question on permissions

[IzzySoft]

The scanners here at IzzyOnDroid just yielded:

! repo/moe.nb4a_180.apk declares intent-filter(s): android.net.VpnService
! repo/moe.nb4a_180.apk declares sensitive permission(s): android.permission.QUERY_ALL_PACKAGES
  android.permission.CAMERA android.permission.READ_EXTERNAL_STORAGE
! repo/moe.nb4a_180.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

android.net.VpnService is clear (proxy uses Android's VPN service), so I've already added that to the app's "green list". But could you please clarify what those permissions are needed for?

Concerning DEPENDENCY_INFO_BLOCK: that can easily be avoided with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

[Mahdi-zarei]

The Query all packages permission is for per-app proxy feature. Camera permission is for scanning qr code to import configs and the read external storage is for importing and exporting backup files (not sure about the last one)

[IzzySoft]

Thanks! Added the first two to the app's "green list". As for storage: export/import would just need a single location, right? Wouldn't that be a classic candidate for SAF (Storage Access Framework), so no explicit (legacy) storage permission is needed?