JLindemann42 / Atomic-Periodic-Table.Android

Atomic - Periodic Table
https://www.jlindemann.se/
GNU General Public License v3.0

cleartext traffic? #48

Open IzzySoft opened 1 week ago

IzzySoft commented 1 week ago

May I ask what cleartext connections this app uses and why?

! repo/com.jlindemann.science_66.apk declares flag(s): usesCleartextTraffic
! repo/com.jlindemann.science_66.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

As for DEPENDENCY_INFO_BLOCK, this can easily be avoided with a tiny adjustment in your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

IzzySoft commented 1 week ago

Oof. Just catching up with the reports (I was AFK for 10 days), and there's another one. Looks like you've added non-free dependencies:

! com.jlindemann.science: needs NonFreeComp, needs NonFreeNet

Checking, I see:

That's a little much. Could you undo that, or provide a libre build flavor (with its APK)?

JLindemann42 commented 1 week ago

Hello!

I will provide an APK without the billing. It's for the PRO version which is in the Play Store app that supports the development. But I will provide a version without those features here on GitHub without those dependencies.