
- Browse videos and audios within a channel
- Subscribe to channels (yes, without logging into any account!)
- Get notifications about new videos from channels you're subscribed to
- Create and edit channel groups (for easier browsing and management)
- Browse video feeds generated from your channel groups
- View and search your watch history
- Search and watch playlists (these are remote playlists, which means they're fetched from the service you're browsing)
- Create and edit local playlists (these are created and saved within the app, and have nothing to do with any service)
- Download videos/audios/subtitles (closed captions)
- Open in Kodi
- Watch/Block age-restricted material
Installation and updates
You can install NewPipe using one of the following methods:
- Add our custom repo to F-Droid and install it from there. The instructions are here: https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo/
- Download the APK from GitHub Releases, compare the signing key and install it.
- Update via F-Droid. This is the slowest method of getting updates, as F-Droid must recognize changes, build the APK itself, sign it, and then push the update to users.
- Build a debug APK yourself. This is the fastest way to get new features on your device, but is much more complicated, so we recommend using one of the other methods.
- If you're interested in a specific feature or bugfix provided in a Pull Request in this repo, you can also download its APK from within the PR. Read the PR description for instructions. The great thing about PR-specific APKs is that they're installed side-by-side the official app, so you don't have to worry about losing your data or messing anything up.
We recommend method 1 for most users. APKs installed using method 1 or 2 are compatible with each other (meaning that if you installed NewPipe using either method 1 or 2, you can also update NewPipe using the other), but not with those installed using method 3. This is due to the same signing key (ours) being used for 1 and 2, but a different signing key (F-Droid's) being used for 3. Building a debug APK using method 4 excludes a key entirely. Signing keys help ensure that a user isn't tricked into installing a malicious update to an app. When using method 5, each APK is signed with a different random key supplied by GitHub Actions, so you cannot even update it. You will have to backup and restore the app data each time you wish to use a new APK.
In the meanwhile, if you want to switch sources for some reason (e.g. NewPipe's core functionality breaks and F-Droid doesn't have the latest update yet), we recommend following this procedure:
- Back up your data via Settings > Backup and Restore > Export Database so you keep your history, subscriptions, and playlists
- Uninstall NewPipe
- Download the APK from the new source and install it
- Import the data from step 1 via Settings > Backup and Restore > Import Database
Note
When you're importing a database into the official app, always make sure that it is the one you exported from the official app. If you import a database exported from an APK other than the official app, it may break things. Such an action is unsupported, and you should only do so when you're absolutely certain you know what you're doing.
APK Info
This is the SHA fingerprint of NewPipe's signing key to verify downloaded APKs which are signed by us. The fingerprint is also available on NewPipe's website. This is relevant for method 2.
CB:84:06:9B:D6:81:16:BA:FA:E5:EE:4E:E5:B0:8A:56:7A:A6:D8:98:40:4E:7C:B1:2F:9E:75:6D:F5:CF:5C:AB
Contribution
Whether you have ideas, translations, design changes, code cleaning, or even major code changes, help is always welcome. The app gets better and better with each contribution, no matter how big or small! If you'd like to get involved, check our contribution notes.
Donate
If you like NewPipe, you're welcome to send a donation. We prefer Liberapay, as it is both open-source and non-profit. For further info on donating to NewPipe, please visit our website.
 |
 |
 |
Privacy Policy
The NewPipe project aims to provide a private, anonymous experience for using web-based media services. Therefore, the app does not collect any data without your consent. NewPipe's privacy policy explains in detail what data is sent and stored when you send a crash report, or leave a comment in our blog. You can find the document here.
License
NewPipe is Free Software: You can use, study, share, and improve it at will. Specifically you can redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.